Ransomware : Your Feared IT Catastrophe
Crypto-Ransomware Recovery Professionals
Ransomware has become a modern cyberplague that represents an enterprise-level danger for businesses of all sizes vulnerable to an assault. Different versions of crypto-ransomware like the CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for years and continue to inflict damage. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus frequent unnamed malware, not only encrypt online critical data but also compromise any system protections they can reach, including backups. Files synchronized to cloud environments can also be corrupted. In a vulnerable environment, this can make automatic restore operations hopeless and effectively sets the network back to square one.

Restoring programs and information after a ransomware attack becomes a race against time as the targeted business struggles to stop lateral movement and eradicate the crypto-ransomware and to restore business-critical activity. Because crypto-ransomware takes time to replicate, attacks are frequently sprung during nights and weekends, when successful attacks may take longer to recognize. This compounds the difficulty of promptly assembling and orchestrating a qualified response team.

Progent makes available a range of support services for securing organizations from ransomware attacks. Among these are user education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security solutions with machine learning technology to automatically detect and extinguish new cyber attacks. Progent in addition can provide the assistance of expert crypto-ransomware recovery engineers with the skills and commitment to re-deploy a compromised network as rapidly as possible.

Progent's Crypto-Ransomware Recovery Services
Following a crypto-ransomware attack, even paying the ransom demanded in Bitcoin cryptocurrency provides no assurance that the distant criminals will respond with the keys needed to decrypt any or all of your information. Kaspersky ascertained that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to set up the critical parts of your IT environment from scratch. Without usable backups of essential data, this calls for a wide range of IT skills, professional team management, and the capability to work continuously until the recovery project is completed.

For two decades, Progent has provided expert Information Technology services for companies in San Bernardino and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have been awarded high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have garnered internationally renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience with financial systems and ERP software solutions. This breadth of experience gives Progent the ability to rapidly identify the important systems, integrate the surviving components of your network environment following a ransomware attack, and configure them into a functioning system.

Progent's recovery team utilizes state-of-the-art project management applications to coordinate the complicated recovery process. Progent knows the urgency of acting quickly and in concert with a client's management and IT staff to assign priority to tasks and to get the most important services back online as soon as possible.

Business Case Study: A Successful Ransomware Virus Restoration
A customer sought out Progent after their network was crashed by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored hackers, suspected of using techniques exposed from America's NSA. Ryuk targets specific businesses with little or no ability to sustain operational disruption and is one of the most lucrative versions of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago with about 500 employees. The Ryuk intrusion had frozen all business operations and manufacturing processes. Most of the client's system backups had been online at the time of the intrusion and were encrypted. The client was pursuing financing to pay the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately made the decision to use Progent.


"I cannot speak enough about the expertise Progent provided us throughout the most critical time of (our) company's survival. We had little choice but to pay the criminal gangs if not for the confidence the Progent team gave us. That you could get our e-mail system and essential servers back faster than one week was something I thought impossible. Each expert I worked with or messaged at Progent was hell-bent on getting my company operational and was working at breakneck pace to bail us out."

Progent worked hand in hand with the customer to quickly assess and prioritize the critical applications that had to be recovered in order to continue departmental operations:

  • Windows Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software
To get going, Progent followed anti-malware incident mitigation best practices by halting lateral movement and removing active malware. Progent then started the task of restoring Windows Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Exchange messaging will not work without AD, and the client's accounting and MRP system used Microsoft SQL Server, which depends on Windows AD for authenticated access to the data.

Within 48 hours, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then completed reinstallations and storage recovery of the most important systems. All Microsoft Exchange Server data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was also able to collect local OST data files (Outlook Offline Folder Files) from user desktop computers and laptops to recover email messages. A recent offline backup of the customer's manufacturing software made it possible to bring these essential programs back online. Although a lot of work remained to recover completely from the Ryuk attack, the most important systems were returned to operation quickly:


"For the most part, the production line operation ran fairly normal throughout and we made all customer sales."

Over the next couple of weeks key milestones in the recovery process were completed through tight collaboration between Progent consultants and the client:

  • Self-hosted web sites were brought back up without losing any data.
  • The MailStore Server, holding more than 4 million historical emails, was spun up and available for users.
  • CRM/Orders/Invoicing/Accounts Payable/AR/Inventory functions were fully restored.
  • A new Palo Alto 850 firewall was installed.
  • Nearly all of the desktops and laptops were being used by staff.

"So much of what went on that first week is nearly entirely a haze for me, but my team will not soon forget the countless hours all of your team put in to help get our company back. I have entrusted Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered. This time was the most impressive ever."

Conclusion
A potential business disaster was averted with top-tier professionals, a broad spectrum of knowledge, and tight collaboration. Although forensics completed afterward showed that the ransomware incident described here could have been identified and stopped with modern security systems and NIST Cybersecurity Framework best practices, user education, and well-thought-out security procedures for data protection and keeping systems up to date with security patches, the reality remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to ransomware, feel confident that Progent's roster of experts has proven experience in ransomware defense, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for letting me get rested after we made it past the initial fire. All of you did an incredible effort, and if anyone is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in San Bernardino a range of online monitoring and security evaluation services to help you reduce the threat from ransomware. These services incorporate modern AI technology to detect zero-day variants of crypto-ransomware that can escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior analysis tools to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely escape traditional signature-based anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a unified platform to address the complete threat lifecycle including filtering, infiltration detection, mitigation, remediation, and forensics. Key capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help your business design and configure a ProSight ESP environment that addresses your company's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry information security standards. Progent will help you define and configure the policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for immediate attention. Progent's consultants can also help you install and test a backup and restore system like ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized businesses a low-cost end-to-end service for secure backup and disaster recovery (BDR). For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup processes and allows rapid restoration of vital data, applications and VMs that have become unavailable or corrupted as a result of component failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's BDR specialists can provide world-class expertise to set up ProSight DPS to be compliant with regulatory standards such as HIPAA, FERPA, PCI and Safe Harbor and, when needed, can help you restore your critical data. Find out more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security companies to deliver web-based management and comprehensive security for all your inbound and outbound email. The powerful architecture of Email Guard managed service integrates cloud-based filtering with a local security gateway appliance to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite security gateway device provides a deeper layer of analysis for incoming email. For outbound email, the onsite security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map, track, enhance and troubleshoot their networking appliances like switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and generates notices when issues are detected. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off common chores such as network mapping, expanding your network, locating devices that need important software patches, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network operating at peak levels by tracking the health of critical assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your specified IT staff and your Progent consultant so that any looming issues can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be ported easily to an alternate hosting environment without requiring a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and safeguard data related to your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your network documentation, you can eliminate up to half of the time wasted searching for vital information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're planning enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
For San Bernardino 24x7x365 Ransomware Cleanup Consultants, call Progent at 800-462-8800 or go to Contact Progent.