Ransomware: Your Worst Information Technology Nightmare
Ransomware Recovery Professionals

Ransomware has become an escalating cyber pandemic that poses an extinction-level threat for businesses of all sizes that are unprepared for an attack. Versions of ransomware like the CrySIS, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been replicating for years and continue to inflict havoc. More recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, plus additional unnamed newcomers, not only encrypt online data but also infiltrate any accessible system protection mechanisms. Data replicated to off-site disaster recovery sites can also be corrupted. Against a vulnerable data protection solution, this can render any restore operation hopeless and effectively set the network back to zero.

Getting applications and data back online following a crypto-ransomware attack becomes a sprint against time as the victim struggles to contain the damage, remove the ransomware, and resume business-critical activity. Because crypto-ransomware requires time to spread, attacks are frequently launched on weekends, when successful penetrations typically take longer to identify. This compounds the difficulty of quickly assembling and coordinating a knowledgeable mitigation team.

Progent has a variety of services for securing enterprises from crypto-ransomware penetrations. Among these are team education to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of the latest generation security gateways with artificial intelligence capabilities to quickly identify and quarantine new cyber attacks. Progent in addition can provide the assistance of seasoned crypto-ransomware recovery consultants with the talent and perseverance to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware penetration, even paying the ransom demand in Bitcoin cryptocurrency does not guarantee that the cyber hackers will return the codes needed to decrypt any or all of your data. Kaspersky determined that 17% of ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET estimates to be around $13,000. The other path is to piece back together the critical parts of your IT environment. Without full system backups available, this requires a wide complement of skill sets, top-notch team management, and the ability to work non-stop until the job is done.

For decades, Progent has offered certified expert IT services for companies in Oakland and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have garnered internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent in addition has experience with financial systems and ERP software solutions. This breadth of expertise allows Progent to understand the systems that must be recovered, reorganize the surviving parts of your IT environment following a ransomware attack, and configure them into an operational system.

Progent's security team has best-of-breed project management tools to coordinate the complicated restoration process. Progent knows the importance of acting rapidly and in concert with a customer's management and Information Technology staff to assign priority to tasks and to get key applications back online as soon as humanly possible.

Client Story: A Successful Ransomware Incident Restoration
A customer engaged Progent after their network was brought down by Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored hackers, suspected of adopting algorithms leaked from the United States NSA. Ryuk targets specific companies with little or no tolerance for operational disruption and is among the most lucrative iterations of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer located in the Chicago metro area with about 500 staff members. The Ryuk penetration had brought down all business operations and manufacturing capabilities. Most of the client's system backups had been online at the start of the attack and were damaged. The client was actively seeking loans for paying the ransom (more than two hundred thousand dollars) and praying for the best, but in the end brought in Progent.

"I cannot thank you enough for the expertise Progent gave us throughout the most critical time of (our) company's existence. We may have had to pay the criminal gangs except for the confidence the Progent team afforded us. That you were able to get our e-mail system and key servers back quicker than 1 week was amazing. Each staff member I interacted with or texted at Progent was urgently focused on getting my company operational and was working at all hours on our behalf."

Progent worked hand in hand with the client to rapidly determine and prioritize the key applications that needed to be restored in order to resume company functions:

  • Microsoft Active Directory
  • Electronic Mail
  • Accounting/MRP

To get going, Progent adhered to ransomware incident response best practices by halting lateral movement and cleaning systems of malware. Progent then started the process of restoring Windows Active Directory, the core of enterprise environments built on Microsoft technology. Microsoft Exchange messaging will not function without AD, and the client's financials and MRP system ran on Microsoft SQL Server, which relies on Active Directory for authenticated access to the data.

In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then charged ahead with rebuilding critical applications and recovering data from hard drives. All Exchange data and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to find intact OST files (Microsoft Outlook Offline Data Files) on staff desktop computers and used them to recover email messages. A relatively recent offline backup of the customer's financials/ERP software made it possible to bring these vital services back online for users. Although a large amount of work remained before the recovery from the Ryuk attack was complete, essential systems were recovered quickly:

"For the most part, the production manufacturing operation was never shut down and we made all customer deliverables."

