Ransomware : Your Crippling Information Technology Nightmare
Crypto-Ransomware  Remediation ExpertsRansomware has become a too-frequent cyber pandemic that represents an extinction-level threat for organizations unprepared for an attack. Multiple generations of ransomware such as CrySIS, WannaCry, Locky, SamSam and MongoLock cryptoworms have been circulating for many years and continue to inflict damage. Recent variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus more as yet unnamed malware, not only do encryption of online data but also infiltrate all accessible system protection. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, it can render any recovery hopeless and effectively sets the datacenter back to square one.

Getting back online programs and information after a ransomware intrusion becomes a sprint against time as the targeted organization tries its best to stop the spread and remove the virus and to restore enterprise-critical operations. Due to the fact that ransomware needs time to spread, penetrations are frequently sprung during weekends and nights, when successful penetrations are likely to take longer to identify. This multiplies the difficulty of quickly assembling and orchestrating a capable response team.

Progent has a range of solutions for protecting businesses from ransomware attacks. Among these are staff training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of the latest generation security solutions with machine learning technology from SentinelOne to detect and quarantine new threats rapidly. Progent in addition can provide the assistance of seasoned ransomware recovery consultants with the talent and perseverance to restore a breached network as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
After a ransomware penetration, paying the ransom demands in cryptocurrency does not ensure that cyber criminals will return the keys to unencrypt any or all of your data. Kaspersky determined that seventeen percent of ransomware victims never recovered their information after having sent off the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well higher than the typical ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to setup from scratch the vital components of your Information Technology environment. Without the availability of essential information backups, this requires a broad range of IT skills, top notch project management, and the capability to work continuously until the task is over.

For two decades, Progent has made available professional Information Technology services for companies in San Diego UCSD and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have garnered internationally-recognized certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience in financial systems and ERP applications. This breadth of expertise gives Progent the ability to rapidly identify necessary systems and organize the surviving pieces of your computer network system after a crypto-ransomware penetration and assemble them into an operational system.

Progent's ransomware team of experts uses state-of-the-art project management tools to coordinate the complicated restoration process. Progent appreciates the urgency of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and to get key systems back online as fast as humanly possible.

Business Case Study: A Successful Ransomware Intrusion Recovery
A small business escalated to Progent after their company was brought down by Ryuk ransomware. Ryuk is thought to have been deployed by Northern Korean state sponsored hackers, suspected of using techniques leaked from America's National Security Agency. Ryuk targets specific organizations with little tolerance for disruption and is among the most lucrative versions of crypto-ransomware. High publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago with about 500 workers. The Ryuk intrusion had frozen all company operations and manufacturing processes. Most of the client's backups had been online at the beginning of the intrusion and were destroyed. The client considered paying the ransom demand (more than $200,000) and praying for good luck, but in the end made the decision to use Progent.


"I can't tell you enough about the expertise Progent gave us during the most stressful time of (our) company's life. We may have had to pay the criminal gangs if not for the confidence the Progent team provided us. That you could get our e-mail system and critical servers back faster than a week was something I thought impossible. Each staff member I spoke to or communicated with at Progent was amazingly focused on getting us operational and was working non-stop to bail us out."

Progent worked hand in hand the client to quickly identify and assign priority to the mission critical areas that had to be recovered in order to resume company functions:

  • Active Directory (AD)
  • Exchange Server
  • MRP System
To start, Progent adhered to ransomware incident mitigation best practices by halting lateral movement and performing virus removal steps. Progent then initiated the task of recovering Microsoft Active Directory, the core of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not work without AD, and the client's financials and MRP system leveraged SQL Server, which depends on Active Directory for access to the databases.

In less than 2 days, Progent was able to re-build Active Directory to its pre-virus state. Progent then charged ahead with setup and storage recovery of the most important systems. All Exchange ties and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to collect intact OST data files (Microsoft Outlook Offline Data Files) on team workstations and laptops in order to recover email information. A not too old offline backup of the client's financials/MRP systems made them able to return these vital applications back online for users. Although significant work needed to be completed to recover totally from the Ryuk event, core services were returned to operations quickly:


"For the most part, the manufacturing operation was never shut down and we did not miss any customer shipments."

