Ransomware : Your Worst IT Disaster
Ransomware  Remediation ConsultantsRansomware has become an escalating cyber pandemic that presents an enterprise-level threat for organizations poorly prepared for an attack. Different iterations of ransomware like the Dharma, Fusob, Locky, Syskey and MongoLock cryptoworms have been replicating for years and continue to inflict havoc. The latest versions of ransomware like Ryuk and Hermes, plus additional as yet unnamed newcomers, not only do encryption of online files but also infect any configured system restores and backups. Information synched to off-site disaster recovery sites can also be encrypted. In a poorly designed system, this can make automatic restoration hopeless and basically knocks the entire system back to zero.

Recovering services and information after a crypto-ransomware outage becomes a sprint against the clock as the targeted organization struggles to stop the spread and eradicate the virus and to restore business-critical operations. Since ransomware requires time to spread, attacks are usually sprung on weekends, when penetrations typically take longer to detect. This compounds the difficulty of quickly mobilizing and organizing a capable response team.

Progent provides a range of support services for securing enterprises from ransomware penetrations. These include staff training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security appliances with AI technology to quickly discover and disable day-zero cyber threats. Progent in addition offers the assistance of expert ransomware recovery consultants with the track record and commitment to reconstruct a breached network as soon as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware penetration, even paying the ransom demands in Bitcoin cryptocurrency does not guarantee that cyber hackers will respond with the keys to decrypt any or all of your information. Kaspersky Labs ascertained that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in more losses. The risk is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the usual ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to re-install the key elements of your Information Technology environment. Without access to essential information backups, this calls for a broad range of skill sets, top notch project management, and the ability to work 24x7 until the job is done.

For decades, Progent has offered expert Information Technology services for businesses in Mission Viejo and throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have been awarded high-level certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of expertise affords Progent the skills to knowledgably understand critical systems and consolidate the surviving pieces of your Information Technology environment after a ransomware penetration and rebuild them into a functioning system.

Progent's ransomware team of experts has best of breed project management tools to orchestrate the complicated recovery process. Progent understands the importance of acting quickly and in unison with a client's management and Information Technology resources to assign priority to tasks and to get key systems back on line as fast as possible.

Customer Story: A Successful Crypto-Ransomware Virus Response
A business contacted Progent after their network system was attacked by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state sponsored criminal gangs, suspected of using algorithms leaked from Americaís National Security Agency. Ryuk goes after specific organizations with limited room for disruption and is among the most lucrative versions of ransomware. Major targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer located in the Chicago metro area and has around 500 staff members. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. Most of the client's data protection had been directly accessible at the beginning of the attack and were eventually encrypted. The client was actively seeking loans for paying the ransom (exceeding $200K) and praying for the best, but ultimately made the decision to use Progent.


"I canít say enough in regards to the expertise Progent provided us throughout the most stressful time of (our) companyís life. We may have had to pay the cyber criminals behind the attack if it wasnít for the confidence the Progent team provided us. The fact that you were able to get our e-mail and production servers back online faster than a week was something I thought impossible. Every single expert I worked with or e-mailed at Progent was laser focused on getting our company operational and was working 24/7 on our behalf."

Progent worked hand in hand the client to quickly get our arms around and assign priority to the essential systems that needed to be addressed in order to restart business functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP
To get going, Progent adhered to Anti-virus incident mitigation industry best practices by halting lateral movement and clearing infected systems. Progent then began the work of rebuilding Microsoft AD, the core of enterprise systems built on Microsoft technology. Exchange messaging will not function without Active Directory, and the businessesí accounting and MRP applications leveraged SQL Server, which depends on Active Directory services for access to the information.

Within two days, Progent was able to re-build Windows Active Directory to its pre-attack state. Progent then performed rebuilding and hard drive recovery of key systems. All Exchange Server ties and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to locate intact OST data files (Microsoft Outlook Offline Folder Files) on staff desktop computers and laptops to recover email data. A recent off-line backup of the customerís financials/ERP software made them able to recover these required services back servicing users. Although significant work remained to recover fully from the Ryuk attack, essential services were returned to operations rapidly:


"For the most part, the production line operation ran fairly normal throughout and we produced all customer shipments."

During the following few weeks important milestones in the recovery process were completed through close cooperation between Progent engineers and the client:

  • Self-hosted web applications were restored with no loss of information.
  • The MailStore Exchange Server exceeding 4 million archived messages was spun up and available for users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory Control capabilities were fully recovered.
  • A new Palo Alto 850 security appliance was installed and configured.
  • 90% of the desktops and laptops were fully operational.

"So much of what was accomplished in the initial days is nearly entirely a haze for me, but my team will not forget the countless hours each of you accomplished to give us our company back. I have trusted Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered. This time was a life saver."

Conclusion
A potential business-killing catastrophe was dodged by top-tier experts, a wide range of knowledge, and tight teamwork. Although in retrospect the crypto-ransomware virus attack described here should have been identified and stopped with current cyber security solutions and ISO/IEC 27001 best practices, user and IT administrator education, and appropriate incident response procedures for backup and applying software patches, the reality is that government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware penetration, feel confident that Progent's roster of professionals has substantial experience in ransomware virus blocking, remediation, and information systems recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for allowing me to get rested after we made it past the most critical parts. All of you did an amazing effort, and if any of your team is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Mission Viejo a portfolio of remote monitoring and security evaluation services to assist you to minimize the threat from ransomware. These services include next-generation machine learning capability to uncover zero-day strains of crypto-ransomware that are able to escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior-based analysis technology to defend physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which easily get by legacy signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and offers a single platform to manage the entire threat progression including blocking, detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering through cutting-edge tools packaged within one agent accessible from a unified control. Progent's security and virtualization consultants can help you to design and configure a ProSight ESP environment that addresses your organization's unique needs and that allows you prove compliance with legal and industry information security regulations. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent can also assist your company to set up and verify a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized organizations a low cost end-to-end service for reliable backup/disaster recovery. Available at a fixed monthly cost, ProSight DPS automates and monitors your backup activities and enables fast recovery of critical files, applications and virtual machines that have become unavailable or damaged due to hardware failures, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware images/. Important data can be backed up on the cloud, to an on-promises device, or mirrored to both. Progent's cloud backup specialists can deliver world-class expertise to configure ProSight DPS to be compliant with regulatory standards such as HIPAA, FIRPA, and PCI and, whenever necessary, can help you to recover your business-critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security companies to deliver web-based management and world-class protection for your email traffic. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-based threats. The cloud filter acts as a preliminary barricade and keeps the vast majority of unwanted email from making it to your network firewall. This reduces your vulnerability to external threats and saves system bandwidth and storage space. Email Guard's on-premises gateway appliance provides a deeper level of inspection for incoming email. For outbound email, the onsite gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that originates and ends within your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map out, monitor, enhance and troubleshoot their connectivity appliances like routers and switches, firewalls, and access points plus servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and manages the configuration of virtually all devices on your network, tracks performance, and sends alerts when potential issues are discovered. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, finding appliances that require important software patches, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your IT system operating efficiently by tracking the state of vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT personnel and your Progent consultant so that all looming issues can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved easily to a different hosting solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard information related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSLs ,domains or warranties. By updating and organizing your IT documentation, you can save up to 50% of time spent looking for critical information about your IT network. ProSight IT Asset Management includes a common repository for storing and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether youíre planning improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Learn more about ProSight IT Asset Management service.
For Mission Viejo 24-Hour CryptoLocker Cleanup Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.