Ransomware : Your Crippling IT Nightmare
Ransomware  Remediation ExpertsRansomware has become an escalating cyberplague that presents an enterprise-level threat for businesses vulnerable to an attack. Multiple generations of crypto-ransomware like the CrySIS, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been running rampant for years and still inflict harm. The latest versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as daily unnamed newcomers, not only do encryption of online data but also infiltrate all available system backups. Data synched to the cloud can also be rendered useless. In a poorly designed environment, this can render automatic restore operations useless and basically sets the entire system back to square one.

Getting back online applications and information following a crypto-ransomware attack becomes a sprint against time as the targeted organization struggles to contain the damage and eradicate the ransomware and to resume mission-critical activity. Since ransomware takes time to spread, assaults are frequently launched during nights and weekends, when penetrations may take longer to uncover. This multiplies the difficulty of rapidly assembling and coordinating a capable mitigation team.

Progent provides a range of solutions for protecting enterprises from ransomware penetrations. These include staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security solutions with machine learning technology to intelligently identify and quarantine new threats. Progent in addition offers the services of experienced crypto-ransomware recovery engineers with the skills and perseverance to re-deploy a breached network as soon as possible.

Progent's Ransomware Restoration Support Services
Soon after a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not guarantee that merciless criminals will provide the keys to decipher any or all of your files. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET estimates to be approximately $13,000. The fallback is to setup from scratch the vital components of your Information Technology environment. Absent access to essential information backups, this calls for a wide range of skills, professional project management, and the willingness to work continuously until the task is done.

For twenty years, Progent has provided expert IT services for companies in Vacaville and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned advanced certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise in accounting and ERP application software. This breadth of experience affords Progent the capability to knowledgably identify important systems and integrate the remaining parts of your IT system following a ransomware attack and configure them into an operational system.

Progent's ransomware team of experts has best of breed project management tools to orchestrate the complicated recovery process. Progent understands the importance of acting rapidly and in concert with a customerís management and IT staff to assign priority to tasks and to put key applications back online as soon as humanly possible.

Customer Case Study: A Successful Ransomware Virus Restoration
A client engaged Progent after their company was crashed by the Ryuk ransomware. Ryuk is believed to have been deployed by Northern Korean state hackers, suspected of using technology leaked from the United States National Security Agency. Ryuk goes after specific companies with little room for disruption and is among the most profitable iterations of ransomware. Well Known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with about 500 staff members. The Ryuk event had frozen all company operations and manufacturing capabilities. The majority of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client was actively seeking loans for paying the ransom (more than $200K) and hoping for good luck, but ultimately engaged Progent.


"I canít tell you enough in regards to the help Progent provided us throughout the most critical time of (our) businesses survival. We would have paid the Hackers if not for the confidence the Progent team provided us. The fact that you could get our e-mail system and important servers back into operation sooner than five days was something I thought impossible. Every single expert I interacted with or messaged at Progent was absolutely committed on getting us back online and was working 24/7 to bail us out."

Progent worked hand in hand the client to rapidly determine and prioritize the essential applications that needed to be recovered to make it possible to restart departmental functions:

  • Active Directory
  • Microsoft Exchange
  • MRP System
To get going, Progent followed AV/Malware Processes penetration mitigation best practices by isolating and clearing infected systems. Progent then began the process of bringing back online Microsoft Active Directory, the heart of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server email will not work without Active Directory, and the client's accounting and MRP system used SQL Server, which needs Active Directory services for access to the databases.

In less than two days, Progent was able to re-build Windows Active Directory to its pre-attack state. Progent then assisted with setup and hard drive recovery on needed applications. All Exchange Server ties and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to collect non-encrypted OST files (Outlook Email Offline Folder Files) on team desktop computers and laptops to recover email messages. A not too old off-line backup of the businesses financials/MRP software made it possible to recover these essential programs back online. Although a large amount of work remained to recover completely from the Ryuk attack, the most important systems were restored rapidly:


"For the most part, the assembly line operation was never shut down and we did not miss any customer sales."

Throughout the next couple of weeks important milestones in the recovery project were accomplished in close collaboration between Progent team members and the client:

  • Self-hosted web applications were brought back up with no loss of data.
  • The MailStore Server containing more than 4 million historical emails was spun up and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were 100% restored.
  • A new Palo Alto 850 firewall was installed and configured.
  • Most of the user desktops and notebooks were fully operational.

"A lot of what was accomplished in the initial days is nearly entirely a blur for me, but my management will not soon forget the commitment all of your team accomplished to give us our business back. Iíve trusted Progent for the past ten years, possibly more, and every time Progent has come through and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A probable business catastrophe was dodged due to results-oriented professionals, a broad array of knowledge, and close teamwork. Although in retrospect the ransomware virus attack described here should have been disabled with advanced security systems and best practices, staff training, and well thought out incident response procedures for data protection and applying software patches, the reality remains that state-sponsored hackers from Russia, China and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware virus, feel confident that Progent's team of professionals has proven experience in ransomware virus blocking, cleanup, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get some sleep after we made it over the most critical parts. All of you did an fabulous effort, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer story, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Vacaville a portfolio of remote monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services utilize next-generation machine learning technology to detect zero-day variants of ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates cutting edge behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects local and cloud resources and offers a unified platform to manage the complete malware attack lifecycle including blocking, identification, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer economical multi-layer protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to security assaults from all vectors. ProSight ESP offers firewall protection, penetration alarms, device control, and web filtering through leading-edge tools incorporated within a single agent managed from a unified control. Progent's data protection and virtualization experts can assist your business to design and implement a ProSight ESP environment that meets your organization's unique requirements and that helps you achieve and demonstrate compliance with government and industry data security standards. Progent will assist you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require urgent attention. Progent's consultants can also assist you to set up and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations a low cost end-to-end service for secure backup/disaster recovery (BDR). Available at a fixed monthly price, ProSight DPS automates and monitors your backup processes and enables fast restoration of vital data, applications and VMs that have become lost or corrupted as a result of hardware breakdowns, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local device, or mirrored to both. Progent's BDR consultants can deliver advanced expertise to configure ProSight Data Protection Services to be compliant with regulatory requirements such as HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can assist you to recover your business-critical information. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security vendors to provide web-based management and world-class protection for your inbound and outbound email. The powerful architecture of Email Guard integrates cloud-based filtering with an on-premises gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and blocks most unwanted email from making it to your network firewall. This reduces your vulnerability to inbound attacks and saves system bandwidth and storage. Email Guard's onsite security gateway device adds a further level of analysis for incoming email. For outgoing email, the on-premises gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, monitor, enhance and troubleshoot their networking hardware like switches, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, copies and displays the configuration information of virtually all devices on your network, monitors performance, and generates notices when issues are detected. By automating time-consuming management processes, WAN Watch can knock hours off common chores like network mapping, expanding your network, locating devices that need critical updates, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating at peak levels by checking the state of critical assets that power your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT personnel and your Progent consultant so any potential issues can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual machine host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Because the system is virtualized, it can be moved easily to an alternate hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data about your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSLs ,domains or warranties. By cleaning up and organizing your IT documentation, you can save up to 50% of time spent searching for vital information about your network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether youíre planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
For Vacaville 24x7 Ransomware Cleanup Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.