Ransomware : Your Worst IT Nightmare
Ransomware  Recovery ExpertsCrypto-Ransomware has become a too-frequent cyber pandemic that poses an enterprise-level threat for businesses of all sizes unprepared for an attack. Versions of ransomware such as Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been around for a long time and continue to cause havoc. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, along with daily unnamed malware, not only encrypt online critical data but also infect any accessible system backup. Files synchronized to cloud environments can also be rendered useless. In a poorly architected data protection solution, this can make any restore operations useless and effectively sets the datacenter back to zero.

Restoring programs and information after a ransomware attack becomes a race against the clock as the targeted organization fights to contain the damage and remove the virus and to resume enterprise-critical operations. Because crypto-ransomware requires time to spread, attacks are often sprung during nights and weekends, when successful attacks typically take longer to notice. This compounds the difficulty of promptly assembling and organizing a knowledgeable mitigation team.

Progent offers a range of solutions for protecting organizations from ransomware events. Among these are staff training to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus installation of next-generation security solutions with machine learning capabilities to automatically identify and extinguish day-zero cyber attacks. Progent in addition offers the assistance of expert crypto-ransomware recovery consultants with the track record and perseverance to rebuild a compromised system as rapidly as possible.

Progent's Ransomware Restoration Services
Soon after a ransomware attack, sending the ransom in cryptocurrency does not provide any assurance that cyber hackers will provide the needed keys to decipher any or all of your information. Kaspersky ascertained that seventeen percent of ransomware victims never recovered their information after having sent off the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the average ransomware demands, which ZDNET estimates to be around $13,000. The fallback is to piece back together the vital components of your Information Technology environment. Absent access to full data backups, this requires a wide complement of skill sets, well-coordinated project management, and the ability to work continuously until the job is done.

For twenty years, Progent has offered professional IT services for companies in Mission Viejo and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned top industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial management and ERP application software. This breadth of expertise provides Progent the ability to quickly identify important systems and integrate the surviving parts of your IT system following a crypto-ransomware attack and rebuild them into an operational network.

Progent's security team utilizes state-of-the-art project management tools to orchestrate the sophisticated recovery process. Progent understands the urgency of acting rapidly and in unison with a client's management and Information Technology resources to prioritize tasks and to put essential services back online as soon as possible.

Client Case Study: A Successful Ransomware Attack Response
A client sought out Progent after their network was brought down by the Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state cybercriminals, suspected of using algorithms exposed from the United States National Security Agency. Ryuk attacks specific businesses with little or no ability to sustain operational disruption and is one of the most profitable instances of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company based in Chicago and has around 500 staff members. The Ryuk attack had shut down all company operations and manufacturing processes. The majority of the client's system backups had been on-line at the time of the intrusion and were damaged. The client was evaluating paying the ransom (in excess of $200,000) and praying for the best, but ultimately utilized Progent.


"I canít speak enough about the help Progent provided us throughout the most critical time of (our) companyís survival. We had little choice but to pay the cyber criminals except for the confidence the Progent team afforded us. That you were able to get our e-mail system and important servers back in less than 1 week was beyond my wildest dreams. Each person I talked with or communicated with at Progent was urgently focused on getting my company operational and was working 24/7 on our behalf."

Progent worked with the customer to rapidly understand and prioritize the most important services that needed to be addressed in order to resume business functions:

  • Active Directory (AD)
  • Exchange Server
  • Accounting and Manufacturing Software
To begin, Progent adhered to AV/Malware Processes penetration mitigation industry best practices by isolating and cleaning up infected systems. Progent then began the process of restoring Windows Active Directory, the foundation of enterprise environments built upon Microsoft technology. Exchange messaging will not function without AD, and the businessesí financials and MRP system leveraged Microsoft SQL Server, which depends on Windows AD for authentication to the database.

Within 2 days, Progent was able to re-build Windows Active Directory to its pre-attack state. Progent then charged ahead with setup and hard drive recovery of key servers. All Exchange Server ties and configuration information were usable, which greatly helped the restore of Exchange. Progent was able to assemble non-encrypted OST data files (Microsoft Outlook Offline Folder Files) on staff desktop computers and laptops to recover email messages. A recent offline backup of the customerís accounting/MRP systems made it possible to return these essential services back online. Although a lot of work remained to recover fully from the Ryuk virus, critical systems were restored quickly:


"For the most part, the production line operation showed little impact and we produced all customer sales."

Throughout the next few weeks important milestones in the recovery project were achieved in tight collaboration between Progent consultants and the customer:

  • Self-hosted web sites were returned to operation without losing any data.
  • The MailStore Server exceeding four million historical emails was brought online and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory modules were 100% functional.
  • A new Palo Alto 850 security appliance was brought online.
  • 90% of the user workstations were operational.

"Much of what went on those first few days is mostly a blur for me, but my team will not forget the urgency each of the team accomplished to help get our business back. Iíve utilized Progent for the past ten years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This situation was a life saver."

Conclusion
A likely business-ending disaster was avoided due to top-tier experts, a wide range of technical expertise, and tight teamwork. Although in hindsight the crypto-ransomware penetration described here could have been shut down with up-to-date cyber security systems and security best practices, team training, and well thought out security procedures for information protection and applying software patches, the reality remains that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and are not going away. If you do get hit by a crypto-ransomware virus, feel confident that Progent's team of professionals has a proven track record in crypto-ransomware virus defense, remediation, and file recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), Iím grateful for allowing me to get some sleep after we made it past the first week. All of you did an impressive effort, and if any of your guys is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Mission Viejo a variety of remote monitoring and security evaluation services to help you to minimize the threat from ransomware. These services utilize next-generation AI capability to uncover new variants of ransomware that can get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior machine learning technology to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which easily get by legacy signature-matching AV products. ProSight ASM safeguards on-premises and cloud-based resources and offers a unified platform to manage the entire malware attack progression including blocking, infiltration detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and automatic system-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides firewall protection, penetration alerts, device control, and web filtering through leading-edge technologies packaged within a single agent managed from a single control. Progent's data protection and virtualization experts can assist your business to design and implement a ProSight ESP environment that addresses your company's unique needs and that allows you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent's consultants can also help your company to set up and test a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable end-to-end service for reliable backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and allows rapid restoration of critical files, apps and virtual machines that have become unavailable or damaged due to hardware failures, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images/. Critical data can be protected on the cloud, to an on-promises device, or mirrored to both. Progent's cloud backup specialists can provide world-class support to configure ProSight DPS to be compliant with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, whenever necessary, can assist you to restore your critical data. Read more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security vendors to provide web-based control and world-class protection for your email traffic. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and blocks the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage space. Email Guard's on-premises gateway device provides a further level of analysis for inbound email. For outgoing email, the onsite gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also assist Exchange Server to track and protect internal email traffic that stays within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to diagram, monitor, enhance and debug their connectivity hardware such as routers, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are always updated, copies and manages the configuration information of almost all devices on your network, tracks performance, and generates notices when potential issues are discovered. By automating tedious management activities, ProSight WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, locating devices that need critical software patches, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by checking the health of critical assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT personnel and your Progent consultant so that all looming issues can be resolved before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported easily to a different hardware solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect information related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can save up to half of time wasted trying to find vital information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether youíre making improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Read more about Progent's ProSight IT Asset Management service.
For 24-Hour Mission Viejo Crypto-Ransomware Recovery Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.