Ransomware : Your Worst IT Disaster
Crypto-Ransomware  Remediation ProfessionalsRansomware has become a modern cyber pandemic that poses an extinction-level threat for organizations poorly prepared for an attack. Multiple generations of ransomware like the Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been out in the wild for years and continue to inflict destruction. The latest variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, along with more unnamed newcomers, not only encrypt online critical data but also infiltrate all available system backup. Files synched to off-site disaster recovery sites can also be corrupted. In a vulnerable data protection solution, this can render automated restoration useless and effectively knocks the datacenter back to zero.

Recovering services and information following a ransomware attack becomes a sprint against time as the victim tries its best to contain the damage and cleanup the ransomware and to resume business-critical operations. Since ransomware takes time to replicate, assaults are usually sprung during nights and weekends, when penetrations typically take longer to recognize. This compounds the difficulty of promptly marshalling and orchestrating a capable response team.

Progent provides a variety of support services for securing enterprises from crypto-ransomware events. Among these are team training to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of modern security solutions with AI technology to intelligently identify and suppress zero-day cyber attacks. Progent also provides the assistance of expert ransomware recovery engineers with the skills and perseverance to restore a compromised network as urgently as possible.

Progent's Ransomware Recovery Services
Following a crypto-ransomware event, even paying the ransom in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the keys to decipher all your files. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their files even after having paid the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the usual ransomware demands, which ZDNET averages to be approximately $13,000. The fallback is to piece back together the mission-critical components of your IT environment. Absent access to complete system backups, this calls for a broad complement of skill sets, well-coordinated team management, and the willingness to work non-stop until the task is done.

For two decades, Progent has made available certified expert Information Technology services for businesses in San Diego UCSD and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded top certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have garnered internationally-recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with accounting and ERP applications. This breadth of experience affords Progent the ability to efficiently determine critical systems and re-organize the remaining pieces of your IT system following a ransomware attack and rebuild them into an operational network.

Progent's security team utilizes best of breed project management tools to orchestrate the complicated recovery process. Progent appreciates the urgency of acting rapidly and in concert with a client's management and Information Technology staff to assign priority to tasks and to put critical systems back online as soon as humanly possible.

Business Case Study: A Successful Ransomware Virus Restoration
A client sought out Progent after their network system was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been launched by North Korean state criminal gangs, suspected of using algorithms exposed from the U.S. NSA organization. Ryuk targets specific organizations with limited tolerance for operational disruption and is one of the most profitable instances of ransomware viruses. Major organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago with around 500 workers. The Ryuk attack had disabled all company operations and manufacturing capabilities. Most of the client's data protection had been online at the start of the intrusion and were eventually encrypted. The client was actively seeking loans for paying the ransom demand (in excess of $200K) and wishfully thinking for the best, but ultimately called Progent.


"I cannot thank you enough about the care Progent gave us throughout the most fearful period of (our) businesses survival. We most likely would have paid the hackers behind this attack if not for the confidence the Progent group afforded us. That you were able to get our messaging and essential servers back on-line quicker than a week was amazing. Each person I got help from or messaged at Progent was urgently focused on getting us operational and was working non-stop on our behalf."

Progent worked together with the customer to rapidly get our arms around and prioritize the essential systems that had to be recovered in order to restart company operations:

  • Active Directory
  • Email
  • MRP System
To start, Progent adhered to AV/Malware Processes event response industry best practices by stopping the spread and clearing up compromised systems. Progent then began the task of bringing back online Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Exchange messaging will not function without Windows AD, and the businessesí MRP system utilized Microsoft SQL, which needs Active Directory for security authorization to the information.

Within two days, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then initiated rebuilding and hard drive recovery on key applications. All Exchange Server data and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to collect local OST data files (Outlook Offline Data Files) on staff desktop computers in order to recover email messages. A not too old off-line backup of the customerís manufacturing software made it possible to recover these essential programs back online for users. Although a lot of work remained to recover totally from the Ryuk attack, the most important services were restored quickly:


"For the most part, the production manufacturing operation was never shut down and we made all customer orders."

Over the following few weeks critical milestones in the recovery process were achieved in tight collaboration between Progent team members and the client:

  • In-house web applications were returned to operation without losing any data.
  • The MailStore Server containing more than 4 million historical emails was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoices/AP/AR/Inventory Control functions were completely functional.
  • A new Palo Alto 850 firewall was brought on-line.
  • 90% of the desktop computers were being used by staff.

"A huge amount of what transpired during the initial response is mostly a blur for me, but I will not forget the urgency all of your team accomplished to help get our business back. I have utilized Progent for the past ten years, possibly more, and each time I needed help Progent has come through and delivered. This situation was a testament to your capabilities."

Conclusion
A potential business extinction disaster was averted due to results-oriented experts, a wide spectrum of IT skills, and tight teamwork. Although in hindsight the ransomware virus attack detailed here should have been identified and stopped with modern cyber security solutions and recognized best practices, user education, and properly executed incident response procedures for data protection and keeping systems up to date with security patches, the fact is that government-sponsored hackers from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware incursion, remember that Progent's roster of experts has extensive experience in ransomware virus blocking, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), Iím grateful for letting me get some sleep after we got past the first week. All of you did an fabulous job, and if anyone that helped is around the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in San Diego UCSD a range of remote monitoring and security evaluation services to help you to minimize your vulnerability to crypto-ransomware. These services include next-generation artificial intelligence technology to uncover new variants of ransomware that are able to escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates next generation behavior-based machine learning tools to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily evade legacy signature-based AV products. ProSight ASM safeguards on-premises and cloud-based resources and offers a unified platform to automate the complete threat progression including blocking, detection, containment, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge tools incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help you to design and configure a ProSight ESP environment that addresses your organization's unique needs and that allows you achieve and demonstrate compliance with government and industry data security standards. Progent will assist you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for immediate attention. Progent can also assist your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with advanced backup technology providers to create ProSight Data Protection Services, a portfolio of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your backup processes and allow transparent backup and rapid restoration of vital files, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business recover from data loss caused by hardware failures, natural calamities, fire, malware such as ransomware, human error, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight Data Protection Services product line include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security companies to provide web-based control and world-class security for all your inbound and outbound email. The powerful structure of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway device to provide complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer serves as a preliminary barricade and blocks most threats from reaching your security perimeter. This decreases your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further layer of analysis for incoming email. For outbound email, the on-premises security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map, monitor, reconfigure and troubleshoot their networking hardware like switches, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are always current, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are discovered. By automating time-consuming management activities, WAN Watch can cut hours off common tasks such as network mapping, reconfiguring your network, finding devices that need important software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by tracking the state of vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your specified IT staff and your Progent engineering consultant so all looming problems can be resolved before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the apps. Because the system is virtualized, it can be moved easily to a different hosting solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect data related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSLs or warranties. By updating and managing your IT infrastructure documentation, you can save as much as 50% of time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether youíre making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.
For 24-Hour San Diego UCSD Crypto-Ransomware Repair Experts, contact Progent at 800-462-8800 or go to Contact Progent.