Ransomware : Your Crippling IT Catastrophe
Crypto-Ransomware Remediation Experts

Crypto-Ransomware has become an escalating cyberplague that represents an enterprise-level threat for businesses unprepared for an attack. Multiple generations of ransomware like the CryptoLocker, WannaCry, Locky, SamSam and MongoLock cryptoworms have been out in the wild for a long time and still inflict harm. Newer variants of crypto-ransomware such as Ryuk and Hermes, along with daily unnamed newcomers, not only encrypt online information but also infect most accessible system restores and backups. Files synchronized to off-site disaster recovery sites can also be rendered useless. With a poorly designed data protection solution, this can render any recovery impossible and effectively set the network back to square one.

Getting programs and information back after a ransomware attack becomes a sprint against time as the victim fights to contain the damage, clear the crypto-ransomware, and resume business-critical activity. Because ransomware requires time to spread, assaults are often sprung on weekends, when attacks may take more time to uncover. This compounds the difficulty of quickly marshalling and organizing a capable response team.

Progent offers a variety of help services for securing businesses from crypto-ransomware penetrations. These include staff training to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security solutions with artificial intelligence capabilities to automatically identify and suppress day-zero threats. Progent in addition can provide the services of expert crypto-ransomware recovery engineers with the talent and perseverance to restore a compromised environment as quickly as possible.

Progent's Ransomware Restoration Help
Soon after a ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not ensure that criminal gangs will provide the keys needed to decrypt any of your information. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their data after having paid the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC (between $120,000 and $400,000). This is far higher than the usual crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to piece back together the key components of your Information Technology environment. Absent access to complete information backups, this requires a wide complement of IT skills, well-coordinated team management, and the willingness to work 24x7 until the job is finished.

For two decades, Progent has provided certified expert Information Technology services for companies in Winston-Salem and across the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience in financial management and ERP applications. This breadth of experience gives Progent the skills to efficiently identify critical systems, salvage the remaining parts of your Information Technology environment after a crypto-ransomware attack, and rebuild them into an operational system.

Progent's recovery team utilizes state-of-the-art project management applications to orchestrate the sophisticated recovery process. Progent appreciates the importance of working rapidly and in unison with a client's management and Information Technology staff to prioritize tasks and to put key services back on-line as fast as possible.

Client Story: A Successful Ransomware Attack Response
A business sought out Progent after their organization was penetrated by the Ryuk ransomware virus. Ryuk is generally considered to have been launched by North Korean government-sponsored criminal gangs, possibly using strategies exposed from the U.S. NSA. Ryuk attacks specific businesses with little or no tolerance for operational disruption and is one of the most profitable versions of ransomware viruses. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company based in Chicago with about 500 staff members. The Ryuk event had disabled all company operations and manufacturing capabilities. The majority of the client's backups had been on-line at the time of the intrusion and were destroyed. The client was taking steps to pay the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.


"I can't speak enough in regards to the support Progent provided us during the most critical period of (our) company's survival. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent team provided us. The fact that you could get our messaging and key servers back online sooner than a week was earth shattering. Every single person I interacted with or messaged at Progent was absolutely committed on getting us back on-line and was working 24/7 to bail us out."

Progent worked together with the client to rapidly identify and prioritize the key applications that had to be recovered so that departmental operations could resume:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP

To begin, Progent followed anti-virus incident mitigation best practices by stopping the spread and cleaning infected systems. Progent then initiated the steps of bringing Active Directory back online, the core of enterprise networks built upon Microsoft Windows Server technology. Exchange messaging will not work without Active Directory, and the client's MRP system leveraged Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the data.

Within 2 days, Progent was able to recover Active Directory to its pre-attack state. Progent then completed setup and storage recovery of the most important systems. All Exchange links and attributes were usable, which greatly helped the restore of Exchange. Progent was able to collect local OST data files (Outlook Off-Line Data Files) from various desktop computers in order to recover mail data. A recent off-line backup of the client's financials/MRP software made it possible to bring these essential services back to users. Although major work remained to recover fully from the Ryuk virus, essential services were recovered rapidly:


"For the most part, the production operation was never shut down and we made all customer sales."

Over the following couple of weeks key milestones in the restoration process were completed through tight cooperation between Progent engineers and the client:

  • Internal web sites were restored without losing any information.
  • The MailStore Server with over 4 million historical emails was spun up and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were completely functional.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Ninety percent of the user PCs were being used by staff.

"So much of what was accomplished in the initial days is mostly a fog for me, but my team will not soon forget the care each of your team accomplished to give us our business back. I've been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has impressed me and delivered. This time was a testament to your capabilities."

Conclusion
A potential enterprise-killing catastrophe was avoided due to hard-working experts, a wide spectrum of IT skills, and tight collaboration. Although in hindsight the crypto-ransomware incident detailed here could have been prevented by modern security solutions and ISO/IEC 27001 best practices, staff education, and properly executed security procedures for data protection and keeping systems up to date with security patches, the reality remains that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and will continue. If you do get hit by a ransomware incursion, remember that Progent's team of experts has a proven track record in crypto-ransomware virus blocking, remediation, and file disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for making it so I could get some sleep after we made it over the initial fire. Everyone did an incredible job, and if anyone is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Winston-Salem a portfolio of remote monitoring and security assessment services to help you to minimize your vulnerability to ransomware. These services utilize next-generation artificial intelligence technology to detect new strains of ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to address the entire malware attack lifecycle including blocking, detection, mitigation, remediation, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint management, and web filtering via leading-edge tools packaged within one agent accessible from a single console. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP environment that meets your organization's specific requirements and that allows you to prove compliance with legal and industry data protection regulations. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also assist your company to install and verify a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable end-to-end solution for reliable backup/disaster recovery. Available at a low monthly rate, ProSight Data Protection Services automates and monitors your backup activities and allows fast restoration of critical files, applications and VMs that have become unavailable or damaged as a result of hardware breakdowns, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery specialists can provide advanced expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can assist you to recover your critical data. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading data security vendors to deliver centralized control and comprehensive protection for all your email traffic. The powerful architecture of the Email Guard managed service combines cloud-based filtering with an on-premises gateway device to offer advanced defense against spam, viruses, DoS attacks, DHAs, and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email from making it to your network firewall. This reduces your exposure to external attacks and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance adds a deeper layer of analysis for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and protect internal email that originates and ends within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, monitor, optimize and debug their networking appliances such as routers and switches, firewalls, and load balancers plus servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are kept updated, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and generates notices when potential issues are discovered. By automating complex management activities, WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, finding appliances that require critical software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your network running at peak levels by tracking the state of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT management personnel and your assigned Progent engineering consultant so any potential issues can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hosting solution without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect data related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can save as much as half of the time spent looking for critical information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require as soon as you need it. Find out more about ProSight IT Asset Management service.

For 24-7 Winston-Salem Ransomware Cleanup Help, contact Progent at 800-993-9400 or go to Contact Progent.