Ransomware : Your Feared IT Catastrophe
Crypto-Ransomware Recovery Consultants

Ransomware has become an all-too-frequent cyber pandemic that poses an extinction-level threat to businesses of every size that are vulnerable to an assault. Ransomware families such as the CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for a long time and still cause destruction. The latest strains, such as Ryuk and Hermes, along with frequent unnamed malware, not only encrypt online data but also corrupt most reachable system restore points and backups. Data synchronized to off-site disaster recovery sites can be corrupted as well. In a poorly architected data protection solution this can make automated recovery impossible and effectively knock the datacenter back to square one.
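The paragraph above makes the key architectural point: current ransomware encrypts reachable backups and replicated DR copies, not just primary data, so a backup that the attacker can write to is not a backup you can trust. One inexpensive defender-side check is a hash manifest of the backup set that is stored somewhere the backup target cannot reach (offline media or an immutable bucket) and re-verified before a restore is attempted. The Python below is an added example written for this page; it is not Progent's code or part of any ProSight product. The manifest format, the file names and the tampering it simulates (one file overwritten with random bytes, one deleted) are constructed for illustration. Beyond the hash comparison itself, it also flags modified files whose content is high-entropy, which is what an encrypted file looks like and what a legitimate edit to a CSV or text file does not.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large backup images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 .. 8.0). Encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def build_manifest(root):
    """Walk the backup set and record a SHA-256 per file, keyed by forward-slash relative path.

    The returned dict is what you would write to offline media at backup time (hypothetical
    manifest format: one path -> hex digest pair per file).
    """
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest, entropy_threshold=7.5, sample_bytes=4096):
    """Compare the current backup set against an offline manifest.

    Returns a dict of sorted lists: ok, modified, missing, suspicious. A file is 'suspicious'
    when it both fails its hash and its leading bytes are high-entropy, the signature of a file
    that has been encrypted rather than merely edited.
    """
    result = {"ok": [], "modified": [], "missing": [], "suspicious": []}
    for rel, expected in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.exists(full):
            result["missing"].append(rel)
            continue
        if sha256_file(full) == expected:
            result["ok"].append(rel)
            continue
        result["modified"].append(rel)
        with open(full, "rb") as handle:
            head = handle.read(sample_bytes)
        if shannon_entropy(head) > entropy_threshold:
            result["suspicious"].append(rel)
    for key in result:
        result[key].sort()
    return result


def demo():
    """Constructed end-to-end run: take a manifest, simulate tampering, verify."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample backup set: an ERP export and a notes file.
        os.makedirs(os.path.join(root, "erp"))
        with open(os.path.join(root, "erp", "ledger.csv"), "w") as handle:
            handle.write("date,account,amount\n2019-01-01,1000,42.50\n" * 50)
        with open(os.path.join(root, "notes.txt"), "w") as handle:
            handle.write("quarterly notes\n" * 20)

        # This copy is what must live offline, out of reach of the backup target.
        manifest = build_manifest(root)

        # Constructed tampering, standing in for what an encrypting intruder leaves behind:
        # the ledger is replaced with random bytes and the notes file is gone.
        with open(os.path.join(root, "erp", "ledger.csv"), "wb") as handle:
            handle.write(os.urandom(8192))
        os.remove(os.path.join(root, "notes.txt"))

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:10s} {paths}")
```

The entropy heuristic is a second signal, not a replacement for the hash: a backup that was legitimately updated will fail the hash too, but its content will still look like text, images or database pages rather than uniform noise. The manifest only has value if it is written somewhere the same credentials that write the backups cannot modify, which is the same property the page's "off-line backup" of the ERP system had.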

Getting applications and data back online after a ransomware outage becomes a race against time as the targeted organization struggles to stop the spread, remove the ransomware and resume business-critical activity. Because ransomware needs time to move laterally, attacks are frequently launched on weekends and at night, when they are likely to take longer to discover. This compounds the difficulty of rapidly mobilizing and organizing an experienced response team.

Progent offers a variety of solutions for securing enterprises against ransomware attacks. Among these are staff training to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security appliances with AI capabilities to discover and disable new cyber attacks. Progent also offers the services of expert crypto-ransomware recovery engineers with the talent and commitment to rebuild a breached environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, paying the ransom in cryptocurrency does not ensure that the distant criminals will provide the keys to decrypt any of your files. Kaspersky Labs determined that 17% of ransomware victims never recovered their files even after paying the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET averages at around $13,000. The alternative is to rebuild the essential components of your IT environment. Without full data backups, this calls for a broad range of skill sets, professional team management, and the willingness to work continuously until the task is finished.

For two decades, Progent has provided certified expert IT services for businesses in Springfield and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have been awarded top certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of expertise gives Progent the ability to rapidly identify critical systems, salvage the remaining parts of your network environment following a ransomware event, and rebuild them into an operational system.

Progent's security team uses top-notch project management applications to coordinate the sophisticated restoration process. Progent appreciates the urgency of acting quickly and in unison with a client's management and IT team members to prioritize tasks and to put the most important services back online as soon as possible.

Business Case Study: A Successful Ransomware Intrusion Recovery
A business hired Progent after it was attacked by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored cybercriminals, possibly using algorithms leaked from the United States National Security Agency. Ryuk targets specific companies with little or no tolerance for operational disruption and is one of the most lucrative instances of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer located in the Chicago metro area with around 500 employees. The Ryuk attack had frozen all company operations and manufacturing processes. The majority of the client's data backups had been online at the start of the attack and were damaged. The client considered paying the ransom demand (more than $200,000) and hoping for the best, but ultimately decided to engage Progent.


"I can't thank you enough in regards to the support Progent provided us during the most critical time of (our) company's survival. We would have paid the cyber criminals behind the attack except for the confidence the Progent experts afforded us. The fact that you could get our messaging and production applications back faster than a week was incredible. Each staff member I spoke to or texted at Progent was hell bent on getting my company operational and was working 24 by 7 to bail us out."

Progent worked hand in hand with the client to quickly understand and prioritize the mission-critical areas that had to be addressed in order to keep departments operating:

  • Windows Active Directory
  • E-Mail
  • Accounting and Manufacturing Software

To begin, Progent followed industry best practices for ransomware penetration mitigation by halting lateral movement and cleaning infected systems. Progent then began the task of recovering Microsoft Active Directory, the key technology of enterprise systems built on Microsoft Windows Server. Microsoft Exchange messaging will not work without Active Directory, and the customer's MRP software relied on Microsoft SQL Server, which requires Windows AD for authorization to the databases.

In less than two days, Progent was able to recover Active Directory to its pre-attack state. Progent then moved on to reinstallation and storage recovery of the mission-critical applications. All Exchange links and configuration data were intact, which simplified the Exchange restore. Progent was able to find intact OST files (Outlook Offline Folder Files) on user desktops and laptops and used them to recover mail data. A reasonably recent offline backup of the business's accounting/ERP software allowed those required services to be brought back online. Although a large amount of work remained before the Ryuk damage was fully repaired, the most important services were returned to operation quickly:


"For the most part, the production line operation ran fairly normal throughout and we produced all customer deliverables."

Over the next few weeks, important milestones in the restoration project were reached through close cooperation between Progent engineers and the client:

  • In-house web sites were brought back up with no loss of information.
  • The MailStore Server containing more than four million historical emails was brought online and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory modules were 100 percent operational.
  • A new Palo Alto Networks 850 firewall was installed.
  • Nearly all of the user PCs were functioning as before the incident.

"So much of what happened those first few days is mostly a blur for me, but my team will not soon forget the urgency each and every one of you put in to help get our company back. I have entrusted Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered. This time was no exception but maybe more Herculean."

Conclusion
A potential enterprise-killing disaster was averted by dedicated professionals, a wide range of subject matter expertise, and tight teamwork. In hindsight, the ransomware attack described here could have been stopped with modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and properly executed procedures for data backup and patching. The reality remains, however, that state-sponsored hackers from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware incursion, you can be confident that Progent's team of experts has a proven track record in crypto-ransomware blocking, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for letting me get some sleep after we got past the initial push. Everyone did an incredible job, and if any of your team is in the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, see Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Springfield a range of remote monitoring and security evaluation services to help you reduce the threat from crypto-ransomware. These services include next-generation AI capability to detect zero-day variants of ransomware that can get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses cutting-edge behavior-based machine learning technology to guard physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which easily evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to manage the complete malware attack progression, including filtering, identification, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer economical in-depth protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge tools packaged within a single agent and managed from a single console. Progent's security and virtualization consultants can help you plan and configure a ProSight ESP deployment that addresses your company's unique needs and helps you demonstrate compliance with legal and industry data protection standards. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require urgent action. Progent can also help your company set up and test a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly after a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations an affordable and fully managed solution for secure backup and disaster recovery. Available at a fixed monthly rate, ProSight DPS automates and monitors your backup processes and allows fast recovery of critical files, apps and virtual machines that have become unavailable or corrupted due to component failures, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on a local device, or both. Progent's BDR consultants can provide advanced support to configure ProSight Data Protection Services to comply with regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can assist you in restoring your business-critical information. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security companies to provide centralized management and comprehensive protection for all your email traffic. The hybrid architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter serves as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a further level of analysis for incoming email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server monitor and safeguard internal email that originates and ends within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map out, track, enhance and debug their networking hardware like switches, firewalls, and access points as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that network diagrams are kept current, captures and displays the configuration of almost all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating complex network management activities, WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, finding devices that need important software patches, or isolating performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by checking the state of the critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT staff and your assigned Progent engineering consultant so potential problems can be addressed before they disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to alternate hardware without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect information about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as 50% of the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're making enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.

For Springfield 24/7/365 Crypto-Ransomware Repair Experts, call Progent at 800-993-9400 or go to Contact Progent.