Ransomware : Your Crippling IT Nightmare
Ransomware Remediation Professionals
Ransomware has become an all-too-frequent cyber pandemic that represents an enterprise-level threat for businesses of every size that are vulnerable to an attack. Older ransomware families such as the Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been spreading for many years and still inflict harm. More recent ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, plus daily unnamed malware, not only encrypts online data but also disables most of the system protections within reach. Data synchronized to cloud environments can also be corrupted. In a poorly designed environment, this can render automated recovery hopeless and effectively knocks the entire system back to square one.

Restoring programs and data after a ransomware outage becomes a race against the clock as the targeted business tries to stop lateral movement, eradicate the crypto-ransomware, and resume business-critical activity. Because crypto-ransomware takes time to move laterally, attacks are frequently launched on weekends and holidays, when intrusions typically take longer to discover. This compounds the difficulty of quickly assembling and orchestrating an experienced mitigation team.

Progent provides a variety of services for securing businesses against ransomware attacks. These include user training to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security gateways with artificial intelligence capabilities to rapidly identify and suppress new cyber threats. Progent can also provide the services of veteran ransomware recovery consultants with the skills and commitment to rebuild a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Restoration Services
After a crypto-ransomware attack, even paying the ransom in cryptocurrency provides no assurance that the criminal gang will return the keys to decipher all your information. Kaspersky Labs determined that 17% of ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The stakes are also high. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to piece back together the vital elements of your IT environment. Without full information backups, this calls for a broad complement of skill sets, top-notch team management, and the ability to work non-stop until the task is finished.

For decades, Progent has provided professional IT services for businesses in Vacaville and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of experience gives Progent the skills to knowledgeably identify critical systems, re-organize the remaining parts of your network environment following a crypto-ransomware attack, and rebuild them into a functioning network.

Progent's security team uses top-notch project management applications to coordinate the complex restoration process. Progent understands the urgency of working rapidly and together with a client's management and IT staff to prioritize tasks and put the most important services back on line as fast as humanly possible.

Client Case Study: A Successful Ransomware Incident Response
A small business engaged Progent after its network was attacked by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state hackers, suspected of using techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with little tolerance for disruption and is one of the most lucrative crypto-ransomware variants. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer based in the Chicago metro area with around 500 workers. The Ryuk attack had shut down all business operations and manufacturing capabilities. Most of the client's system backups had been directly accessible at the time of the intrusion and were destroyed. The client considered paying the ransom (exceeding $200K) and hoping for good luck, but in the end brought in Progent.

"I can't tell you enough about the expertise Progent gave us during the most critical time of (our) business's life. We may have had to pay the cybercriminals if it wasn't for the confidence the Progent group afforded us. That you could get our messaging and key applications back sooner than 1 week was earth shattering. Each person I got help from or e-mailed at Progent was hell bent on getting us operational and was working at all hours on our behalf."

Progent worked together with the client to quickly determine and prioritize the mission critical elements that had to be recovered in order to continue departmental functions:

  • Active Directory (AD)
  • Electronic Mail
  • Financials/MRP

To start, Progent followed ransomware incident mitigation best practices by halting lateral movement and cleaning up compromised systems. Progent then began rebuilding Active Directory, the foundational technology of enterprise networks built on Microsoft Windows Server. Microsoft Exchange messaging will not operate without Windows AD, and the business's MRP software used Microsoft SQL Server, which depends on Active Directory for access to the database.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then helped perform setup and hard drive recovery of the needed systems. All Microsoft Exchange Server connections and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Offline Data Files) on user desktop computers and laptops to recover email data. A recent off-line backup of the client's financials/ERP software made it possible to bring these vital services back to users. Although major work remained to recover completely from the Ryuk attack, core services were returned to operation rapidly:

"For the most part, the production operation did not miss a beat and we delivered all customer sales."

During the following month, important milestones in the restoration project were accomplished through close cooperation between Progent consultants and the customer:

  • Self-hosted web applications were returned to operation without losing any data.
  • The MailStore Exchange Server archive, holding more than four million historical messages, was brought back online and made available to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were completely restored.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Most of the desktops and laptops were fully operational.

"A huge amount of what was accomplished in the initial days is nearly entirely a fog for me, but I will not soon forget the countless hours each and every one of the team accomplished to help get our company back. I have been working together with Progent for at least 10 years, maybe more, and each time Progent has come through and delivered. This situation was the most impressive ever."

Conclusion
A probable enterprise-killing catastrophe was avoided thanks to top-tier professionals, a wide spectrum of knowledge, and close collaboration. In hindsight, the crypto-ransomware attack described here should have been identified and stopped with modern cyber security technology, ISO/IEC 27001 best practices, staff training, and well-designed security procedures for backup and for keeping systems current with security patches. The fact remains, however, that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and will continue. If you do get hit by a ransomware incursion, you can be confident that Progent's team of experts has proven experience in ransomware defense, remediation, and information systems recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for making it so I could get some sleep after we got past the initial push. Everyone did an incredible job, and if anyone is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Vacaville a range of remote monitoring and security assessment services designed to help you reduce the threat from crypto-ransomware. These services use next-generation AI technology to detect new variants of crypto-ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses next-generation behavior-based machine learning to guard physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which easily evade legacy signature-matching AV products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to automate the complete threat lifecycle, including protection, detection, mitigation, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer affordable multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and respond to security attacks from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge technologies packaged within one agent and managed from a unified console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP environment that meets your organization's unique requirements and allows you to prove compliance with government and industry information protection standards. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations a low-cost, fully managed solution for reliable backup and disaster recovery. Available at a low monthly rate, ProSight DPS automates and monitors your backup processes and enables fast restoration of critical data, apps and VMs that have become unavailable or corrupted as a result of hardware failures, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's BDR consultants can provide advanced support to configure ProSight DPS to comply with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, whenever necessary, can help you recover your critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver web-based control and comprehensive security for all your email traffic. The powerful architecture of Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and blocks the vast majority of unwanted email from making it to your network firewall. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of inspection for inbound email. For outgoing email, the local security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to track and protect internal email that stays within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, monitor, enhance and debug their connectivity appliances like switches, firewalls, and access points, plus servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are always current, captures and displays the configuration of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating complex management processes, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, expanding your network, locating devices that require important software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to keep your network running at peak levels by tracking the health of the vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so potential problems can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported easily to a different hardware solution without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard information about your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can eliminate up to 50% of the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

For 24x7 Vacaville Ransomware Recovery Consultants, contact Progent at 800-993-9400 or go to Contact Progent.