Ransomware : Your Feared IT Nightmare
Ransomware  Remediation ConsultantsCrypto-Ransomware has become a modern cyberplague that presents an enterprise-level danger for organizations unprepared for an assault. Multiple generations of crypto-ransomware like the CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for years and still inflict harm. Newer variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus additional unnamed viruses, not only encrypt on-line information but also infect most available system backup. Data synched to the cloud can also be corrupted. In a poorly designed system, it can render any restoration useless and basically sets the network back to zero.

Getting back on-line services and information following a ransomware attack becomes a race against time as the targeted business fights to contain the damage and clear the crypto-ransomware and to resume enterprise-critical activity. Due to the fact that ransomware needs time to move laterally, penetrations are usually launched during nights and weekends, when attacks may take more time to identify. This multiplies the difficulty of quickly mobilizing and organizing an experienced mitigation team.

Progent has an assortment of support services for securing enterprises from ransomware penetrations. These include team training to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security solutions with artificial intelligence capabilities to rapidly discover and suppress day-zero threats. Progent in addition can provide the services of seasoned ransomware recovery consultants with the talent and perseverance to rebuild a breached environment as rapidly as possible.

Progent's Crypto-Ransomware Restoration Support Services
Following a crypto-ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not ensure that merciless criminals will return the needed keys to decipher any or all of your information. Kaspersky determined that 17% of crypto-ransomware victims never recovered their data even after having sent off the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET determined to be in the range of $13,000. The alternative is to piece back together the vital components of your Information Technology environment. Absent access to essential data backups, this calls for a broad range of skill sets, professional team management, and the ability to work 24x7 until the recovery project is finished.

For decades, Progent has offered expert IT services for businesses in Anaheim and across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained advanced industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with accounting and ERP applications. This breadth of experience gives Progent the ability to rapidly determine critical systems and consolidate the remaining pieces of your IT environment after a ransomware event and rebuild them into an operational system.

Progent's security group has best of breed project management applications to coordinate the sophisticated restoration process. Progent appreciates the importance of working swiftly and in unison with a client's management and IT staff to prioritize tasks and to get essential systems back on-line as fast as possible.

Customer Case Study: A Successful Ransomware Intrusion Recovery
A small business escalated to Progent after their company was attacked by Ryuk ransomware virus. Ryuk is believed to have been deployed by North Korean state sponsored hackers, possibly using techniques leaked from the U.S. National Security Agency. Ryuk goes after specific companies with little or no tolerance for disruption and is one of the most lucrative instances of ransomware. Headline organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with about 500 workers. The Ryuk attack had paralyzed all essential operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the start of the intrusion and were encrypted. The client was taking steps for paying the ransom (more than $200K) and wishfully thinking for the best, but ultimately made the decision to use Progent.


"I canít tell you enough in regards to the care Progent provided us throughout the most critical period of (our) companyís existence. We would have paid the cyber criminals behind the attack if it wasnít for the confidence the Progent team gave us. That you could get our e-mail and key servers back on-line sooner than a week was something I thought impossible. Every single expert I got help from or messaged at Progent was absolutely committed on getting us back online and was working all day and night on our behalf."

Progent worked with the client to quickly assess and assign priority to the most important areas that needed to be addressed in order to continue company functions:

  • Active Directory (AD)
  • Exchange Server
  • Financials/MRP
To start, Progent followed Anti-virus incident mitigation industry best practices by isolating and clearing up compromised systems. Progent then began the process of recovering Active Directory, the key technology of enterprise environments built upon Microsoft Windows technology. Exchange email will not operate without AD, and the businessesí financials and MRP applications leveraged SQL Server, which needs Active Directory for authentication to the databases.

Within 48 hours, Progent was able to rebuild Active Directory services to its pre-intrusion state. Progent then initiated reinstallations and hard drive recovery on the most important applications. All Microsoft Exchange Server schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to find non-encrypted OST data files (Outlook Off-Line Folder Files) on team PCs and laptops to recover mail data. A not too old off-line backup of the customerís accounting/MRP systems made it possible to restore these essential services back servicing users. Although a lot of work needed to be completed to recover totally from the Ryuk virus, critical services were recovered quickly:


"For the most part, the production manufacturing operation did not miss a beat and we did not miss any customer orders."

Over the next month important milestones in the recovery project were made in tight cooperation between Progent consultants and the client:

  • In-house web applications were restored with no loss of information.
  • The MailStore Server exceeding 4 million archived messages was brought online and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory modules were completely restored.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Most of the user desktops and notebooks were operational.

"A lot of what transpired that first week is nearly entirely a haze for me, but my management will not forget the dedication each of you put in to help get our business back. I have been working with Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A probable enterprise-killing catastrophe was averted through the efforts of results-oriented experts, a broad spectrum of IT skills, and tight teamwork. Although in hindsight the crypto-ransomware virus penetration detailed here would have been disabled with current cyber security solutions and security best practices, user training, and well thought out incident response procedures for information protection and proper patching controls, the reality remains that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware virus, feel confident that Progent's team of professionals has extensive experience in crypto-ransomware virus blocking, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), Iím grateful for letting me get some sleep after we got past the first week. Everyone did an fabulous job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Anaheim a variety of online monitoring and security evaluation services to assist you to minimize your vulnerability to ransomware. These services incorporate modern artificial intelligence technology to uncover zero-day strains of ransomware that are able to get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting edge behavior machine learning technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily get by legacy signature-based AV products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to manage the entire malware attack lifecycle including filtering, infiltration detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer economical multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, device management, and web filtering through cutting-edge technologies incorporated within a single agent accessible from a single control. Progent's data protection and virtualization experts can assist your business to design and configure a ProSight ESP deployment that addresses your organization's specific requirements and that allows you prove compliance with legal and industry information security regulations. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate action. Progent's consultants can also assist you to set up and test a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable end-to-end solution for reliable backup/disaster recovery. For a low monthly price, ProSight DPS automates your backup activities and enables rapid recovery of critical files, applications and virtual machines that have become unavailable or damaged as a result of hardware breakdowns, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Hyper-V and VMware images/. Important data can be protected on the cloud, to a local device, or mirrored to both. Progent's cloud backup consultants can deliver advanced support to configure ProSight DPS to be compliant with government and industry regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, when necessary, can assist you to restore your critical data. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top data security companies to deliver web-based control and world-class protection for your email traffic. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and keeps most unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper layer of analysis for incoming email. For outgoing email, the onsite gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to diagram, monitor, enhance and debug their networking hardware such as switches, firewalls, and load balancers plus servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration information of almost all devices connected to your network, monitors performance, and generates notices when problems are discovered. By automating time-consuming management and troubleshooting activities, WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, finding appliances that need important updates, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating at peak levels by checking the state of vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT management staff and your Progent engineering consultant so that any potential problems can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hardware solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard data about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can save as much as half of time wasted looking for critical information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether youíre planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about ProSight IT Asset Management service.
For 24x7 Anaheim Crypto-Ransomware Recovery Support Services, contact Progent at 800-993-9400 or go to Contact Progent.