Ransomware : Your Worst Information Technology Disaster
Ransomware  Recovery ConsultantsRansomware has become an escalating cyberplague that represents an existential threat for businesses of all sizes vulnerable to an assault. Different versions of ransomware such as CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for years and continue to cause havoc. Recent versions of crypto-ransomware like Ryuk and Hermes, along with additional unnamed newcomers, not only do encryption of on-line files but also infect any configured system protection mechanisms. Files synched to cloud environments can also be rendered useless. In a poorly architected system, this can make automatic restoration hopeless and effectively knocks the entire system back to zero.

Getting back on-line applications and information after a ransomware attack becomes a sprint against time as the targeted organization tries its best to contain the damage and eradicate the crypto-ransomware and to restore business-critical activity. Because ransomware takes time to spread, assaults are often sprung during nights and weekends, when successful attacks in many cases take more time to uncover. This multiplies the difficulty of quickly assembling and coordinating a qualified response team.

Progent has a variety of solutions for protecting enterprises from ransomware penetrations. Among these are team education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of next-generation security gateways with machine learning capabilities to quickly discover and quarantine day-zero threats. Progent also can provide the assistance of experienced crypto-ransomware recovery engineers with the skills and perseverance to re-deploy a breached environment as quickly as possible.

Progent's Ransomware Recovery Help
Soon after a ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that criminal gangs will respond with the needed codes to decrypt all your information. Kaspersky estimated that seventeen percent of ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the average crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to re-install the vital components of your Information Technology environment. Absent the availability of essential data backups, this requires a broad range of skill sets, top notch team management, and the willingness to work 24x7 until the recovery project is finished.

For two decades, Progent has offered expert IT services for businesses in San Diego UCSD and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have earned advanced certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in financial systems and ERP applications. This breadth of expertise affords Progent the skills to efficiently determine necessary systems and consolidate the remaining components of your network environment after a ransomware event and configure them into an operational system.

Progent's security group utilizes powerful project management systems to coordinate the sophisticated restoration process. Progent appreciates the urgency of working rapidly and in unison with a customerís management and IT team members to prioritize tasks and to get key applications back on-line as fast as possible.

Case Study: A Successful Crypto-Ransomware Attack Recovery
A small business engaged Progent after their organization was taken over by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state cybercriminals, suspected of adopting algorithms leaked from Americaís NSA organization. Ryuk targets specific businesses with little tolerance for disruption and is one of the most lucrative instances of ransomware. Well Known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business located in the Chicago metro area and has around 500 workers. The Ryuk event had shut down all business operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the time of the attack and were damaged. The client was actively seeking loans for paying the ransom demand (more than $200,000) and hoping for good luck, but ultimately made the decision to use Progent.


"I cannot thank you enough in regards to the support Progent gave us during the most stressful time of (our) businesses existence. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent experts gave us. That you could get our e-mail and key applications back into operation in less than five days was something I thought impossible. Each consultant I worked with or communicated with at Progent was absolutely committed on getting us operational and was working 24/7 to bail us out."

Progent worked together with the customer to rapidly understand and assign priority to the essential elements that needed to be addressed in order to resume departmental operations:

  • Active Directory (AD)
  • Microsoft Exchange
  • Accounting/MRP
To get going, Progent adhered to AV/Malware Processes penetration mitigation industry best practices by stopping the spread and clearing infected systems. Progent then began the task of recovering Active Directory, the heart of enterprise systems built on Microsoft technology. Exchange messaging will not work without Windows AD, and the businessesí MRP applications utilized Microsoft SQL, which needs Active Directory for access to the information.

Within two days, Progent was able to rebuild Active Directory to its pre-virus state. Progent then initiated rebuilding and storage recovery of critical servers. All Exchange data and configuration information were intact, which greatly helped the restore of Exchange. Progent was also able to find local OST files (Outlook Email Off-Line Data Files) on various desktop computers in order to recover mail messages. A not too old offline backup of the client's accounting software made it possible to recover these essential programs back online for users. Although a large amount of work remained to recover totally from the Ryuk event, critical services were restored quickly:


"For the most part, the production operation never missed a beat and we made all customer sales."

Throughout the following month important milestones in the recovery process were made through tight cooperation between Progent consultants and the customer:

  • Internal web applications were restored with no loss of data.
  • The MailStore Exchange Server exceeding four million historical messages was restored to operations and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control functions were 100% functional.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Nearly all of the user PCs were being used by staff.

"So much of what went on that first week is nearly entirely a haze for me, but my management will not soon forget the commitment all of the team accomplished to help get our company back. Iíve trusted Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered. This event was a stunning achievement."

Conclusion
A potential business-ending disaster was averted through the efforts of hard-working experts, a broad spectrum of subject matter expertise, and close teamwork. Although upon completion of forensics the ransomware incident described here should have been stopped with advanced cyber security technology and security best practices, team training, and properly executed security procedures for data backup and keeping systems up to date with security patches, the fact remains that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has proven experience in crypto-ransomware virus defense, mitigation, and data recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for allowing me to get some sleep after we got past the initial push. Everyone did an impressive job, and if any of your team is around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in San Diego UCSD a portfolio of online monitoring and security assessment services to assist you to reduce your vulnerability to ransomware. These services utilize modern AI capability to uncover zero-day variants of ransomware that can evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior-based analysis technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which easily get by traditional signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to manage the complete malware attack lifecycle including filtering, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering via cutting-edge tools incorporated within a single agent accessible from a single control. Progent's data protection and virtualization experts can assist your business to design and implement a ProSight ESP deployment that addresses your organization's specific requirements and that allows you demonstrate compliance with legal and industry information protection regulations. Progent will assist you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require urgent action. Progent's consultants can also help your company to install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and medium-sized businesses an affordable and fully managed service for reliable backup/disaster recovery (BDR). Available at a low monthly cost, ProSight Data Protection Services automates your backup processes and enables rapid restoration of vital data, apps and virtual machines that have become lost or corrupted due to hardware breakdowns, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to a local device, or to both. Progent's BDR specialists can deliver advanced support to configure ProSight DPS to be compliant with regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can assist you to recover your critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading data security vendors to provide centralized management and world-class protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard combines cloud-based filtering with a local security gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and blocks most unwanted email from reaching your security perimeter. This reduces your vulnerability to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite gateway device adds a deeper level of inspection for incoming email. For outbound email, the local gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to track and protect internal email that stays inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map out, track, optimize and debug their networking hardware like routers and switches, firewalls, and access points as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network maps are always updated, copies and displays the configuration information of almost all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating complex management and troubleshooting processes, WAN Watch can cut hours off common chores like making network diagrams, expanding your network, finding appliances that need critical software patches, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your network running at peak levels by tracking the health of vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your specified IT personnel and your assigned Progent consultant so all potential issues can be addressed before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved easily to a different hardware environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and protect information about your network infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned about upcoming expirations of SSLs or warranties. By updating and managing your IT documentation, you can eliminate as much as 50% of time wasted looking for critical information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether youíre planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Learn more about ProSight IT Asset Management service.
For 24-Hour San Diego UCSD Crypto Recovery Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.