Ransomware : Your Feared Information Technology Catastrophe
Crypto-Ransomware Remediation Consultants
Crypto-ransomware has become an escalating cyberplague that represents an extinction-level danger for organizations unprepared for an attack. Multiple generations of ransomware such as the Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been in the wild for many years and continue to inflict harm. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, as well as frequently encountered but as yet unnamed malware, not only encrypt online data files but also seek out and encrypt any system backups they can reach. Data synchronized to off-site disaster recovery sites can be corrupted as well. With a poorly designed data protection solution, this can render any recovery useless and effectively knocks the datacenter back to square one.

Bringing applications and data back online after a ransomware event becomes a race against the clock as the victim tries to stop lateral movement, remove the malware, and resume business-critical activity. Because ransomware needs time to spread, attacks are often launched on weekends, when a successful intrusion tends to take longer to notice. This compounds the difficulty of rapidly mobilizing and organizing a capable mitigation team.

Progent offers an assortment of support services for protecting enterprises from ransomware attacks. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security solutions that use machine learning to detect and stop zero-day attacks. Progent also offers the assistance of seasoned crypto-ransomware recovery engineers with the skill and perseverance to redeploy a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
After a ransomware intrusion, paying the ransom in Bitcoin does not guarantee that the criminal gang will respond with the keys to decrypt any or all of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to piece the essential parts of your IT environment back together. Without usable backups of essential data, this calls for a wide range of skill sets, top-notch team management, and the capability to work non-stop until the task is completed.

For decades, Progent has provided expert IT services to businesses in Oakland and across the U.S. and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold advanced certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC (visit Progent's certifications). Progent also has expertise in accounting and ERP software solutions. This breadth of expertise gives Progent the capability to identify the important systems, organize the surviving components of your IT environment after a ransomware event, and reassemble them into a functioning system.

Progent's recovery team uses best-of-breed project management tools to orchestrate the complicated recovery process. Progent appreciates the importance of acting rapidly and in unison with a customer's management and IT staff to prioritize tasks and get critical applications back online as fast as possible.

Customer Case Study: A Successful Ransomware Attack Recovery
A customer sought out Progent after their organization was brought down by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government-sponsored cybercriminals, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk targets specific organizations with little or no tolerance for disruption and is among the most lucrative incarnations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer located in the Chicago metro area with around 500 employees. The Ryuk attack had shut down all essential business and manufacturing operations. Most of the client's data backups had been directly accessible from the network at the time of the intrusion and were encrypted along with everything else. The client was arranging financing to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I can't speak enough in regards to the support Progent provided us during the most critical period of (our) business's existence. We most likely would have paid the hackers behind this attack if not for the confidence the Progent team afforded us. That you could get our e-mail and key applications back quicker than seven days was incredible. Every single person I worked with or texted at Progent was hell bent on getting us back on-line and was working day and night on our behalf."

Progent worked hand in hand with the customer to quickly assess and prioritize the essential elements that had to be restored before company operations could continue:

  • Active Directory
  • Electronic Messaging
  • Financials/MRP

To begin, Progent followed anti-virus/anti-malware incident mitigation best practices by isolating and cleaning infected systems. Progent then started the task of bringing Windows Active Directory back online, since it is the core of enterprise environments built on Microsoft Windows technology. Exchange email will not work without Active Directory, and the client's financials and MRP applications ran on Microsoft SQL Server, which relies on Active Directory for authentication and authorization of access to the data.
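The restoration order described above (Active Directory first, then the services that authenticate against it, then the applications that sit on those) can be written down as a dependency graph and solved mechanically, which helps a recovery team see what is blocked on what. The following is an added illustration, not Progent's own tooling; the asset names, priorities and recovery sources are constructed to mirror this case study.

```python
"""Recovery-order planner (added illustration, not Progent's tooling).

Each asset records a priority (lower restores sooner once unblocked),
the assets it depends on, and where its recovery source is. The
inventory below is constructed to mirror the case study: AD rebuilt,
Exchange data intact on disk plus user OST files, ERP from an offline
backup. Priorities are illustrative assumptions.
"""
import heapq
from collections import defaultdict

ASSETS = {
    "active_directory": (1, [], "rebuild from scratch"),
    "exchange":         (2, ["active_directory"], "intact on-disk data + user OST files"),
    "sql_server":       (2, ["active_directory"], "rebuild, restore DBs from offline backup"),
    "financials_mrp":   (3, ["sql_server"], "offline backup"),
    "web_apps":         (4, ["active_directory", "sql_server"], "intact"),
    "mailstore":        (4, ["exchange"], "intact archive"),
}


def recovery_plan(assets, already_restored=()):
    """Return [(asset, recovery_source)] in an order that never starts an
    asset before its dependencies, breaking ties by priority (Kahn's
    algorithm with a priority heap). Raises ValueError on an unknown
    dependency or a dependency cycle, either of which would stall a
    real recovery and should be caught while planning."""
    indegree = {name: 0 for name in assets}
    dependents = defaultdict(list)
    for name, (_, deps, _) in assets.items():
        for dep in deps:
            if dep not in assets:
                raise ValueError(f"{name} depends on unknown asset {dep}")
            dependents[dep].append(name)
            indegree[name] += 1
    done = set(already_restored)
    # Dependencies that are already back do not block their dependents.
    for name in done:
        for child in dependents[name]:
            indegree[child] -= 1
    ready = [(p, n) for n, (p, _, _) in assets.items()
             if n not in done and indegree[n] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (assets[child][0], child))
    pending = [n for n in assets if n not in done and n not in order]
    if pending:  # nodes never reached zero in-degree: a cycle remains
        raise ValueError(f"dependency cycle among: {sorted(pending)}")
    return [(n, assets[n][2]) for n in order]


if __name__ == "__main__":
    for step, (asset, source) in enumerate(recovery_plan(ASSETS), 1):
        print(f"{step}. {asset:18s} <- {source}")
```

Passing `already_restored=("active_directory",)` after the domain is back re-plans only the remaining assets, which is how the tool would be used day to day during an incident.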

Within 48 hours, Progent had recovered Windows Active Directory to its pre-attack state. Progent then helped rebuild and recover the disks of the other required systems. All Exchange Server data and configuration information were intact, which greatly simplified the Exchange restore. Progent was also able to locate unencrypted OST files (Microsoft Outlook Offline Folder Files) on user PCs and use them to recover mail messages. A fairly recent offline backup of the business's financials/ERP software made it possible to bring these required applications back online for users. Although significant work remained to recover completely from the Ryuk event, core systems were restored quickly:


"For the most part, the assembly line operation was never shut down and we did not miss any customer sales."

Throughout the following month, key milestones in the restoration process were reached in close collaboration between Progent consultants and the customer:

  • In-house web applications were brought back up with no loss of data.
  • The MailStore Server containing more than four million archived messages was brought on-line and available for users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory modules were fully functional.
  • A new Palo Alto Networks 850 firewall was deployed.
  • 90% of the user PCs were back in use by staff.

"Much of what happened in the early hours is mostly a blur for me, but my team will not soon forget the care all of the team put in to help get our business back. I have entrusted Progent for the past 10 years, possibly more, and each time I needed help Progent has come through and delivered. This situation was a testament to your capabilities."

Conclusion
A probable business-ending catastrophe was averted through hard-working experts, a wide range of subject matter expertise, and close collaboration. In retrospect, the ransomware incident described here would have been identified and blocked by current security technology and best practices, user training, and well-designed procedures for data backup and patch management. The reality, however, is that state-sponsored hackers from Russia, China and elsewhere are tireless and will keep attacking. If you are hit by a ransomware incursion, you can be confident that Progent's team of experts has proven experience in ransomware blocking, remediation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were helping), I'm grateful for letting me get some sleep after we made it past the initial push. All of you did an impressive effort, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Oakland a range of remote monitoring and security evaluation services to help you minimize the threat from crypto-ransomware. These services incorporate next-generation AI technology to detect zero-day variants of ransomware that can slip past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses cutting-edge behavior-based machine learning to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely evade traditional signature-based AV products. ProSight ASM safeguards local and cloud resources and provides a unified platform to automate the entire malware attack lifecycle, including blocking, identification, mitigation, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer economical in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and respond to attacks from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device management, and web filtering through leading-edge technologies incorporated within a single agent managed from a single console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP environment that meets your organization's unique requirements and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate attention. Progent's consultants can also help you set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized businesses a low-cost, fully managed solution for secure backup and disaster recovery (BDR). Available at a fixed monthly price, ProSight Data Protection Services automates your backup activities and allows rapid recovery of critical files, applications and virtual machines that have become unavailable or damaged as a result of component failures, software glitches, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, and Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's cloud backup consultants can provide world-class support to configure ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can help you recover your business-critical data. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top information security companies to deliver centralized control and comprehensive security for all your inbound and outbound email. The hybrid architecture of Email Guard managed service combines cloud-based filtering with a local security gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter acts as a first line of defense and blocks the vast majority of unwanted email from making it to your network firewall. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance adds a further layer of analysis for incoming email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays within your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to map, track, optimize and troubleshoot their connectivity appliances such as switches, firewalls, and load balancers, plus servers, endpoints and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that network diagrams are always up to date, captures and displays the configuration of virtually every device connected to your network, tracks performance, and sends alerts when issues are discovered. By automating time-consuming network management processes, WAN Watch can cut hours off common tasks such as network mapping, reconfiguring your network, locating appliances that require important software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management techniques to keep your network operating at peak levels by tracking the health of the vital assets that power your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT management staff and your Progent consultant so that potential issues can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be ported easily to an alternate hosting environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect information about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By keeping your IT documentation current and well managed, you can save as much as half of the time otherwise wasted hunting for critical information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your business network, such as standard operating procedures (SOPs) and how-to guides. ProSight IT Asset Management also offers a high level of automation for gathering and correlating IT information. Whether you're making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about ProSight IT Asset Management service.

For 24x7 Oakland crypto-ransomware remediation experts, contact Progent at 800-462-8800 or go to Contact Progent.