Ransomware : Your Feared Information Technology Disaster
Ransomware has become an escalating cyber pandemic that poses an enterprise-level threat to any business vulnerable to attack. Different iterations of crypto-ransomware such as CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock have been circulating for many years and still inflict harm. Recent versions of crypto-ransomware such as Ryuk and Hermes, along with many unnamed variants, not only encrypt online files but also corrupt any system backup they can reach. Data synced to cloud environments can also be encrypted. With a poorly designed data protection solution, this can make automated recovery impossible and effectively knocks the network back to zero.
Recovering programs and information after a ransomware attack becomes a sprint against time as the targeted business tries to stop lateral movement, eradicate the ransomware, and resume enterprise-critical activity. Because ransomware needs time to move laterally, attacks are usually launched during nights and weekends, when a successful intrusion is likely to take longer to detect. This multiplies the difficulty of quickly assembling and coordinating an experienced response team.
Progent offers a range of services for protecting organizations from crypto-ransomware attacks. Among these are staff education to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security solutions that use artificial intelligence to quickly identify and quarantine new threats. Progent also provides experienced crypto-ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as rapidly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminal gang will respond with the keys needed to decrypt your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their information even after paying the ransom, compounding their losses. The gamble is also very expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET estimates at around $13,000. The alternative is to rebuild the critical components of your IT environment from scratch. Without full system backups, this requires a wide complement of skills, top-notch team management, and the capability to work 24x7 until the task is complete.
For twenty years, Progent has offered certified expert IT services for companies in Manchester and across the US and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts hold internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP application software. This breadth of expertise gives Progent the ability to knowledgeably assess the systems you need, organize the surviving parts of your IT environment following a ransomware attack, and assemble them into an operational system.
Progent's security group uses best-of-breed project management tools to coordinate the complex restoration process. Progent appreciates the importance of acting rapidly and in unison with a client's management and IT staff to prioritize tasks and put the most important applications back online as soon as possible.
Customer Case Study: A Successful Ransomware Attack Restoration
A business contacted Progent after its network was taken over by Ryuk ransomware. Ryuk is thought to have been created by North Korean government-sponsored cybercriminals, possibly using algorithms leaked from the United States National Security Agency. Ryuk targets specific companies with little or no tolerance for disruption and is one of the most lucrative incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business in Chicago with around 500 employees. The Ryuk attack had shut down all business operations and manufacturing processes. The majority of the client's system backups had been online at the start of the intrusion and were damaged. The client was considering paying the ransom (exceeding $200,000) and hoping for the best, but ultimately reached out to Progent.
"I can't tell you enough about the care Progent provided us during the most critical time of (our) business's survival. We would have paid the cybercriminals if not for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and production servers back in less than a week was something I thought impossible. Each expert I talked with or e-mailed at Progent was urgently focused on getting our system up and was working at breakneck pace to bail us out."
Progent worked hand in hand with the customer to quickly identify and prioritize the key systems that had to be addressed in order to resume company functions:
- Microsoft Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To begin, Progent followed anti-virus/malware incident mitigation best practices by halting the spread and removing active malware. Progent then started restoring Active Directory, the core of enterprise systems built on Microsoft technology. Microsoft Exchange email will not work without Windows AD, and the customer's accounting and MRP applications used Microsoft SQL Server, which depends on Active Directory for authentication to the database.
Within two days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then helped perform reinstallations and hard drive recovery of mission-critical applications. All Microsoft Exchange Server data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to locate local OST files (Microsoft Outlook Offline Data Files) on staff desktop computers in order to recover mail data. A recent offline backup of the client's manufacturing systems made it possible to bring these vital applications back online for users. Although a large amount of work still had to be done to recover fully from the Ryuk event, critical systems were recovered rapidly:
"For the most part, the production manufacturing operation never missed a beat and we delivered all customer orders."
Over the next couple of weeks, critical milestones in the recovery project were completed through tight cooperation between Progent consultants and the customer:
- Self-hosted web sites were restored without losing any data.
- The MailStore server for Microsoft Exchange, containing more than four million historical messages, was restored to operation and made available to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory modules were 100% functional.
- A new Palo Alto Networks 850 security appliance was set up.
- 90% of the user desktops and notebooks were fully operational.
"Much of what went on during the initial response is mostly a haze for me, but I will not soon forget the commitment each and every one of you accomplished to give us our company back. I have entrusted Progent for at least 10 years, maybe more, and every time I needed help Progent has come through and delivered. This event was a stunning achievement."
A potential business catastrophe was averted thanks to results-oriented experts, a wide range of technical expertise, and tight teamwork. In hindsight, the crypto-ransomware incident described here could have been stopped with up-to-date security technology, NIST Cybersecurity Framework best practices, user and IT administrator education, and properly executed procedures for data protection and patch management. The fact remains, however, that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware attack, you can be confident that Progent's team of professionals has proven experience in ransomware defense, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for making it so I could get some sleep after we got over the initial fire. All of you did a fabulous job, and if any of you guys is in the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers companies in Manchester a portfolio of remote monitoring and security assessment services designed to help you reduce your exposure to ransomware. These services include modern artificial intelligence technology to uncover new strains of ransomware that can escape detection by traditional signature-based anti-virus products.
For 24-7 Manchester Ransomware Repair Support Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses next-generation behavior-based machine learning to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely get past legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to automate the complete threat lifecycle, including filtering, detection, mitigation, cleanup, and forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to security attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device management, and web filtering through cutting-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP environment that addresses your company's specific needs and helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will assist you to define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent can also help you install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable end-to-end solution for secure backup and disaster recovery (BDR). For a fixed monthly rate, ProSight DPS automates your backup activities and allows rapid restoration of vital files, applications and virtual machines that have become unavailable or damaged due to hardware failures, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's BDR consultants can provide advanced expertise to configure ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can help you restore your business-critical information. Learn more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security vendors to provide centralized control and comprehensive security for all your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway device to offer complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter serves as a first line of defense and blocks most threats from reaching your security perimeter. This decreases your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper layer of inspection for inbound email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server in monitoring and protecting internal email traffic that stays inside your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to map, track, reconfigure and debug their connectivity appliances such as switches, firewalls, and access points, as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, captures and displays the configuration of virtually all devices connected to your network, monitors performance, and sends alerts when issues are discovered. By automating tedious management and troubleshooting activities, ProSight WAN Watch can cut hours off common tasks such as network mapping, reconfiguring your network, locating appliances that require important software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management techniques to keep your IT system running at peak levels by checking the state of the vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT personnel and your Progent engineering consultant so that looming issues can be resolved before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With the ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be moved easily to alternate hardware without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard data related to your IT infrastructure, processes, business applications, and services. You can quickly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of the time spent searching for critical information about your network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're making improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require when you need it. Read more about Progent's ProSight IT Asset Management service.