Ransomware : Your Feared IT Disaster
Crypto-Ransomware  Remediation ConsultantsRansomware has become an escalating cyberplague that presents an extinction-level danger for businesses of all sizes unprepared for an attack. Different iterations of ransomware like the Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for years and continue to cause harm. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as frequent unnamed newcomers, not only do encryption of online data but also infect many accessible system protection mechanisms. Files synched to off-site disaster recovery sites can also be ransomed. In a poorly architected system, this can render any restore operations useless and effectively sets the network back to zero.

Retrieving programs and information after a crypto-ransomware outage becomes a race against time as the targeted business struggles to contain and remove the ransomware and to restore business-critical activity. Due to the fact that ransomware needs time to replicate, attacks are usually sprung at night, when attacks may take more time to notice. This compounds the difficulty of promptly marshalling and coordinating an experienced response team.

Progent provides a variety of help services for securing enterprises from ransomware events. These include staff education to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of next-generation security solutions with machine learning capabilities to quickly discover and quarantine day-zero cyber threats. Progent in addition can provide the assistance of seasoned ransomware recovery consultants with the talent and perseverance to re-deploy a breached system as urgently as possible.

Progent's Crypto-Ransomware Restoration Help
After a ransomware penetration, sending the ransom demands in cryptocurrency does not provide any assurance that merciless criminals will return the needed codes to decipher any of your data. Kaspersky determined that 17% of ransomware victims never recovered their data even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the typical ransomware demands, which ZDNET averages to be approximately $13,000. The alternative is to piece back together the key parts of your IT environment. Absent access to complete information backups, this calls for a wide complement of skills, well-coordinated project management, and the capability to work continuously until the job is completed.

For twenty years, Progent has made available expert Information Technology services for companies in Los Angeles and across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience with financial systems and ERP application software. This breadth of experience affords Progent the skills to rapidly ascertain necessary systems and organize the surviving parts of your computer network system following a ransomware event and assemble them into a functioning system.

Progent's security group utilizes best of breed project management applications to coordinate the complex recovery process. Progent understands the importance of working rapidly and in unison with a client's management and IT team members to assign priority to tasks and to get essential services back on-line as soon as humanly possible.

Business Case Study: A Successful Ransomware Penetration Restoration
A small business hired Progent after their network was taken over by Ryuk ransomware. Ryuk is thought to have been developed by North Korean government sponsored hackers, possibly adopting approaches leaked from the U.S. National Security Agency. Ryuk targets specific companies with little room for operational disruption and is among the most lucrative iterations of ransomware. High publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer based in the Chicago metro area and has around 500 staff members. The Ryuk event had disabled all essential operations and manufacturing capabilities. The majority of the client's data backups had been online at the beginning of the attack and were encrypted. The client was evaluating paying the ransom (more than $200,000) and praying for good luck, but ultimately utilized Progent.


"I cannot say enough in regards to the care Progent provided us throughout the most fearful period of (our) businesses survival. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent team gave us. The fact that you were able to get our e-mail system and production applications back online in less than five days was amazing. Each expert I interacted with or messaged at Progent was totally committed on getting us operational and was working all day and night to bail us out."

Progent worked together with the customer to quickly identify and assign priority to the essential services that needed to be restored to make it possible to restart company operations:

  • Active Directory (AD)
  • Electronic Mail
  • Accounting and Manufacturing Software
To begin, Progent adhered to AV/Malware Processes incident mitigation industry best practices by stopping the spread and removing active viruses. Progent then began the task of bringing back online Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange email will not work without AD, and the customerís accounting and MRP software used Microsoft SQL Server, which depends on Active Directory services for authentication to the data.

In less than 2 days, Progent was able to restore Windows Active Directory to its pre-virus state. Progent then accomplished setup and hard drive recovery of critical servers. All Microsoft Exchange Server data and attributes were intact, which accelerated the restore of Exchange. Progent was also able to find intact OST data files (Microsoft Outlook Off-Line Folder Files) on user desktop computers and laptops in order to recover mail messages. A recent off-line backup of the client's financials/MRP systems made them able to return these required services back available to users. Although a large amount of work needed to be completed to recover fully from the Ryuk damage, essential services were restored quickly:


"For the most part, the assembly line operation showed little impact and we delivered all customer sales."

Throughout the following month important milestones in the recovery project were completed through close cooperation between Progent engineers and the customer:

  • Self-hosted web applications were returned to operation with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than four million historical emails was spun up and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory capabilities were 100% operational.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Nearly all of the desktop computers were being used by staff.

"A lot of what transpired those first few days is mostly a blur for me, but my team will not soon forget the care all of the team put in to give us our company back. Iíve entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A possible enterprise-killing disaster was avoided through the efforts of results-oriented professionals, a broad spectrum of subject matter expertise, and tight teamwork. Although upon completion of forensics the ransomware attack detailed here would have been identified and disabled with advanced cyber security technology and recognized best practices, team training, and appropriate incident response procedures for data backup and keeping systems up to date with security patches, the fact is that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, feel confident that Progent's roster of professionals has proven experience in ransomware virus defense, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were contributing), thanks very much for letting me get some sleep after we made it through the most critical parts. Everyone did an impressive job, and if anyone is visiting the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Los Angeles a variety of online monitoring and security assessment services designed to assist you to minimize your vulnerability to ransomware. These services include next-generation AI technology to uncover zero-day strains of crypto-ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely evade traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to automate the entire malware attack lifecycle including filtering, detection, containment, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver economical in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies packaged within a single agent accessible from a unified console. Progent's security and virtualization experts can help your business to design and implement a ProSight ESP deployment that meets your organization's specific requirements and that helps you demonstrate compliance with government and industry information security standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent action. Progent can also assist you to set up and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized businesses a low cost end-to-end service for secure backup/disaster recovery. For a low monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows fast recovery of vital files, apps and VMs that have become lost or corrupted as a result of hardware failures, software glitches, disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class expertise to set up ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FINRA, and PCI and, whenever needed, can help you to restore your business-critical information. Read more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading information security companies to deliver web-based control and world-class security for all your email traffic. The powerful architecture of Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway device to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and blocks the vast majority of threats from reaching your network firewall. This decreases your vulnerability to external threats and conserves network bandwidth and storage. Email Guard's on-premises gateway device adds a deeper level of inspection for inbound email. For outbound email, the onsite security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server to track and protect internal email that stays within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map, monitor, enhance and troubleshoot their connectivity hardware such as switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that infrastructure topology maps are kept current, copies and manages the configuration of almost all devices on your network, tracks performance, and sends alerts when problems are discovered. By automating time-consuming management activities, ProSight WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, finding appliances that need important software patches, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the health of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so any looming issues can be addressed before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be moved immediately to an alternate hardware environment without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard data related to your network infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted automatically about impending expirations of SSLs or domains. By cleaning up and organizing your network documentation, you can save as much as 50% of time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether youíre planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.
For Los Angeles 24x7 Ransomware Cleanup Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.