Ransomware : Your Feared IT Nightmare
Crypto-Ransomware Recovery Consultants

Crypto-ransomware has become a modern cyber pandemic that represents an enterprise-level threat for businesses poorly prepared for an assault. Multiple generations of crypto-ransomware like the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been around for years and still cause harm. Modern strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with frequent unnamed variants, not only encrypt online files but also corrupt any accessible system restore points and backups. Data synchronized to the cloud can also be corrupted. In a poorly designed data protection solution, this can make automated restore operations useless and essentially knocks the network back to zero.

Recovering applications and data following a ransomware outage becomes a sprint against time as the targeted organization struggles to contain and eradicate the ransomware and to resume business-critical activity. Because ransomware takes time to spread across a network, attacks are usually launched at night, when intrusions may take longer to detect. This multiplies the difficulty of quickly assembling and organizing a capable response team.

Progent makes available an assortment of services for securing organizations from ransomware events. Among these are team member education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of the latest generation security solutions with AI technology to intelligently identify and suppress new cyber threats. Progent also can provide the services of experienced crypto-ransomware recovery professionals with the talent and commitment to re-deploy a breached network as rapidly as possible.

Progent's Crypto-Ransomware Recovery Help
After a ransomware penetration, sending the ransom in cryptocurrency does not ensure that the criminal gangs will provide the keys needed to decrypt any or all of your data. Kaspersky determined that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimates to be around $13,000. The other path is to set up the vital components of your IT environment from scratch. Without access to complete data backups, this calls for a broad complement of skill sets, professional project management, and the willingness to work 24x7 until the job is complete.

For decades, Progent has provided expert IT services for companies in San Bernardino and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have garnered internationally-recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with financial management and ERP applications. This breadth of experience affords Progent the ability to quickly identify necessary systems and consolidate the surviving parts of your network system following a crypto-ransomware attack and configure them into an operational network.

Progent's team of ransomware experts uses best-of-breed project management applications to orchestrate the complex restoration process. Progent appreciates the importance of working rapidly and in unison with a client's management and IT team members to prioritize tasks and to put the most important services back online as soon as possible.

Customer Case Study: A Successful Ransomware Penetration Response
A business contacted Progent after their network was taken over by Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state sponsored criminal gangs, suspected of adopting algorithms exposed from America's NSA. Ryuk seeks out specific businesses with little tolerance for operational disruption and is one of the most profitable incarnations of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer based in the Chicago metro area with about 500 workers. The Ryuk intrusion had brought down all company operations and manufacturing processes. The majority of the client's data backups had been online at the time of the intrusion and were damaged. The client was actively seeking loans to pay the ransom demand (more than $200K) and wishfully hoping for the best, but in the end called Progent.


"I cannot tell you enough about the support Progent provided us during the most fearful period of (our) business's life. We had little choice but to pay the cyber criminals if not for the confidence the Progent group gave us. That you could get our e-mail and critical servers back into operation sooner than five days was amazing. Every single expert I interacted with or messaged at Progent was hell-bent on getting our company operational and was working at all hours to bail us out."

Progent worked hand in hand with the customer to rapidly determine and prioritize the key elements that needed to be addressed in order to restart business functions:

  • Windows Active Directory
  • Exchange Server
  • MRP System

To start, Progent adhered to antivirus/malware incident response best practices by halting lateral movement and removing active malware. Progent then started the work of rebuilding Active Directory, the key technology of enterprise networks built upon Microsoft Windows. Exchange email will not operate without AD, and the client's accounting and MRP applications utilized Microsoft SQL Server, which relies on Active Directory for authentication before granting access to the data.

Within two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then helped rebuild essential applications and recover their storage. All Exchange ties and attributes were usable, which facilitated the restore of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Offline Data Files) on various desktop computers and laptops to recover email information. A reasonably recent offline backup of the customer's financials/MRP software made it possible to restore these essential services to users. Although a large amount of work remained to recover fully from the Ryuk infection, core systems were restored quickly:


"For the most part, the assembly line operation survived unscathed and we did not miss any customer sales."

Throughout the next month key milestones in the recovery project were achieved through tight cooperation between Progent consultants and the client:

  • In-house web applications were restored without losing any information.
  • The MailStore Server containing more than 4 million archived messages was brought online and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory functions were 100% operational.
  • A new Palo Alto 850 firewall was set up and programmed.
  • Most of the user PCs were operational.

"A lot of what transpired those first few days is nearly entirely a fog for me, but we will not forget the dedication each of your team accomplished to help get our company back. I have trusted Progent for the past ten years, possibly more, and each time Progent has come through and delivered as promised. This event was a life saver."

Conclusion
A potential business disaster was averted through the efforts of top-tier experts, a wide array of technical expertise, and close collaboration. Although in hindsight the ransomware incident described here should have been identified and stopped with advanced cyber security solutions and best practices, user and IT administrator training, and properly executed procedures for backup and software patching, the fact is that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, feel confident that Progent's roster of experts has substantial experience in crypto-ransomware blocking, remediation, and file restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for allowing me to get rested after we made it past the initial fire. All of you did an impressive effort, and if anyone is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in San Bernardino a variety of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services include next-generation AI technology to uncover new strains of crypto-ransomware that are able to evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates cutting-edge behavior-based machine learning technology to defend physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily get by traditional signature-matching AV tools. ProSight ASM safeguards local and cloud resources and provides a unified platform to address the complete threat lifecycle including protection, detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer economical in-depth security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device management, and web filtering through leading-edge technologies incorporated within a single agent managed from a single control. Progent's security and virtualization experts can assist you to plan and implement a ProSight ESP environment that addresses your organization's specific requirements and that helps you demonstrate compliance with government and industry information protection standards. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate action. Progent's consultants can also assist your company to install and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized businesses an affordable end-to-end service for reliable backup/disaster recovery (BDR). Available at a low monthly cost, ProSight DPS automates and monitors your backup processes and enables rapid recovery of critical files, apps and VMs that have become lost or corrupted due to component breakdowns, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises storage device, or mirrored to both. Progent's backup and recovery specialists can provide world-class support to configure ProSight Data Protection Services to comply with government and industry regulatory standards like HIPAA, FIRPA, and PCI and, whenever needed, can assist you to recover your critical data. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security vendors to deliver web-based control and world-class security for your email traffic. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway device to provide complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based malware. The cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your vulnerability to inbound attacks and saves system bandwidth and storage space. Email Guard's on-premises gateway device provides a further level of inspection for inbound email. For outgoing email, the onsite security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server to track and protect internal email that stays within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, monitor, reconfigure and debug their networking hardware such as switches, firewalls, and load balancers plus servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration information of virtually all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, finding appliances that require important updates, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by tracking the health of vital computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT management personnel and your Progent consultant so that any looming problems can be addressed before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system software, and the apps. Because the system is virtualized, it can be moved easily to a different hosting environment without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect data about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save up to half of the time wasted looking for critical information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require when you need it. Read more about Progent's ProSight IT Asset Management service.

For San Bernardino 24x7 Crypto-Ransomware Remediation Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.