During the next month critical milestones in the recovery process were made in tight cooperation between Progent consultants and the client:

  • Internal web sites were restored without losing any data.
  • The MailStore Exchange Server containing more than four million archived messages was restored to operations and available for users.
  • CRM/Orders/Invoicing/AP/AR/Inventory functions were 100 percent recovered.
  • A new Palo Alto 850 firewall was brought online.
  • 90% of the user desktops and notebooks were operational.

"Much of what happened in the initial days is nearly entirely a fog for me, but our team will not forget the countless hours each of you accomplished to give us our company back. I have been working with Progent for the past 10 years, possibly more, and each time Progent has come through and delivered. This situation was a life saver."

Conclusion
A probable business catastrophe was dodged through the efforts of hard-working experts, a wide array of subject matter expertise, and close teamwork. Although upon completion of forensics the ransomware attack described here could have been identified and stopped with advanced cyber security technology solutions and NIST Cybersecurity Framework best practices, staff training, and appropriate security procedures for information backup and keeping systems up to date with security patches, the fact is that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, feel confident that Progent's team of professionals has substantial experience in crypto-ransomware virus defense, removal, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for making it so I could get some sleep after we got over the initial fire. Everyone did an impressive job, and if anyone that helped is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in San Diego UCSD a portfolio of remote monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services incorporate modern AI technology to uncover new strains of ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's cutting edge behavior machine learning technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily evade legacy signature-based AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to automate the entire threat lifecycle including blocking, detection, containment, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to security assaults from all vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device management, and web filtering via leading-edge tools incorporated within one agent accessible from a unified control. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP environment that addresses your company's specific needs and that allows you achieve and demonstrate compliance with government and industry information security regulations. Progent will assist you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate attention. Progent can also assist your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with advanced backup/restore software providers to create ProSight Data Protection Services (DPS), a portfolio of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your backup operations and enable transparent backup and rapid recovery of important files, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business recover from data loss resulting from hardware failures, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned insiders, or application glitches. Managed services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security vendors to deliver web-based management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Email Guard combines cloud-based filtering with an on-premises security gateway device to provide complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and blocks most threats from reaching your network firewall. This reduces your vulnerability to external attacks and saves network bandwidth and storage. Email Guard's onsite security gateway device adds a further level of inspection for inbound email. For outbound email, the local security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also help Microsoft Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map, monitor, optimize and debug their connectivity hardware like switches, firewalls, and access points plus servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and sends notices when problems are discovered. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off ordinary chores like making network diagrams, reconfiguring your network, locating devices that need critical software patches, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by checking the health of critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so all looming issues can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be moved immediately to a different hosting solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates ,domains or warranties. By updating and managing your network documentation, you can eliminate up to half of time spent trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're making improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes next generation behavior machine learning tools to defend endpoint devices and physical and virtual servers against modern malware assaults such as ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus tools. Progent ASM services safeguard local and cloud resources and provides a single platform to manage the complete threat lifecycle including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Service Desk: Help Desk Managed Services
    Progent's Support Desk services permit your IT team to outsource Support Desk services to Progent or split responsibilities for Service Desk support transparently between your in-house support team and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Shared Service Desk offers a smooth extension of your corporate IT support staff. Client access to the Service Desk, delivery of technical assistance, issue escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the support database are consistent whether issues are taken care of by your in-house support organization, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide organizations of all sizes a flexible and cost-effective alternative for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic information system. Besides maximizing the security and reliability of your IT network, Progent's software/firmware update management services allow your IT team to concentrate on more strategic initiatives and tasks that deliver the highest business value from your network. Read more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication (2FA). Duo supports one-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. With 2FA, when you log into a protected application and give your password you are requested to confirm who you are on a device that only you possess and that is accessed using a separate network channel. A broad range of out-of-band devices can be used for this second form of authentication such as a smartphone or wearable, a hardware token, a landline telephone, etc. You can register multiple validation devices. To learn more about ProSight Duo identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of real-time and in-depth reporting tools created to work with the top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues such as spotty support follow-through or machines with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For San Diego UCSD 24/7/365 Crypto-Ransomware Remediation Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.