Ransomware: Your Crippling IT Nightmare
Ransomware Recovery Professionals
Ransomware has become a modern cyber plague and represents an extinction-level danger for organizations vulnerable to attack. Multiple generations of ransomware, including the Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock families, have been running rampant for years and continue to inflict damage. Recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, along with many less publicized variants, not only encrypt on-line files but also seek out and encrypt or delete any reachable system restore points and backups. Data synchronized to cloud environments can be corrupted as well. Where the data protection design is vulnerable, this can render recovery impossible and effectively knocks the entire system back to zero.

Restoring applications and data after a ransomware attack becomes a race against the clock as the targeted organization fights to stop lateral movement, remove the ransomware, and restore mission-critical operations. Because encryption and propagation take time, attacks are frequently launched at night, when a successful attack is likely to go unnoticed longer. This multiplies the difficulty of promptly assembling and organizing a capable response team.

Progent offers an assortment of services for protecting businesses from ransomware attacks. These include staff training to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of AI-based security solutions to detect and suppress zero-day threats. Progent also offers the assistance of veteran ransomware recovery professionals with the track record and commitment to rebuild a compromised system as quickly as possible.

Progent's Ransomware Recovery Services
After a ransomware event, even paying the ransom in cryptocurrency does not ensure that the criminals will hand over the keys to decrypt any or all of your data. Kaspersky Lab estimated that seventeen percent of ransomware victims who paid never recovered their data, compounding their losses. Paying is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), well above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the key parts of your IT environment. Without usable backups of essential data, this requires a broad range of IT skills, professional project management, and the capacity to work around the clock until the recovery is done.

For twenty years, Progent has offered certified expert IT services to businesses in San Diego and throughout the United States and has earned Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's team of subject matter experts (SMEs) includes professionals who hold top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in financial management and ERP application software. This breadth of expertise gives Progent the skills to knowledgeably identify the important systems, organize the surviving pieces of your IT environment after a ransomware event, and configure them into an operational system.

Progent's recovery group uses best-of-breed project management tools to coordinate the complicated restoration process. Progent appreciates the urgency of working swiftly and in unison with a customer's management and IT staff to prioritize tasks and to get key services back on-line as fast as humanly possible.

Customer Story: A Successful Ransomware Intrusion Recovery
A small business sought out Progent after the company was brought down by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored groups because of code it shares with the Hermes ransomware, though later research generally ties it to Russian-speaking criminal operators. Ryuk targets specific businesses with little or no tolerance for disruption and is among the most lucrative ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a manufacturing company headquartered in Chicago with about 500 employees. The Ryuk attack had brought down all essential business and manufacturing operations. The majority of the client's backups had been on-line at the start of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (more than $200K) and hope for the best, but in the end decided to engage Progent.


"I can't speak enough in regards to the help Progent gave us throughout the most fearful period of (our) company's survival. We would have paid the cybercriminals if not for the confidence the Progent group gave us. The fact that you were able to get our messaging and important applications back on-line in less than seven days was amazing. Each consultant I got help from or messaged at Progent was urgently focused on getting my company operational and was working 24/7 to bail us out."

Progent worked with the client to quickly identify and prioritize the critical systems that had to be recovered before company operations could restart:

  • Microsoft Active Directory
  • E-Mail
  • MRP System
To start, Progent followed industry best practices for malware incident response by stopping lateral movement and cleaning infected systems. Progent then began recovering Windows Active Directory, the core of enterprise environments built on Microsoft Windows Server. Microsoft Exchange will not run without AD, and the client's accounting and MRP software ran on Microsoft SQL Server, which was configured to authenticate users through AD. Until AD was back, neither messaging nor manufacturing could be restored.
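The dependency chain just described (AD first, then Exchange and the SQL-backed MRP system) is worth verifying explicitly before a restored tier is declared usable. The following PowerShell script is an added example and is not part of Progent's case study or tooling; it assumes a domain-joined admin workstation with the RSAT ActiveDirectory module, and the server names EXCH01, SQL01 and the database name MRP are hypothetical placeholders.

```powershell
<#
Added example, not from the case study: post-restore readiness check for the
AD -> Exchange / SQL dependency chain. Run from a domain-joined admin host with
RSAT ActiveDirectory installed. $ExchangeServer, $SqlServer and $Database are
hypothetical names; substitute your own.
#>
param(
    [string]$ExchangeServer = 'EXCH01',
    [string]$SqlServer      = 'SQL01',
    [string]$Database       = 'MRP'
)

Import-Module ActiveDirectory -ErrorAction Stop
$checks = [ordered]@{}

# 1. AD DS answers, and a DC is reachable on the ports Exchange and SQL need:
#    Kerberos (88), LDAP (389) and SMB for SYSVOL (445).
$domain = Get-ADDomain
$dcName = [string](Get-ADDomainController -Discover -Service ADWS).HostName
$checks['Domain'] = $domain.DNSRoot
$checks['DC']     = $dcName
foreach ($port in 88, 389, 445) {
    $checks["DC_TCP_$port"] = (Test-NetConnection -ComputerName $dcName -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
}

# 2. Restored DCs replicate cleanly. A stale or divergent DC hands out old
#    passwords, missing accounts, or outdated Exchange configuration.
$failures = @(Get-ADReplicationFailure -Scope Domain -ErrorAction SilentlyContinue)
$checks['ReplicationFailures'] = $failures.Count

# 3. SYSVOL is shared: Group Policy and logon scripts depend on it.
$checks['SysvolShared'] = Test-Path "\\$($domain.DNSRoot)\SYSVOL"

# 4. Exchange keeps its organization configuration in the AD configuration
#    partition. Its presence is what makes a server rebuild
#    (Setup /Mode:RecoverServer) possible without reinstalling the org.
$exchCfg = 'CN=Microsoft Exchange,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
try {
    $checks['ExchangeConfigInAD'] = [bool](Get-ADObject -Identity $exchCfg -ErrorAction Stop)
} catch {
    $checks['ExchangeConfigInAD'] = $false
}

# 5. Core Exchange services running on the rebuilt server
#    (Get-Service -ComputerName is Windows PowerShell 5.1 syntax).
$svc = Get-Service -ComputerName $ExchangeServer -Name MSExchangeIS, MSExchangeTransport -ErrorAction SilentlyContinue
$checks['ExchangeServicesRunning'] = [bool]($svc -and -not ($svc | Where-Object Status -ne 'Running'))

# 6. The MRP database accepts a Windows-integrated login. auth_scheme should
#    read KERBEROS; NTLM means the SPN or DC trust is not fully restored yet,
#    and a failure means SQL cannot authenticate against the restored domain.
try {
    $cs   = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI;Connect Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    $checks['SqlAuthScheme'] = [string]$cmd.ExecuteScalar()
    $conn.Dispose()
} catch {
    $checks['SqlAuthScheme'] = "FAILED: $($_.Exception.Message)"
}

$checks.GetEnumerator() | Format-Table Name, Value -AutoSize
```

Run the checks in this order after each tier is restored: nothing in steps 4 to 6 is meaningful while step 2 still reports replication failures, because Exchange and SQL will authenticate against whichever DC answers first.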

In less than 48 hours, Progent restored Active Directory to its pre-attack state. Progent then rebuilt the most important applications and recovered data from the surviving disks. All Exchange schema and configuration information in AD was intact, which greatly simplified the Exchange rebuild. Progent was also able to locate unencrypted OST files (Outlook Offline Data Files) on user workstations and recover mail data from them. A recent off-line backup of the customer's manufacturing systems made it possible to bring these vital applications back on-line for users. Although major work remained before the recovery from Ryuk was complete, core services were returned to operation rapidly:
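Recovering mail from workstation OST files, as described above, depends on telling intact files from ones the encryptor has already overwritten. The following PowerShell script is an added example, not part of Progent's case study or tooling. It assumes admin rights and the C$ admin share on each workstation; the hostnames WS-001 and WS-002 are placeholders. Outlook OST and PST files begin with the four-byte magic "!BDN" (the dwMagic field of the [MS-PST] header), so a file that no longer starts with it is not a usable mail cache regardless of its name or size.

```powershell
<#
Added example, not from the case study: inventory Outlook data files on user
workstations and separate intact ones from overwritten ones by checking the
"!BDN" header. Hostnames are hypothetical; reads go over the C$ admin share
and need local admin rights on each workstation.
#>
param(
    [string[]]$Computers  = @('WS-001', 'WS-002'),
    [string]  $ReportPath = '.\ost-triage.csv'
)

$Magic = [byte[]](0x21, 0x42, 0x44, 0x4E)   # "!BDN"

function Test-OutlookDataFileHeader {
    param([string]$Path)
    try {
        # FileShare ReadWrite so a still-running Outlook does not block the read.
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
              [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
        try {
            $buf = New-Object byte[] 4
            $n   = $fs.Read($buf, 0, 4)
        } finally {
            $fs.Dispose()
        }
        if ($n -lt 4) { return $false }
        for ($i = 0; $i -lt 4; $i++) {
            if ($buf[$i] -ne $Magic[$i]) { return $false }
        }
        return $true
    } catch {
        return $false   # locked, access denied, or vanished: treat as unusable
    }
}

$results = foreach ($c in $Computers) {
    $root = "\\$c\C$\Users"
    if (-not (Test-Path $root)) {
        [pscustomobject]@{ Computer = $c; Path = ''; SizeMB = 0; HeaderOK = $false; Note = 'host unreachable' }
        continue
    }
    # Encryptors that rename files will not match *.ost/*.pst; add the observed
    # extension to -Include if you also want the header check run on those.
    Get-ChildItem -Path $root -Recurse -File -Include *.ost, *.pst -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ok   = Test-OutlookDataFileHeader -Path $_.FullName
            $note = if ($ok) { 'intact: copy off-line before further cleanup' } else { 'header mismatch: probably encrypted' }
            [pscustomobject]@{
                Computer = $c
                Path     = $_.FullName
                SizeMB   = [math]::Round($_.Length / 1MB, 1)
                HeaderOK = $ok
                Note     = $note
            }
        }
}

$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Where-Object HeaderOK | Sort-Object SizeMB -Descending |
    Format-Table Computer, SizeMB, Path -AutoSize
```

Copy the files flagged as intact to storage that is not reachable from the compromised domain before any further cleanup or reimaging touches the workstations. A matching header is a fast first filter, not proof that the whole file is sound; open each recovered file in Outlook or run it through the Inbox Repair Tool (ScanPST.exe) before relying on it.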


"For the most part, the production manufacturing operation showed little impact and we produced all customer orders."

During the following month, critical milestones in the recovery project were reached through close collaboration between Progent consultants and the customer:

  • Internal web applications were brought back up without losing any data.
  • The MailStore Server containing more than 4 million historical messages was brought online and accessible to users.
  • CRM/Orders/Invoices/AP/AR/Inventory Control modules were completely operational.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • Ninety percent of the user workstations were functioning as before the incident.

"Much of what happened those first few days is mostly a haze for me, but we will not forget the care each of you put in to give us our company back. I have trusted Progent for the past 10 years, maybe more, and every time Progent has shined and delivered. This event was a Herculean accomplishment."

Conclusion
A potential business extinction event was averted through the efforts of dedicated experts, a broad range of technical expertise, and close collaboration. In hindsight, the ransomware attack detailed here could likely have been prevented by advanced security systems and ISO/IEC 27001 best practices, staff training, and properly executed procedures for data protection and software patching; but the fact remains that state-sponsored and criminal hackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you are hit by ransomware, remember that Progent's team has proven experience in ransomware prevention, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for making it so I could get some sleep after we made it past the initial push. All of you did an incredible job, and if anyone is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in San Diego with a portfolio of on-line monitoring and security assessment services designed to help you reduce your exposure to ransomware. These services use next-generation AI capabilities to detect new ransomware variants that evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that uses next-generation behavior-based analysis to defend physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to automate the entire threat lifecycle, including blocking, identification, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Note that a VSS rollback can only restore what the shadow copies still hold; ransomware that deletes shadow copies before encrypting leaves nothing to roll back to, so this capability complements, rather than replaces, off-line backups. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of, and response to, cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help you design and implement a ProSight ESP deployment that meets your company's specific requirements and that allows you to prove compliance with legal and industry information security regulations. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent's consultants can also help you set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous security incident such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with leading backup software vendors to create ProSight Data Protection Services (DPS), a selection of subscription-based managed offerings that deliver backup-as-a-service. ProSight DPS services manage and monitor your backup processes and allow transparent backup and fast restoration of vital files, applications, system images, and VMs. ProSight DPS helps you recover from data loss caused by hardware failures, natural disasters, fire, malware such as ransomware, human error, malicious insiders, or application bugs. Managed services in the ProSight DPS family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you identify which of these managed backup services are best suited to your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading information security vendors to provide web-based management and world-class security for all your email traffic. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your vulnerability to inbound attacks and conserves system bandwidth and storage. Email Guard's on-premises gateway device provides a further layer of analysis for inbound email. For outgoing email, the local gateway provides AV and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to map, track, reconfigure and debug their networking appliances such as routers, firewalls, and access points, plus servers, printers, client computers and other devices. Using modern Remote Monitoring and Management technology, ProSight WAN Watch keeps infrastructure topology diagrams up to date, captures and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when problems are detected. By automating time-consuming network management processes, WAN Watch can cut hours off ordinary tasks such as network mapping, expanding your network, finding appliances that need important updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by tracking the state of the vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT management staff and your Progent engineering consultant so that looming issues can be resolved before they impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting, a small business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved easily to different hardware without a time-consuming and difficult reconfiguration. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to create, update, find and protect information related to your IT infrastructure, procedures, business applications, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By keeping your IT documentation current and organized, you can save as much as 50% of the time otherwise wasted looking for critical information about your network. ProSight IT Asset Management provides a centralized location for storing and sharing all documents related to managing your business network, such as recommended procedures and How-Tos. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that uses next-generation behavior-based machine learning technology to defend endpoint devices, servers and VMs against modern malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus products. The service safeguards on-premises and cloud-based resources and offers a unified platform to address the complete threat progression, including filtering, identification, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using the Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Find out more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
    Progent's Help Desk managed services enable your IT staff to offload Help Desk services to Progent or to divide responsibility for support seamlessly between your internal support group and Progent's extensive roster of IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a seamless supplement to your internal IT support resources. End-user access to the Help Desk, delivery of support, problem escalation, trouble ticket creation and updates, performance metrics, and maintenance of the support database are consistent whether issues are resolved by your core network support group, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Help Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer businesses of any size a versatile and cost-effective solution for evaluating, testing, scheduling, applying, and documenting updates to your dynamic IT system. Besides maximizing the security and functionality of your IT network, Progent's patch management services allow your in-house IT team to concentrate on line-of-business initiatives and tasks that derive maximum business value from your information network. Learn more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication services use Cisco's Duo technology to protect against credential theft by requiring two-factor authentication (2FA). Duo supports single-tap identity confirmation with iOS, Android, and other personal devices. With Duo 2FA, when you sign into a protected application and enter your password, you are asked to confirm your identity on a device that only you possess and that communicates over a separate channel, so a stolen password alone is not enough to log in. A broad range of devices can serve as this second factor, such as a smartphone or watch, a hardware or software token, or a landline telephone, and you can enroll several of them. For details about ProSight Duo identity validation services, go to Duo MFA two-factor authentication services for access security.
For San Diego 24-7 Crypto-Ransomware Remediation Help, reach out to Progent at 800-462-8800 or go to Contact Progent.