Ransomware : Your Feared Information Technology Disaster
Ransomware  Recovery ProfessionalsRansomware has become an escalating cyberplague that poses an existential threat for businesses vulnerable to an assault. Different versions of ransomware like the CrySIS, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been around for years and continue to inflict destruction. Recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, along with daily unnamed viruses, not only do encryption of on-line critical data but also infiltrate any available system protection mechanisms. Files synchronized to off-site disaster recovery sites can also be ransomed. In a poorly designed data protection solution, this can make automated recovery impossible and basically knocks the datacenter back to square one.

Getting back services and data after a crypto-ransomware event becomes a sprint against time as the victim tries its best to stop the spread and eradicate the ransomware and to resume mission-critical activity. Because ransomware takes time to move laterally, attacks are often sprung during weekends and nights, when penetrations may take longer to discover. This compounds the difficulty of quickly marshalling and organizing a capable mitigation team.

Progent has a range of services for protecting businesses from crypto-ransomware attacks. Among these are team member training to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security gateways with AI capabilities to automatically identify and disable new cyber attacks. Progent in addition offers the assistance of veteran ransomware recovery professionals with the skills and perseverance to re-deploy a breached network as urgently as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a ransomware attack, even paying the ransom in cryptocurrency does not ensure that merciless criminals will return the codes to decrypt any of your data. Kaspersky estimated that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in more losses. The risk is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET estimates to be approximately $13,000. The alternative is to piece back together the critical elements of your IT environment. Without the availability of complete system backups, this calls for a wide complement of skill sets, professional project management, and the ability to work continuously until the task is done.

For twenty years, Progent has provided expert IT services for companies in Anaheim and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded top certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise in financial management and ERP software solutions. This breadth of expertise affords Progent the capability to efficiently understand important systems and consolidate the surviving components of your network system following a crypto-ransomware event and configure them into a functioning system.

Progent's recovery team has state-of-the-art project management applications to coordinate the sophisticated recovery process. Progent appreciates the importance of working quickly and in concert with a customerís management and IT resources to prioritize tasks and to get key systems back on line as fast as humanly possible.

Client Story: A Successful Ransomware Virus Restoration
A business contacted Progent after their organization was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by Northern Korean state criminal gangs, suspected of adopting techniques exposed from Americaís National Security Agency. Ryuk goes after specific businesses with limited tolerance for disruption and is one of the most lucrative versions of ransomware. Major victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with about 500 staff members. The Ryuk event had frozen all business operations and manufacturing processes. The majority of the client's backups had been online at the beginning of the intrusion and were encrypted. The client was evaluating paying the ransom (exceeding $200,000) and hoping for the best, but ultimately reached out to Progent.


"I canít speak enough in regards to the expertise Progent provided us during the most critical time of (our) businesses survival. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent group provided us. That you could get our messaging and key servers back sooner than one week was earth shattering. Each expert I talked with or communicated with at Progent was laser focused on getting our company operational and was working all day and night on our behalf."

Progent worked with the client to rapidly determine and prioritize the most important elements that had to be recovered to make it possible to continue departmental functions:

  • Active Directory (AD)
  • Electronic Messaging
  • Financials/MRP
To get going, Progent adhered to ransomware event mitigation best practices by stopping lateral movement and cleaning systems of viruses. Progent then initiated the steps of recovering Active Directory, the key technology of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not work without Windows AD, and the businessesí financials and MRP applications used SQL Server, which depends on Windows AD for access to the information.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then performed rebuilding and hard drive recovery of key servers. All Exchange Server schema and attributes were intact, which greatly helped the restore of Exchange. Progent was able to collect intact OST data files (Outlook Email Offline Data Files) on staff PCs to recover email data. A not too old offline backup of the businesses accounting/ERP systems made them able to restore these essential applications back online for users. Although a large amount of work needed to be completed to recover fully from the Ryuk virus, the most important services were recovered quickly:


"For the most part, the production operation did not miss a beat and we produced all customer deliverables."

Over the following few weeks important milestones in the recovery process were made through tight collaboration between Progent consultants and the customer:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Exchange Server containing more than four million historical messages was brought on-line and available for users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory Control functions were fully functional.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • 90% of the user desktops and notebooks were functioning as before the incident.

"Much of what was accomplished in the early hours is mostly a blur for me, but our team will not forget the urgency each of your team accomplished to help get our company back. I have been working together with Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A probable company-ending disaster was evaded due to results-oriented experts, a broad range of knowledge, and close collaboration. Although in retrospect the crypto-ransomware attack described here should have been identified and blocked with current cyber security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and properly executed incident response procedures for backup and applying software patches, the reality remains that government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware penetration, remember that Progent's roster of professionals has proven experience in ransomware virus defense, cleanup, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were involved), thank you for letting me get some sleep after we got through the initial push. Everyone did an incredible job, and if any of your guys is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Anaheim a portfolio of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services include next-generation machine learning capability to detect new variants of crypto-ransomware that are able to get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting edge behavior-based analysis tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely evade traditional signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to automate the complete malware attack progression including blocking, identification, mitigation, remediation, and forensics. Top capabilities include single-click rollback with Windows VSS and automatic system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer economical multi-layer security for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies packaged within one agent managed from a unified control. Progent's security and virtualization experts can assist you to design and configure a ProSight ESP deployment that meets your organization's unique needs and that allows you achieve and demonstrate compliance with government and industry information protection standards. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent's consultants can also help your company to install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses a low cost end-to-end solution for reliable backup/disaster recovery. For a fixed monthly cost, ProSight Data Protection Services automates your backup activities and enables fast recovery of critical data, apps and VMs that have become lost or corrupted due to hardware breakdowns, software bugs, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local storage device, or to both. Progent's cloud backup consultants can provide advanced expertise to configure ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FIRPA, and PCI and, whenever necessary, can assist you to restore your business-critical information. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security companies to provide centralized management and comprehensive security for your email traffic. The powerful structure of Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks the vast majority of threats from making it to your network firewall. This decreases your vulnerability to external threats and saves system bandwidth and storage space. Email Guard's on-premises gateway device adds a further layer of analysis for inbound email. For outbound email, the local gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to diagram, monitor, enhance and debug their connectivity hardware like routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are kept current, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating complex network management activities, WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, locating appliances that need important software patches, or isolating performance issues. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to keep your network running efficiently by tracking the state of critical computers that power your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT personnel and your assigned Progent consultant so that all potential problems can be resolved before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hardware solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard information related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of time spent trying to find vital information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether youíre planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require when you need it. Read more about ProSight IT Asset Management service.
For 24x7x365 Anaheim Ransomware Repair Consulting, contact Progent at 800-993-9400 or go to Contact Progent.