Ransomware : Your Feared Information Technology Disaster
Crypto-Ransomware  Remediation ExpertsCrypto-Ransomware has become a modern cyberplague that represents an extinction-level threat for organizations unprepared for an attack. Different versions of crypto-ransomware like the CryptoLocker, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for many years and continue to cause havoc. More recent strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as frequent unnamed viruses, not only do encryption of on-line information but also infiltrate all available system backups. Data synchronized to cloud environments can also be ransomed. In a poorly architected data protection solution, it can make automated recovery hopeless and basically knocks the entire system back to zero.

Retrieving applications and data following a crypto-ransomware intrusion becomes a race against time as the targeted organization tries its best to stop the spread and eradicate the virus and to resume enterprise-critical operations. Due to the fact that crypto-ransomware needs time to spread, attacks are usually launched during weekends and nights, when penetrations typically take longer to uncover. This multiplies the difficulty of promptly assembling and organizing an experienced mitigation team.

Progent provides a variety of help services for securing enterprises from crypto-ransomware attacks. Among these are user education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of the latest generation security gateways with AI technology to rapidly identify and extinguish zero-day cyber attacks. Progent also can provide the assistance of expert ransomware recovery consultants with the talent and perseverance to rebuild a breached environment as rapidly as possible.

Progent's Ransomware Restoration Help
Soon after a ransomware penetration, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will return the needed codes to unencrypt any or all of your files. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the average ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to setup from scratch the mission-critical elements of your Information Technology environment. Without access to complete system backups, this requires a wide range of skills, professional project management, and the ability to work non-stop until the task is completed.

For twenty years, Progent has offered certified expert Information Technology services for businesses in Anaheim and throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded top industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally-renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with accounting and ERP software solutions. This breadth of experience gives Progent the skills to efficiently understand important systems and integrate the surviving components of your network system after a ransomware penetration and configure them into a functioning system.

Progent's security group deploys powerful project management applications to coordinate the complex restoration process. Progent appreciates the importance of acting swiftly and in concert with a customerís management and IT resources to assign priority to tasks and to get critical applications back on-line as soon as possible.

Client Story: A Successful Ransomware Intrusion Recovery
A client engaged Progent after their company was attacked by the Ryuk ransomware virus. Ryuk is thought to have been created by Northern Korean state sponsored criminal gangs, suspected of using strategies exposed from the United States National Security Agency. Ryuk attacks specific companies with little ability to sustain disruption and is among the most lucrative versions of ransomware malware. Headline organizations include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in the Chicago metro area and has about 500 workers. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's system backups had been directly accessible at the time of the intrusion and were damaged. The client was actively seeking loans for paying the ransom demand (in excess of two hundred thousand dollars) and praying for good luck, but ultimately called Progent.


"I cannot thank you enough in regards to the care Progent provided us during the most critical period of (our) companyís life. We may have had to pay the cyber criminals behind the attack if it wasnít for the confidence the Progent experts provided us. The fact that you could get our messaging and important applications back on-line sooner than 1 week was beyond my wildest dreams. Every single consultant I worked with or e-mailed at Progent was totally committed on getting us operational and was working day and night on our behalf."

Progent worked with the client to rapidly determine and assign priority to the critical areas that had to be recovered in order to restart departmental operations:

  • Windows Active Directory
  • Electronic Mail
  • Accounting/MRP
To get going, Progent followed Anti-virus event response best practices by stopping lateral movement and clearing infected systems. Progent then began the work of restoring Microsoft AD, the heart of enterprise systems built on Microsoft technology. Exchange email will not operate without Windows AD, and the client's financials and MRP software leveraged SQL Server, which depends on Active Directory services for authentication to the database.

In less than 2 days, Progent was able to rebuild Active Directory services to its pre-attack state. Progent then performed setup and storage recovery on needed systems. All Exchange schema and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to assemble non-encrypted OST files (Microsoft Outlook Off-Line Folder Files) on user PCs in order to recover email messages. A recent off-line backup of the client's financials/ERP systems made it possible to recover these required services back online. Although major work was left to recover fully from the Ryuk attack, the most important services were recovered rapidly:


"For the most part, the production line operation ran fairly normal throughout and we produced all customer sales."

During the next couple of weeks key milestones in the recovery project were made in tight collaboration between Progent team members and the customer:

  • Internal web applications were restored with no loss of data.
  • The MailStore Server with over four million archived messages was brought online and accessible to users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory Control modules were completely operational.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Nearly all of the desktop computers were functioning as before the incident.

"Much of what transpired that first week is nearly entirely a fog for me, but our team will not soon forget the urgency each of your team accomplished to give us our company back. Iíve utilized Progent for the past ten years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This time was the most impressive ever."

Conclusion
A potential business-ending disaster was averted with dedicated professionals, a wide array of technical expertise, and tight teamwork. Although in post mortem the ransomware virus incident detailed here should have been identified and blocked with modern security systems and recognized best practices, user and IT administrator training, and appropriate security procedures for data backup and proper patching controls, the reality is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware attack, feel confident that Progent's roster of experts has a proven track record in ransomware virus blocking, remediation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), thank you for letting me get some sleep after we got through the initial push. Everyone did an fabulous job, and if any of your guys is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Anaheim a portfolio of online monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services utilize modern machine learning technology to uncover new strains of ransomware that are able to get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates cutting edge behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely get by traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a single platform to automate the entire malware attack lifecycle including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer affordable in-depth security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, device management, and web filtering via cutting-edge technologies incorporated within one agent managed from a unified console. Progent's security and virtualization consultants can assist you to plan and configure a ProSight ESP deployment that meets your organization's specific needs and that helps you prove compliance with legal and industry data protection standards. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate attention. Progent can also help you to install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized businesses an affordable and fully managed solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and enables rapid restoration of vital data, apps and virtual machines that have become unavailable or damaged due to hardware failures, software bugs, disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be backed up on the cloud, to a local device, or to both. Progent's backup and recovery consultants can deliver world-class support to set up ProSight DPS to be compliant with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, when needed, can assist you to restore your business-critical information. Learn more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security companies to deliver web-based control and world-class protection for all your email traffic. The powerful structure of Email Guard combines a Cloud Protection Layer with an on-premises gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to external threats and saves system bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further level of inspection for inbound email. For outbound email, the onsite security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Exchange Server to monitor and safeguard internal email traffic that originates and ends within your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to diagram, track, reconfigure and troubleshoot their connectivity appliances such as switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, copies and displays the configuration of almost all devices connected to your network, tracks performance, and generates notices when potential issues are discovered. By automating tedious management processes, ProSight WAN Watch can cut hours off ordinary tasks such as making network diagrams, expanding your network, locating devices that require important software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your network operating at peak levels by checking the health of critical computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your specified IT staff and your Progent consultant so that any looming issues can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual host set up and maintained by Progent's network support experts. With the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported immediately to a different hosting environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect information related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can eliminate as much as 50% of time spent searching for vital information about your IT network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether youíre planning improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Learn more about ProSight IT Asset Management service.
For Anaheim 24x7x365 Ransomware Remediation Experts, call Progent at 800-993-9400 or go to Contact Progent.