Ransomware : Your Crippling Information Technology Disaster
Crypto-ransomware has become an escalating cyberplague that presents an extinction-level danger for businesses of all sizes that are poorly prepared for an attack. Earlier iterations of ransomware such as the Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and continue to inflict damage. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with additional unnamed variants, not only encrypt online data but also infect any reachable system backup. Data replicated to cloud environments can be encrypted as well. With a vulnerable data protection solution, this makes automated restore operations hopeless and essentially sets the entire system back to zero.
Bringing applications and data back online after a crypto-ransomware intrusion becomes a race against time as the targeted business struggles to contain the spread, remove the ransomware and resume business-critical activity. Because ransomware needs time to replicate, attacks are often launched at night, when intrusions tend to take longer to notice. This compounds the difficulty of rapidly assembling and coordinating a knowledgeable mitigation team.
Progent offers a variety of support services for securing organizations against crypto-ransomware intrusions. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security gateways with artificial intelligence capabilities to rapidly discover and extinguish zero-day cyber threats. Progent also provides experienced ransomware recovery consultants with the skills and perseverance to redeploy a breached system as quickly as possible.
Progent's Ransomware Restoration Support Services
Following a ransomware event, even paying the ransom in Bitcoin does not ensure that the remote criminals will respond with the keys to decrypt all your files. Kaspersky determined that 17% of crypto-ransomware victims never recovered their data even after sending the ransom, resulting in additional losses. The exposure is also very costly. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to rebuild the essential parts of your IT environment. Without complete data backups, this requires a wide range of skill sets, well-coordinated team management, and the capability to work non-stop until the task is complete.
For two decades, Progent has provided professional IT services for companies in San Bernardino and throughout the U.S. and has achieved Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned advanced industry certifications in leading technologies from Microsoft, Cisco and VMware and in popular distributions of Linux. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC (visit Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of experience gives Progent the skills to quickly identify the necessary systems, consolidate the remaining pieces of your network environment following a ransomware intrusion, and configure them into a functioning network.
Progent's security team uses state-of-the-art project management tools to orchestrate the complicated restoration process. Progent understands the urgency of acting rapidly and in concert with a customer's management and IT staff to prioritize tasks and to put essential services back online as fast as humanly possible.
Case Study: A Successful Ransomware Intrusion Response
A client escalated to Progent after their company was crippled by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state hackers, possibly using technology leaked from the United States NSA. Ryuk goes after specific organizations with little tolerance for disruption and is one of the most lucrative ransomware variants. Major targets have included Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company located in Chicago with about 500 staff members. The Ryuk event had disabled all business operations and manufacturing capabilities. The majority of the client's backups had been online at the time of the intrusion and were damaged. The client considered paying the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but in the end brought in Progent.
"I cannot thank you enough for the help Progent gave us during the most critical time of (our) business's life. We would have had little choice but to pay the criminal gangs if it wasn't for the confidence the Progent group gave us. That you could get our messaging and production applications back online in less than seven days was amazing. Each staff member I worked with or e-mailed at Progent was hell bent on getting us working again and was working at breakneck pace on our behalf."
Progent worked together with the client to rapidly understand and prioritize the most important elements that had to be addressed to make it possible to restart business operations:
- Active Directory
- Electronic Mail
To start, Progent followed industry best practices for incident response by containing the spread and cleaning up compromised systems. Progent then began restoring Microsoft Active Directory, the heart of enterprise networks built on Microsoft Windows technology. Microsoft Exchange email will not operate without Windows AD, and the business's financial and MRP applications relied on Microsoft SQL Server, which needs Active Directory services to authenticate access to the data.
In less than two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then helped perform setup and hard drive recovery of essential servers. All Exchange Server data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to locate intact OST files (Outlook Offline Folder Files) on user PCs and use them to recover email data. A recent offline backup of the client's financial/ERP systems allowed these essential applications to be made available to users again. Although a large amount of work remained to recover completely from the Ryuk attack, essential systems were restored quickly:
"For the most part, the production operation was never shut down and we made all customer shipments."
Throughout the following month, important milestones in the recovery process were achieved in close cooperation between Progent consultants and the client:
- Internal web applications were brought back up without losing any data.
- The MailStore archive for Microsoft Exchange Server, holding more than 4 million archived messages, was brought online and made available to users.
- CRM, customer orders, invoicing, accounts payable (AP), accounts receivable and inventory control capabilities were completely recovered.
- A new Palo Alto Networks 850 security appliance was deployed.
- Nearly all desktops and laptops were back in use by staff.
"A lot of what transpired in the initial days is mostly a blur for me, but our team will not soon forget the commitment each of your team put in to help get our company back. I have been working together with Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This time was no exception, but maybe more Herculean."
A likely business-extinction disaster was avoided by results-oriented professionals, a broad array of IT skills, and close teamwork. In hindsight, the ransomware attack described here would have been identified and stopped by current security technology and security best practices: user education and well-thought-out procedures for data backup and software patching. The fact remains, however, that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and will keep attacking. If you do fall victim to ransomware, be assured that Progent's roster of experts has extensive experience in crypto-ransomware defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for letting me get some sleep after we made it through the initial fire. Everyone made a fabulous effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"
To read or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in San Bernardino with a variety of online monitoring and security evaluation services to help reduce the threat from crypto-ransomware. These services incorporate modern machine learning capabilities to detect zero-day strains of ransomware that can evade traditional signature-based security products.
For 24/7/365 San Bernardino Ransomware Recovery Consulting, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that uses next-generation behavior-based analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus tools. ProSight ASM protects local and cloud resources and offers a unified platform to manage the complete threat progression, including protection, infiltration detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows VSS and real-time network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring of and response to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, device control, and web filtering via leading-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP deployment that addresses your organization's specific requirements and helps you demonstrate compliance with government and industry information security regulations. Progent will assist you in specifying and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate attention. Progent can also help your company install and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses an affordable end-to-end service for reliable backup and disaster recovery (BDR). Available at a low monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows rapid restoration of critical data, applications and VMs that have been lost or corrupted as a result of hardware failures, software bugs, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's BDR consultants can provide world-class support to configure ProSight Data Protection Services to comply with regulatory requirements such as HIPAA, FERPA, and PCI and, whenever necessary, can help you restore your critical data. Find out more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security vendors to deliver centralized management and world-class protection for your email traffic. The layered architecture of the Email Guard managed service integrates cloud-based filtering with a local gateway appliance to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. Email Guard's cloud filter acts as a first line of defense and blocks most unwanted email before it reaches your security perimeter. This decreases your exposure to external threats and saves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper level of analysis for inbound email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server monitor and protect internal email traffic that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map, track, optimize and troubleshoot their connectivity appliances such as routers, switches, firewalls, and wireless controllers, as well as servers, printers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch ensures that network diagrams are always up to date, captures and displays the configuration of almost all devices on your network, tracks performance, and generates alerts when potential issues are detected. By automating complex management and troubleshooting activities, WAN Watch can knock hours off routine tasks such as network mapping, reconfiguring your network, locating appliances that require critical software patches, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by checking the health of the critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT staff and your Progent consultant so that looming problems can be addressed before they impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hosting environment without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and safeguard information about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or domains. By keeping your network documentation current and organized, you can eliminate as much as half of the time spent trying to find critical information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and correlating IT information. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Read more about the ProSight IT Asset Management service.