Ransomware : Your Feared Information Technology Nightmare
Crypto-Ransomware  Remediation ExpertsRansomware has become an escalating cyberplague that poses an enterprise-level danger for organizations poorly prepared for an attack. Different iterations of ransomware such as CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for years and still cause harm. More recent variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as daily unnamed newcomers, not only do encryption of on-line information but also infect many available system backup. Data replicated to cloud environments can also be rendered useless. In a vulnerable data protection solution, this can render automated recovery impossible and effectively sets the datacenter back to square one.

Getting back on-line applications and information after a crypto-ransomware attack becomes a sprint against the clock as the targeted business tries its best to contain and eradicate the ransomware and to resume business-critical activity. Because ransomware takes time to spread, attacks are often sprung on weekends and holidays, when successful penetrations may take more time to notice. This multiplies the difficulty of rapidly assembling and orchestrating a qualified response team.

Progent has a range of services for securing businesses from crypto-ransomware attacks. Among these are user training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation security solutions with machine learning technology to rapidly identify and disable day-zero threats. Progent in addition offers the services of expert ransomware recovery engineers with the skills and commitment to reconstruct a compromised environment as quickly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware event, sending the ransom in Bitcoin cryptocurrency does not guarantee that merciless criminals will provide the codes to unencrypt all your information. Kaspersky determined that seventeen percent of crypto-ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The risk is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET estimates to be in the range of $13,000. The other path is to setup from scratch the mission-critical components of your IT environment. Absent the availability of full system backups, this requires a broad range of IT skills, professional team management, and the ability to work non-stop until the task is finished.

For decades, Progent has provided expert Information Technology services for businesses in Vacaville and throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded top industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of expertise affords Progent the ability to knowledgably identify necessary systems and organize the remaining pieces of your computer network system following a crypto-ransomware penetration and rebuild them into an operational system.

Progent's recovery team utilizes top notch project management tools to orchestrate the sophisticated recovery process. Progent knows the importance of working swiftly and in unison with a customerís management and IT staff to prioritize tasks and to put essential applications back on line as soon as possible.

Customer Story: A Successful Crypto-Ransomware Virus Response
A small business escalated to Progent after their network was taken over by the Ryuk ransomware. Ryuk is generally considered to have been deployed by Northern Korean state hackers, suspected of adopting techniques exposed from Americaís National Security Agency. Ryuk goes after specific organizations with little or no tolerance for operational disruption and is one of the most lucrative iterations of ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with about 500 staff members. The Ryuk event had brought down all company operations and manufacturing capabilities. The majority of the client's information backups had been online at the time of the intrusion and were eventually encrypted. The client was actively seeking loans for paying the ransom (more than $200K) and praying for the best, but ultimately utilized Progent.


"I canít thank you enough in regards to the expertise Progent gave us throughout the most fearful period of (our) companyís survival. We most likely would have paid the Hackers except for the confidence the Progent group gave us. That you were able to get our e-mail and important applications back on-line quicker than five days was something I thought impossible. Every single expert I worked with or communicated with at Progent was amazingly focused on getting us restored and was working 24 by 7 on our behalf."

Progent worked with the client to rapidly understand and assign priority to the key elements that had to be recovered in order to resume company operations:

  • Windows Active Directory
  • Exchange Server
  • MRP System
To get going, Progent adhered to Anti-virus penetration mitigation best practices by halting lateral movement and cleaning up infected systems. Progent then started the task of restoring Microsoft Active Directory, the foundation of enterprise systems built upon Microsoft Windows Server technology. Exchange email will not operate without Windows AD, and the client's financials and MRP software leveraged Microsoft SQL, which needs Active Directory services for authentication to the information.

In less than 48 hours, Progent was able to recover Active Directory to its pre-penetration state. Progent then completed reinstallations and hard drive recovery on key systems. All Exchange Server data and configuration information were usable, which greatly helped the restore of Exchange. Progent was able to collect non-encrypted OST data files (Outlook Off-Line Folder Files) on various workstations and laptops in order to recover email messages. A recent offline backup of the businesses accounting/MRP systems made it possible to return these vital services back servicing users. Although a large amount of work was left to recover fully from the Ryuk virus, essential systems were returned to operations quickly:


"For the most part, the assembly line operation survived unscathed and we made all customer orders."

During the following couple of weeks critical milestones in the recovery project were made in tight cooperation between Progent engineers and the customer:

  • Self-hosted web sites were brought back up with no loss of information.
  • The MailStore Server with over 4 million archived messages was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control functions were fully operational.
  • A new Palo Alto 850 security appliance was brought online.
  • 90% of the user desktops were operational.

"Much of what occurred in the early hours is mostly a fog for me, but we will not soon forget the countless hours each and every one of the team accomplished to help get our business back. I have trusted Progent for the past ten years, maybe more, and each time Progent has outperformed my expectations and delivered. This situation was a Herculean accomplishment."

Conclusion
A probable business-ending catastrophe was evaded through the efforts of dedicated professionals, a broad range of IT skills, and close collaboration. Although in post mortem the crypto-ransomware penetration detailed here should have been identified and stopped with modern security solutions and ISO/IEC 27001 best practices, team education, and well designed incident response procedures for data backup and applying software patches, the reality remains that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware incident, feel confident that Progent's team of professionals has a proven track record in crypto-ransomware virus blocking, remediation, and data disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for letting me get some sleep after we made it past the initial push. Everyone did an amazing effort, and if anyone that helped is in the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Vacaville a variety of remote monitoring and security evaluation services to help you to minimize the threat from ransomware. These services incorporate next-generation AI capability to detect new variants of ransomware that are able to get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes cutting edge behavior machine learning tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which easily escape traditional signature-based anti-virus tools. ProSight ASM safeguards local and cloud-based resources and offers a unified platform to manage the complete malware attack lifecycle including protection, detection, containment, cleanup, and forensics. Top features include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge technologies packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business to plan and configure a ProSight ESP environment that meets your company's unique requirements and that helps you demonstrate compliance with government and industry data protection standards. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also assist you to install and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations a low cost end-to-end service for reliable backup/disaster recovery (BDR). For a low monthly price, ProSight DPS automates and monitors your backup activities and allows rapid restoration of vital files, apps and VMs that have become lost or damaged due to component breakdowns, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Critical data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's BDR specialists can provide advanced support to configure ProSight DPS to be compliant with government and industry regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can help you to recover your critical data. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security vendors to provide centralized control and comprehensive security for all your inbound and outbound email. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to provide advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your vulnerability to external threats and saves system bandwidth and storage space. Email Guard's on-premises gateway device provides a further layer of analysis for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Exchange Server to monitor and protect internal email that stays inside your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map, monitor, reconfigure and troubleshoot their connectivity appliances like routers and switches, firewalls, and access points as well as servers, endpoints and other devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that infrastructure topology maps are always current, captures and manages the configuration of virtually all devices on your network, monitors performance, and generates alerts when problems are discovered. By automating complex network management activities, WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, finding devices that require critical software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by checking the state of vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT management personnel and your Progent engineering consultant so all potential problems can be resolved before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be ported easily to a different hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect information about your network infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to half of time wasted searching for critical information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents required for managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether youíre making improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Learn more about ProSight IT Asset Management service.
For 24-7 Vacaville Crypto-Ransomware Cleanup Support Services, call Progent at 800-462-8800 or go to Contact Progent.