Ransomware : Your Crippling Information Technology Nightmare
Ransomware  Recovery ConsultantsRansomware has become an escalating cyber pandemic that presents an extinction-level threat for businesses unprepared for an attack. Versions of ransomware like the Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for a long time and still cause harm. The latest strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as frequent unnamed viruses, not only do encryption of online files but also infect any accessible system restores and backups. Data replicated to cloud environments can also be encrypted. In a poorly designed data protection solution, this can render automated recovery impossible and effectively knocks the entire system back to square one.

Getting back online services and data following a ransomware outage becomes a race against the clock as the targeted business struggles to contain and eradicate the ransomware and to resume business-critical activity. Because ransomware takes time to spread, attacks are frequently launched at night, when penetrations in many cases take more time to notice. This compounds the difficulty of rapidly mobilizing and coordinating a knowledgeable response team.

Progent has a range of services for securing businesses from crypto-ransomware penetrations. Among these are team member education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security gateways with artificial intelligence capabilities to rapidly discover and disable new cyber threats. Progent in addition provides the services of veteran ransomware recovery professionals with the track record and commitment to reconstruct a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Help
After a crypto-ransomware attack, sending the ransom in Bitcoin cryptocurrency does not guarantee that criminal gangs will respond with the needed codes to decipher all your information. Kaspersky ascertained that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well higher than the typical ransomware demands, which ZDNET estimates to be around $13,000. The other path is to setup from scratch the essential parts of your IT environment. Without access to complete system backups, this calls for a broad complement of IT skills, well-coordinated project management, and the willingness to work non-stop until the recovery project is done.

For twenty years, Progent has provided professional IT services for businesses in Salinas and across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have garnered internationally-recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience in accounting and ERP software solutions. This breadth of experience affords Progent the capability to quickly ascertain important systems and re-organize the surviving components of your computer network environment after a ransomware penetration and rebuild them into a functioning system.

Progent's security team of experts deploys state-of-the-art project management applications to orchestrate the complex recovery process. Progent understands the importance of acting quickly and in unison with a customerís management and Information Technology resources to prioritize tasks and to put critical applications back on line as soon as possible.

Client Case Study: A Successful Ransomware Attack Recovery
A customer hired Progent after their company was brought down by the Ryuk ransomware. Ryuk is thought to have been launched by Northern Korean government sponsored hackers, suspected of adopting strategies exposed from the United States NSA organization. Ryuk seeks specific companies with little room for operational disruption and is among the most lucrative instances of ransomware. Major targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in the Chicago metro area and has around 500 employees. The Ryuk event had shut down all essential operations and manufacturing capabilities. The majority of the client's data protection had been directly accessible at the beginning of the intrusion and were destroyed. The client was taking steps for paying the ransom (more than two hundred thousand dollars) and wishfully thinking for the best, but ultimately reached out to Progent.


"I canít speak enough about the expertise Progent provided us during the most fearful time of (our) companyís existence. We most likely would have paid the cybercriminals if it wasnít for the confidence the Progent team gave us. That you could get our messaging and essential servers back online quicker than one week was incredible. Every single staff member I got help from or e-mailed at Progent was amazingly focused on getting our system up and was working day and night on our behalf."

Progent worked with the client to rapidly identify and prioritize the critical areas that had to be recovered in order to continue business functions:

  • Windows Active Directory
  • Microsoft Exchange
  • Accounting/MRP
To begin, Progent followed ransomware penetration mitigation best practices by stopping lateral movement and removing active viruses. Progent then initiated the steps of bringing back online Active Directory, the foundation of enterprise environments built on Microsoft technology. Exchange email will not function without AD, and the customerís financials and MRP system used Microsoft SQL, which needs Active Directory for security authorization to the information.

In less than 48 hours, Progent was able to re-build Active Directory to its pre-virus state. Progent then initiated reinstallations and hard drive recovery of mission critical systems. All Microsoft Exchange Server ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to locate non-encrypted OST data files (Microsoft Outlook Off-Line Folder Files) on staff PCs in order to recover email messages. A not too old offline backup of the businesses financials/MRP software made them able to return these vital services back servicing users. Although major work remained to recover totally from the Ryuk damage, critical systems were returned to operations rapidly:


"For the most part, the assembly line operation did not miss a beat and we produced all customer orders."

