Ransomware : Your Feared Information Technology Disaster
Ransomware has become an escalating cyber pandemic that presents an enterprise-level threat for businesses unprepared for an assault. Different iterations of ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for many years and continue to inflict havoc. Newer strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Egregor, along with additional unnamed newcomers, not only encrypt on-line files but also infiltrate any configured system backup. Data replicated to cloud environments can also be ransomed. In a poorly designed system, this can make automated restore operations hopeless and knock the entire environment back to square one.

Restoring applications and data after a crypto-ransomware outage becomes a sprint against the clock as the victim struggles to contain the damage, remove the ransomware, and restore enterprise-critical operations. Because crypto-ransomware needs time to move laterally, attacks are often sprung during nights and weekends, when they typically take longer to identify. This multiplies the difficulty of rapidly mobilizing and organizing a capable response team.

Progent offers a variety of solutions for securing businesses from ransomware events. These include team training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security appliances with AI technology to rapidly detect and disable zero-day threats. Progent also provides the assistance of veteran ransomware recovery engineers with the talent and perseverance to re-deploy a breached network as rapidly as possible.

Progent's Ransomware Restoration Services
Subsequent to a ransomware penetration, sending the ransom in cryptocurrency does not provide any assurance that cyber hackers will respond with the keys to decrypt any or all of your information. Kaspersky estimated that seventeen percent of ransomware victims never restored their information after having paid the ransom, resulting in increased losses. Paying is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET estimates to be in the range of $13,000. The fallback is to piece back together the essential elements of your IT environment. Absent complete data backups, this calls for a broad complement of skill sets, professional project management, and the willingness to work continuously until the job is finished.

For two decades, Progent has offered expert IT services for companies in Rochester and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded advanced industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience with accounting and ERP applications. This breadth of experience provides Progent the ability to efficiently identify important systems and re-organize the surviving pieces of your network system after a ransomware event and assemble them into a functioning network.

Progent's recovery team uses state-of-the-art project management tools to orchestrate the complicated recovery process. Progent appreciates the importance of acting quickly and together with a customer's management and IT team members to prioritize tasks and to get critical services back online as soon as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Penetration Restoration
A client hired Progent after their company was crashed by the Ryuk ransomware virus. Ryuk is believed to have been deployed by North Korean state-sponsored cybercriminals, who are suspected of adopting techniques leaked from America's National Security Agency. Ryuk targets specific businesses with little or no ability to sustain operational disruption and is one of the most lucrative instances of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer located in the Chicago metro area with about 500 staff members. The Ryuk penetration had frozen all company operations and manufacturing processes. Most of the client's backups had been online when the attack began and were damaged. The client considered paying the ransom (more than $200,000) and hoping for the best, but ultimately made the decision to use Progent.


"I cannot speak enough about the support Progent gave us during the most critical period of (our) company's existence. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent team afforded us. The fact that you were able to get our e-mail and production applications back faster than seven days was incredible. Every single consultant I got help from or e-mailed at Progent was laser focused on getting us operational and was working 24 by 7 on our behalf."

Progent worked with the client to rapidly identify and prioritize the mission-critical systems that had to be restored in order to resume company operations:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To begin, Progent followed anti-virus/malware incident mitigation best practices by stopping the spread and cleaning up compromised systems. Progent then started recovering Microsoft Active Directory (AD), the foundation of enterprise environments built on Microsoft Windows. Microsoft Exchange Server email will not operate without Windows AD, and the client's accounting and MRP system ran on Microsoft SQL Server, which relies on Windows AD to authenticate and authorize access to its data.

In less than two days, Progent rebuilt Windows Active Directory to its pre-attack state. Progent then completed reinstallations and storage recovery on key systems. All Exchange links and configuration information were intact, which simplified the Exchange rebuild. Progent located local OST files (Outlook Offline Data Files) on various desktop computers and used them to recover email data. A relatively recent offline backup of the business's accounting software made it possible to bring these essential programs back online. Although significant work remained to recover fully from the Ryuk virus, essential services were returned to operation quickly:
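The recovery order described above (Active Directory first, then the services that depend on it, with desktop OST files as a mail-data fallback) can be turned into a readiness check that a responder runs on each machine before attempting to bring Exchange or SQL Server back. The script below is an added example written for this page, not Progent's tooling or anything from the case study. It assumes a domain-joined Windows host with PowerShell 5.1 or later, and the domain name `corp.example.local` is a placeholder to be replaced with your own.

```powershell
# Added example (not Progent's code): verify that a rebuilt Active Directory
# is actually usable by clients before restoring AD-dependent services, then
# inventory local Outlook OST files that can serve as a mail-data source.
# Assumption: run on a domain-joined host; $DomainName is a placeholder.
param(
    [string]$DomainName = "corp.example.local",          # placeholder, replace
    [string]$ReportPath = "$env:TEMP\recovery-readiness.csv"
)

$results = @()

# 1. Find a domain controller the way clients do: via the _ldap SRV record.
#    If this fails, DNS or AD is not yet ready and nothing else will work.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No DC SRV records for $DomainName; AD/DNS is not usable by clients yet."
    return
}
$dc = ($srv | Select-Object -First 1).NameTarget
Write-Host "Testing domain controller $dc"

# 2. Ports a member server needs from a DC: DNS, Kerberos, LDAP,
#    SMB (SYSVOL/Group Policy) and the Global Catalog used by Exchange.
$ports = [ordered]@{ DNS = 53; Kerberos = 88; LDAP = 389; SMB = 445; GlobalCatalog = 3268 }
foreach ($name in $ports.Keys) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $ports[$name] -WarningAction SilentlyContinue).TcpTestSucceeded
    $results += [pscustomobject]@{ Check = "DC port $name/$($ports[$name])"; Result = $ok }
}

# 3. This host's secure channel to the domain. After an AD rebuild, machine
#    accounts are often missing or stale, and a broken channel means the
#    service accounts on this box cannot authenticate.
$channelOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = "Secure channel to domain"; Result = [bool]$channelOk }

# 4. Inventory OST files under every local user profile. Size and last
#    write time show how current each cached mailbox copy is before you
#    decide which ones to import during the Exchange recovery.
$ostRoot = "$env:SystemDrive\Users\*\AppData\Local\Microsoft\Outlook"
Get-ChildItem -Path $ostRoot -Filter *.ost -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $results += [pscustomobject]@{
        Check  = "OST $($_.FullName)"
        Result = ("{0:N0} MB, last written {1:u}" -f ($_.Length / 1MB), $_.LastWriteTimeUtc)
    }
}

# 5. Show the findings and keep a copy for the incident record.
$results | Format-Table -AutoSize
$results | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Report written to $ReportPath"
```

Run it once per server you intend to restore; any port check or secure-channel result of False means AD is not yet ready for that host, and the OST rows give the recovery team a per-machine list of mailbox copies and their freshness. Test-ComputerSecureChannel reports nothing when run on a domain controller itself, so that row reads False there by design.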


"For the most part, the manufacturing operation never missed a beat and we delivered all customer shipments."

Over the next few weeks critical milestones in the restoration process were made through close collaboration between Progent consultants and the client:

  • Internal web applications were returned to operation with no loss of information.
  • The MailStore Exchange Server containing more than four million archived emails was restored to operations and available for users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were 100% functional.
  • A new Palo Alto 850 firewall was installed.
  • Most of the desktops and laptops were back in use by staff.

"A huge amount of what occurred those first few days is nearly entirely a fog for me, but we will not soon forget the care each and every one of your team accomplished to help get our company back. I've utilized Progent for at least 10 years, maybe more, and each time Progent has shined and delivered. This situation was a Herculean accomplishment."

Conclusion
A potentially business-ending catastrophe was averted through results-oriented experts, a broad array of technical expertise, and close collaboration. In hindsight, the crypto-ransomware attack described here could have been detected and blocked with current cybersecurity systems, NIST Cybersecurity Framework best practices, staff training, and properly executed incident response procedures for data backup and software patching. The fact remains, however, that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware incursion, you can be confident that Progent's roster of professionals has substantial experience in crypto-ransomware blocking, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for letting me get rested after we made it through the initial push. Everyone did an amazing job, and if any of your guys is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Rochester a variety of remote monitoring and security assessment services to help you to reduce the threat from ransomware. These services include modern machine learning capability to uncover zero-day strains of crypto-ransomware that are able to evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes cutting edge behavior machine learning technology to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely evade traditional signature-based anti-virus products. ProSight ASM protects local and cloud-based resources and provides a unified platform to manage the entire threat progression including filtering, infiltration detection, mitigation, remediation, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, endpoint control, and web filtering through leading-edge tools incorporated within a single agent managed from a single console. Progent's data protection and virtualization experts can assist your business to design and configure a ProSight ESP deployment that meets your company's unique requirements and that allows you to demonstrate compliance with legal and industry information protection standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent can also help your company to install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized organizations a low cost and fully managed service for secure backup/disaster recovery. Available at a fixed monthly cost, ProSight DPS automates and monitors your backup processes and enables fast recovery of vital files, apps and virtual machines that have become lost or damaged due to component failures, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's cloud backup consultants can provide advanced expertise to set up ProSight Data Protection Services to comply with regulatory requirements like HIPAA, FERPA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your business-critical data. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top data security vendors to deliver centralized management and world-class protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This reduces your exposure to inbound threats and conserves system bandwidth and storage space. Email Guard's on-premises gateway device adds a further layer of analysis for inbound email. For outbound email, the onsite gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Exchange Server to monitor and protect internal email that originates and ends within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to diagram, track, enhance and debug their connectivity hardware such as switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and generates notices when problems are detected. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, finding appliances that need critical updates, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your network running at peak levels by checking the health of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT staff and your Progent engineering consultant so that all looming problems can be resolved before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported easily to an alternate hardware solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard data about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can eliminate up to half of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require as soon as you need it. Learn more about ProSight IT Asset Management service.

For 24-Hour Rochester Crypto-Ransomware Cleanup Services, contact Progent at 800-993-9400 or go to Contact Progent.