Crypto-Ransomware: Your Crippling Information Technology Nightmare
Ransomware Remediation Experts
Ransomware has become an all-too-frequent cyberplague that represents an existential danger for businesses unprepared for an assault. Variants such as the CrySIS, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for years and continue to inflict damage. Newer strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit and Nephilim, along with others not yet named, not only encrypt online data but also corrupt most backups they can reach. Data synced to the cloud can be corrupted as well. With a poorly designed data protection solution, this can render every restore operation useless and set the entire environment back to square one.

Restoring applications and data after a crypto-ransomware intrusion becomes a race against time as the targeted business struggles to stop the spread, remove the ransomware, and restore business-critical operations. Because ransomware needs time to propagate, attacks are usually launched on weekends, when a successful intrusion often takes longer to notice. This compounds the difficulty of quickly marshalling and organizing a knowledgeable mitigation team.

Progent offers a variety of services for protecting businesses from ransomware events. These include training staff to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways with AI capabilities to rapidly detect and suppress zero-day cyber attacks. Progent also offers the services of veteran ransomware recovery engineers with the skills and commitment to redeploy a breached system as urgently as possible.

Progent's Ransomware Restoration Help
Following a ransomware event, paying the ransom demand in cryptocurrency does not ensure that the remote criminals will respond with the keys needed to decrypt any or all of your files. Kaspersky determined that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000), well above the average ransomware demand, which ZDNET estimates to be about $13,000. The alternative is to piece the critical parts of your IT environment back together. Without full system backups, this calls for a wide range of skills, professional project management, and the capability to work non-stop until the job is done.

For two decades, Progent has offered certified expert IT services to companies in San Diego UCSD and across the US and has earned Microsoft's Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who hold advanced certifications in key technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's cyber security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC (refer to Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of experience gives Progent the ability to rapidly understand critical systems, integrate the surviving components of your network environment following a ransomware penetration, and assemble them into a functioning network.

Progent's ransomware team uses top-notch project management systems to coordinate the complex restoration process. Progent understands the urgency of working rapidly and in concert with a client's management and IT staff to prioritize tasks and put essential services back online as soon as possible.

Client Case Study: A Successful Ransomware Intrusion Response
A small business engaged Progent after its network was attacked by the Ryuk crypto-ransomware. Ryuk is generally believed to have been created by North Korean state-sponsored hackers, possibly using algorithms leaked from the United States National Security Agency. Ryuk targets specific businesses that have little or no tolerance for disruption and is among the most lucrative ransomware families. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer located in Chicago with about 500 staff members. The Ryuk intrusion had shut down all essential business operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network at the start of the attack and were destroyed. The client was actively seeking loans to pay the ransom demand (more than $200,000) and hoping for the best, but in the end reached out to Progent.


"I can't thank you enough in regards to the care Progent provided us during the most stressful time of (our) company's existence. We may have had to pay the hackers behind this attack except for the confidence the Progent team provided us. The fact that you could get our e-mail system and important applications back into operation quicker than seven days was amazing. Each expert I worked with or communicated with at Progent was absolutely committed on getting us restored and was working at all hours on our behalf."

Progent worked hand in hand with the client to quickly identify and prioritize the most important services that had to be restored in order to resume departmental operations:

  • Windows Active Directory
  • E-Mail
  • Accounting/MRP
To start, Progent followed anti-virus/malware incident response best practices by halting the spread and cleaning up compromised systems. Progent then began the task of restoring Active Directory, the heart of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange email will not function without AD, and the client's MRP software used SQL Server, which relied on Active Directory for authentication to the databases.

Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then assisted with reinstallation and hard drive recovery of key applications. All Exchange-related AD links and attributes were intact, which accelerated the restoration of Exchange. Progent collected non-encrypted OST files (Outlook Offline Data Files) from staff desktop computers to recover mail data. A recent offline backup of the business's manufacturing software made it possible to bring these essential applications back online. Although major work remained to recover fully from the Ryuk damage, core systems were returned to operation rapidly:


"For the most part, the production line operation ran fairly normal throughout and we delivered all customer orders."

Throughout the next couple of weeks key milestones in the restoration process were achieved through close cooperation between Progent consultants and the customer:

  • Internal web applications were returned to operation without losing any data.
  • The MailStore Microsoft Exchange Server with over four million archived messages was brought online and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were 100 percent recovered.
  • A new Palo Alto 850 firewall was brought on-line.
  • Most user workstations were back in use by staff.

"Much of what was accomplished that first week is mostly a blur for me, but our team will not forget the commitment all of your team put in to help get our business back. I have been working together with Progent for the past ten years, maybe more, and every time Progent has come through and delivered. This situation was a testament to your capabilities."

Conclusion
A potentially business-killing disaster was averted by top-tier professionals, a broad spectrum of knowledge, and close collaboration. In hindsight, the crypto-ransomware incident described here should have been prevented by advanced security technology, security best practices, user education, properly executed data protection procedures, and proper patching controls. The fact remains, however, that state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and will continue their attacks. If you do fall victim to a ransomware incursion, remember that Progent's roster of experts has extensive experience in crypto-ransomware defense, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), thanks very much for allowing me to get rested after we got over the first week. Everyone did an amazing job, and if any of your team is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, see Progent's Ryuk Virus Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in San Diego UCSD a range of remote monitoring and security assessment services to help reduce your vulnerability to crypto-ransomware. These services include modern AI technology to detect zero-day strains of crypto-ransomware that evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection platform (EPP) that uses next-generation behavior-based analysis to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which easily evade legacy signature-matching AV products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to automate the entire malware attack lifecycle, including filtering, detection, containment, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization consultants can help you design and implement a ProSight ESP environment that meets your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry data security standards. Progent will assist you in defining and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also help your company install and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized businesses an affordable end-to-end solution for secure backup and disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and enables fast recovery of vital files, applications and VMs that have been lost or corrupted due to hardware failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on a local storage device, or both. Progent's backup and recovery specialists can deliver advanced expertise to configure ProSight DPS to comply with regulatory requirements like HIPAA, FERPA, and PCI and, whenever necessary, can help you recover your critical data. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security vendors to provide centralized control and comprehensive security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from reaching your network firewall. This reduces your vulnerability to external threats and saves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a further level of inspection for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to monitor and safeguard internal email traffic that stays inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to diagram, monitor, enhance and troubleshoot their networking hardware such as routers, firewalls, and access points as well as servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are kept current, captures and manages the configuration of almost all devices on your network, tracks performance, and sends notices when problems are discovered. By automating tedious network management processes, WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, locating appliances that require important software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system running at peak levels by tracking the state of the critical assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT staff and your Progent engineering consultant so that potential problems can be addressed before they disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect information about your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can save up to 50% of the time spent searching for vital information about your IT network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require when you need it. Read more about Progent's ProSight IT Asset Management service.
For San Diego UCSD 24/7/365 Ransomware Repair Consulting, call Progent at 800-462-8800 or go to Contact Progent.