Ransomware: Your Crippling Information Technology Disaster
Crypto-Ransomware Remediation Professionals
Ransomware has become a modern cyber pandemic that poses an existential threat to businesses of all sizes that are unprepared for an attack. Ransomware families such as Dharma, Fusob, Locky, NotPetya and MongoLock have been circulating for years and continue to inflict havoc. More recent strains such as Ryuk (derived from the earlier Hermes ransomware), plus a steady stream of unnamed variants, not only encrypt critical online data but also seek out and disable whatever protection mechanisms they can reach, including shadow copies, backup agents and any backup repository that is writable from the compromised network. Data synchronized to off-site disaster recovery sites can be rendered useless as well, because replication faithfully copies the encrypted files. In a poorly designed environment this can make restore operations hopeless and effectively sets the network back to zero.

Getting programs and data back online after a ransomware event becomes a sprint against time as the targeted business tries to contain the damage, remove the ransomware and restore mission-critical operations. Because encrypting an entire environment takes time, attackers frequently trigger the final stage on weekends or at night, when the attack takes longer to discover and it is harder to mobilize and coordinate a knowledgeable response team.

Progent offers an assortment of support services for protecting businesses from ransomware attacks. Among these are staff training to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of current-generation security appliances with machine learning capabilities to identify and stop new attacks. Progent can also provide seasoned ransomware recovery professionals with the skills and commitment to rebuild a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Support Services
Following a crypto-ransomware event, paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt your data. Kaspersky Lab found that seventeen percent of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), well above the typical ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the mission-critical parts of your IT environment. Without complete, intact backups, this requires a broad complement of skills, top-notch project management, and the capacity to work non-stop until the job is done.

For two decades, Progent has provided certified expert IT services to businesses in Anaheim and throughout the U.S. and holds Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team includes consultants with high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware and popular Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISM, CISSP, ISACA CRISC and GIAC (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of expertise lets Progent quickly understand the systems involved, salvage the surviving parts of your network after a ransomware intrusion and reassemble them into a functioning environment.

Progent's recovery team uses best-of-breed project management tools to coordinate the complex recovery process. Progent understands the urgency of acting quickly and in concert with the client's management and IT staff to prioritize tasks and bring key applications back online as soon as possible.

Business Case Study: A Successful Crypto-Ransomware Incident Restoration
A customer contacted Progent after their network was taken down by Ryuk ransomware. Ryuk, which is derived from the earlier Hermes ransomware, was at the time widely attributed to North Korean state-sponsored actors; subsequent research has linked its operators to Russian-speaking criminal groups, and the intrusions that precede it are suspected of using techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business in the Chicago metro area with about 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing processes. Most of the client's backups were online at the time of the attack and were encrypted along with the production data. The client was considering paying the ransom (more than $200K) and hoping for the best, but ultimately called Progent.


"I cannot tell you enough about the expertise Progent provided us during the most critical time of (our) company's existence. We most likely would have paid the cybercriminals except for the confidence the Progent experts afforded us. The fact that you were able to get our messaging and production applications back into operation in less than 1 week was incredible. Every single consultant I got help from or communicated with at Progent was totally committed to getting our company operational and was working 24 by 7 to bail us out."

Progent worked with the customer to quickly assess and prioritize the essential elements that had to be recovered in order to resume business functions:

  • Windows Active Directory
  • Electronic Mail
  • Financials/MRP
To begin, Progent followed industry best practices for incident response by isolating the compromised systems and removing the malware. Progent then started rebuilding Windows Active Directory, the core of an enterprise network built on Microsoft Windows Server. Microsoft Exchange will not function without Active Directory, and the client's accounting and MRP system ran on Microsoft SQL Server, which relied on Active Directory authentication for access to its data.

In less than two days, Progent restored Active Directory to its pre-intrusion state. Progent then assisted with setup and hard drive recovery on the most important systems. All Exchange Server schema and configuration information, which is stored in Active Directory, was intact, which accelerated the Exchange rebuild. Progent was able to collect unencrypted OST files (Microsoft Outlook offline data files) from various desktops and laptops to recover mail data. A recent offline backup of the client's manufacturing systems made it possible to bring those services back online. Although much work remained to recover completely from the Ryuk event, the most important systems were restored quickly:


"For the most part, the production line operation did not miss a beat and we produced all customer shipments."

Over the following weeks, key milestones in the restoration project were reached through close cooperation between Progent engineers and the customer:

  • In-house web sites were restored without losing any information.
  • The MailStore Server, containing more than 4 million archived messages, was brought back online and made available to users.
  • CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory capabilities were fully recovered.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • Ninety percent of the desktops and laptops were operational.

"So much of what transpired that first week is mostly a fog for me, but my management will not forget the care each and every one of the team put in to help get our company back. I have been working with Progent for the past ten years, maybe more, and each time Progent has shined and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A potential business catastrophe was averted through hard-working experts, a broad array of IT skills, and tight collaboration. Although in hindsight the ransomware intrusion described here could have been detected and blocked with up-to-date security technology, ISO/IEC 27001 best practices, user training, and well-thought-out procedures for data protection and software patching, the reality is that state-sponsored and criminal attackers from Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you are hit by crypto-ransomware, remember that Progent's team has extensive experience in ransomware blocking, removal and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), thank you for letting me get some sleep after we made it through the initial fire. All of you did a fabulous job, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Anaheim a portfolio of online monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services use behavior-based machine learning to detect zero-day variants of crypto-ransomware that escape traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses behavioral machine learning to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-matching AV products. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to automate the complete threat lifecycle including filtering, intrusion detection, mitigation, cleanup, and forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Note that many ransomware families, Ryuk included, delete shadow copies before they begin encrypting, so rollback depends on the agent stopping the attack before that step, and it is no substitute for offline backups. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, device management, and web filtering through leading-edge tools incorporated within a single agent accessible from a single control. Progent's data protection and virtualization consultants can help your business to plan and configure a ProSight ESP deployment that meets your company's unique needs and that helps you demonstrate compliance with legal and industry information protection standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent's consultants can also assist your company to set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable end-to-end service for secure backup and disaster recovery. Available at a low monthly rate, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of critical data, applications and virtual machines that have been lost or damaged as a result of hardware failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to a local storage device, or to both. Progent's backup and recovery consultants can provide world-class support to set up ProSight Data Protection Services to comply with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you recover your business-critical information. Read more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security vendors to deliver web-based control and comprehensive security for your inbound and outbound email. The hybrid architecture of Email Guard integrates cloud-based filtering with a local gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This reduces your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises gateway device provides a further layer of analysis for incoming email. For outgoing email, the on-premises security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to track and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, optimize and debug their networking appliances like routers, firewalls, and access points as well as servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating time-consuming management processes, WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, locating devices that require critical software patches, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your network running at peak levels by tracking the state of vital assets that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT staff and your Progent engineering consultant so that any looming issues can be resolved before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hardware environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and protect information related to your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By updating and managing your IT infrastructure documentation, you can save up to half of the time spent trying to find vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
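The ASM description above relies on rolling back from Volume Shadow Copies, and the case study notes that the attack landed when nobody was watching. Ryuk and many other families delete shadow copies and disable Windows recovery (via vssadmin, wmic, wbadmin or bcdedit) before they start encrypting, so rollback is only possible if that step is caught first. The following Python script is an added example written for this page; it is not Progent's code and not part of any ProSight product. It runs a small set of detection rules over constructed process-creation log lines (the key=value line format, hostnames, user names and timestamps are invented for the example) and flags hits that occur on a weekend or outside business hours.

```python
"""Detect shadow-copy and recovery tampering in process-creation logs.

Added example for this page, not Progent or ProSight code. The log line
format, hostnames, user names and timestamps below are constructed; in
practice feed the rules from Sysmon Event ID 1 or Security Event ID 4688
(with command-line auditing enabled) exported from your SIEM.
"""
import re
from datetime import datetime

# key=value fields; values containing spaces are double-quoted.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# (rule name, pattern). Case-insensitive, tolerates "vssadmin" vs
# "vssadmin.exe" and arbitrary switches between the keywords.
RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin delete backup catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("PowerShell Win32_ShadowCopy delete",
     re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I)),
]


def parse_line(line):
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"ts": ts}
    for key, quoted, bare in FIELD.findall(rest):
        fields[key] = quoted or bare
    return fields


def is_off_hours(ts):
    """Weekend, or outside 07:00-19:00 UTC: the windows attackers favour
    because detection and response take longer."""
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when.weekday() >= 5 or not 7 <= when.hour < 19


def detect_shadow_copy_tampering(lines):
    """Return one finding dict per (log line, matching rule) pair."""
    findings = []
    for line in lines:
        f = parse_line(line)
        cmd = f.get("cmdline") or f.get("image", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append({
                    "ts": f["ts"],
                    "host": f.get("host", "?"),
                    "user": f.get("user", "?"),
                    "rule": name,
                    "cmdline": cmd,
                    "off_hours": is_off_hours(f["ts"]),
                })
    return findings


# Constructed sample: a Saturday 02:13 UTC burst on a file server, plus two
# benign lines (a text editor and a read-only "vssadmin List Shadows").
SAMPLE_LOG = [
    r'2019-01-04T09:12:03Z host=MFG-WS17 event=4688 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe C:\Users\jdoe\notes.txt"',
    r'2019-01-05T02:13:44Z host=MFG-FS01 event=4688 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    r'2019-01-05T02:13:46Z host=MFG-FS01 event=4688 user=CORP\svc_backup image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic.exe shadowcopy delete"',
    r'2019-01-05T02:13:50Z host=MFG-FS01 event=4688 user=CORP\svc_backup image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit.exe /set {default} recoveryenabled No"',
    r'2019-01-05T02:14:02Z host=MFG-FS01 event=4688 user=CORP\svc_backup image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -nop -w hidden -c Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}"',
    r'2019-01-07T10:30:00Z host=MFG-FS01 event=4688 user=CORP\admin image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe List Shadows"',
]


if __name__ == "__main__":
    for hit in detect_shadow_copy_tampering(SAMPLE_LOG):
        flag = "OFF-HOURS " if hit["off_hours"] else ""
        print(f'{hit["ts"]} {hit["host"]} {hit["user"]} {flag}{hit["rule"]}: {hit["cmdline"]}')
```

Run as-is, the script reports the four tampering commands on MFG-FS01 and stays silent on the editor launch and the read-only `vssadmin List Shadows`. In production the same rules would be fed from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled; backup software that legitimately resizes shadow storage will trip the resize rule, so scope that rule to exclude your backup service account rather than dropping it.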
For 24-7 Anaheim Crypto-Ransomware Removal Consultants, contact Progent at 800-993-9400 or go to Contact Progent.