During the following month key milestones in the recovery process were completed through tight cooperation between Progent team members and the customer:

  • In-house web applications were returned to operation with no loss of information.
  • The MailStore Microsoft Exchange Server with over 4 million historical messages was spun up and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control capabilities were completely functional.
  • A new Palo Alto 850 firewall was deployed.
  • 90% of the user desktops and notebooks were functioning as before the incident.

"A huge amount of what went on in the initial days is nearly entirely a blur for me, but my team will not soon forget the dedication all of you accomplished to help get our business back. I have trusted Progent for at least 10 years, possibly more, and every time Progent has shined and delivered as promised. This time was the most impressive ever."

Conclusion
A possible company-ending catastrophe was dodged with dedicated professionals, a broad array of subject matter expertise, and close collaboration. Although post-incident forensics showed that the crypto-ransomware attack detailed here should have been stopped by up-to-date security solutions and security best practices, team education, and properly executed procedures for backup and for keeping systems current with security patches, the reality remains that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware incident, remember that Progent's roster of professionals has proven experience in crypto-ransomware blocking, remediation, and data recovery.

"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for making it so I could get rested after we made it through the initial fire. Everyone did an amazing effort, and if any of your guys is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Oakland a portfolio of remote monitoring and security assessment services designed to assist you to reduce the threat from ransomware. These services utilize next-generation machine learning technology to detect zero-day strains of ransomware that can evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes cutting-edge behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus tools. ProSight ASM protects local and cloud resources and provides a single platform to manage the complete threat lifecycle including protection, detection, mitigation, remediation, and post-attack forensics. Top features include one-click rollback with Windows VSS and automatic system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer economical multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering through cutting-edge technologies incorporated within one agent accessible from a unified control. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP environment that addresses your company's unique needs and that helps you demonstrate compliance with legal and industry information protection regulations. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent attention. Progent's consultants can also help your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup software companies to produce ProSight Data Protection Services (DPS), a family of management offerings that deliver backup-as-a-service. ProSight DPS services automate and track your backup operations and enable transparent backup and fast restoration of critical files, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss resulting from hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, human error, malicious employees, or software glitches. Managed backup services in the ProSight Data Protection Services portfolio include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security vendors to deliver centralized management and comprehensive protection for all your email traffic. The hybrid structure of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway appliance to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further level of analysis for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Exchange Server to track and protect internal email traffic that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller organizations to map out, monitor, optimize and troubleshoot their connectivity hardware like routers, firewalls, and wireless controllers plus servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network maps are always updated, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating time-consuming management processes, WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, finding appliances that require critical updates, or isolating performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management techniques to help keep your network running at peak levels by checking the state of critical assets that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your specified IT personnel and your Progent consultant so that any potential problems can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard information related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned about impending expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can save up to 50% of the time wasted looking for critical information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your network infrastructure like recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes next-generation behavior analysis tools to guard endpoints as well as physical and virtual servers against new malware attacks like ransomware and file-less exploits, which easily escape legacy signature-matching AV products. Progent ASM services protect local and cloud-based resources and provide a single platform to address the complete threat lifecycle including blocking, detection, containment, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Find out more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Center: Call Center Managed Services
    Progent's Help Center managed services permit your information technology staff to outsource Support Desk services to Progent or divide responsibilities for Service Desk support transparently between your in-house support resources and Progent's nationwide pool of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a transparent extension of your in-house support resources. Client interaction with the Help Desk, delivery of support services, issue escalation, trouble ticket creation and updates, performance metrics, and maintenance of the support database are consistent regardless of whether incidents are taken care of by your core support organization, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Service Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer businesses of all sizes a flexible and cost-effective solution for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your dynamic IT system. In addition to optimizing the security and functionality of your computer environment, Progent's software/firmware update management services permit your IT team to concentrate on more strategic projects and activities that deliver the highest business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication service plans utilize Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity confirmation with Apple iOS, Google Android, and other personal devices. With 2FA, when you log into a secured application and enter your password, you are asked to verify who you are via a device that only you possess and that is reached over a different ("out-of-band") network channel. A wide range of out-of-band devices can be used as this second form of ID validation, including an iPhone, Android phone or wearable, a hardware token, a landline phone, etc. You can register multiple verification devices. For details about ProSight Duo identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.

For 24-Hour Oakland Ransomware Recovery Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.