During the following few weeks critical milestones in the recovery project were accomplished in tight cooperation between Progent team members and the customer:

  • Internal web sites were brought back up with no loss of data.
  • The MailStore Microsoft Exchange Server containing more than four million historical messages was spun up and accessible to users.
  • CRM/Customer Orders/Invoicing/AP/AR/Inventory Control capabilities were 100 percent operational.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • 90% of the user workstations were being used by staff.

"So much of what transpired in the initial days is mostly a fog for me, but we will not soon forget the countless hours all of your team accomplished to give us our business back. I have been working with Progent for at least 10 years, maybe more, and each time Progent has come through and delivered as promised. This time was a stunning achievement."

Conclusion
A potential company-ending disaster was averted by hard-working experts, a wide spectrum of subject matter expertise, and tight teamwork. Although upon completion of forensics the ransomware penetration detailed here should have been identified and blocked with advanced security systems and best practices, user and IT administrator training, and appropriate incident response procedures for data backup and keeping systems up to date with security patches, the reality is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a crypto-ransomware virus, feel confident that Progent's roster of experts has extensive experience in ransomware virus defense, cleanup, and file recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for letting me get rested after we made it over the initial fire. All of you did an amazing job, and if any of your guys is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Salinas a range of remote monitoring and security evaluation services designed to assist you to minimize the threat from ransomware. These services incorporate next-generation AI capability to uncover new strains of ransomware that are able to get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior analysis technology to defend physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which easily escape legacy signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to manage the complete malware attack progression including blocking, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device management, and web filtering through leading-edge tools packaged within a single agent accessible from a unified console. Progent's security and virtualization experts can assist your business to plan and configure a ProSight ESP environment that meets your organization's unique needs and that allows you demonstrate compliance with government and industry data protection standards. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent can also help your company to set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with leading backup software companies to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and allow non-disruptive backup and fast restoration of critical files/folders, apps, images, plus VMs. ProSight DPS lets you recover from data loss caused by hardware breakdown, natural disasters, fire, cyber attacks like ransomware, human error, ill-intentioned employees, or application bugs. Managed services in the ProSight Data Protection Services product family include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading data security vendors to deliver web-based management and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with a local security gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter acts as a first line of defense and keeps most threats from reaching your network firewall. This decreases your vulnerability to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper layer of inspection for inbound email. For outgoing email, the local gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays within your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, track, enhance and debug their networking hardware like routers, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are always current, captures and displays the configuration of virtually all devices on your network, tracks performance, and sends alerts when issues are detected. By automating tedious network management activities, WAN Watch can knock hours off ordinary chores such as making network diagrams, expanding your network, finding devices that need critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses advanced remote monitoring and management techniques to keep your IT system operating efficiently by tracking the state of critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT management staff and your Progent consultant so that any potential issues can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host configured and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Since the system is virtualized, it can be ported immediately to a different hosting environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and protect data related to your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as half of time spent trying to find vital information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether youíre making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates cutting edge behavior-based analysis technology to defend endpoints as well as servers and VMs against new malware attacks such as ransomware and file-less exploits, which easily evade legacy signature-based anti-virus tools. Progent Active Security Monitoring services protect on-premises and cloud resources and provides a single platform to automate the entire malware attack progression including filtering, detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and automatic system-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
    Progent's Help Desk managed services permit your information technology team to offload Call Center services to Progent or split activity for Service Desk support transparently between your in-house network support resources and Progent's extensive pool of certified IT service technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a smooth extension of your in-house network support group. End user access to the Help Desk, delivery of support services, escalation, trouble ticket creation and tracking, efficiency metrics, and maintenance of the support database are consistent regardless of whether issues are taken care of by your internal support staff, by Progent's team, or both. Find out more about Progent's outsourced/shared Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management provide businesses of all sizes a versatile and affordable alternative for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your dynamic IT network. Besides maximizing the security and functionality of your IT network, Progent's patch management services permit your in-house IT staff to focus on line-of-business initiatives and tasks that deliver maximum business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication managed services utilize Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo supports single-tap identity confirmation with iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a protected online account and enter your password you are asked to confirm who you are on a unit that only you have and that is accessed using a separate network channel. A broad selection of out-of-band devices can be utilized as this added form of ID validation such as an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may designate several verification devices. To find out more about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services.
For 24x7x365 Salinas CryptoLocker Repair Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.