Ransomware : Your Crippling Information Technology Catastrophe
Crypto-Ransomware  Remediation ConsultantsRansomware has become a modern cyber pandemic that presents an existential danger for organizations poorly prepared for an attack. Different versions of crypto-ransomware like the CryptoLocker, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for years and still cause destruction. Recent strains of ransomware like Ryuk and Hermes, as well as frequent unnamed newcomers, not only encrypt online critical data but also infect any configured system protection mechanisms. Data synchronized to the cloud can also be corrupted. In a poorly architected data protection solution, this can make automatic restore operations impossible and effectively knocks the entire system back to square one.

Getting back on-line programs and information following a ransomware intrusion becomes a race against time as the targeted organization tries its best to stop lateral movement and eradicate the virus and to restore mission-critical activity. Due to the fact that ransomware needs time to replicate, penetrations are frequently launched on weekends, when penetrations in many cases take more time to notice. This compounds the difficulty of promptly marshalling and organizing a knowledgeable mitigation team.

Progent makes available a variety of services for protecting organizations from crypto-ransomware penetrations. Among these are team member education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of modern security gateways with machine learning capabilities to rapidly identify and disable day-zero cyber attacks. Progent also can provide the services of expert crypto-ransomware recovery professionals with the track record and perseverance to reconstruct a breached environment as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
Following a ransomware attack, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will return the needed keys to decipher any of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly above the usual crypto-ransomware demands, which ZDNET determined to be in the range of $13,000. The alternative is to piece back together the critical parts of your IT environment. Without the availability of complete system backups, this calls for a broad range of IT skills, top notch team management, and the willingness to work non-stop until the job is finished.

For twenty years, Progent has offered professional IT services for companies in San Diego UCSD and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained advanced certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally-renowned industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of expertise affords Progent the ability to rapidly determine important systems and re-organize the remaining pieces of your network system following a ransomware event and assemble them into an operational network.

Progent's security team uses best of breed project management systems to orchestrate the complicated recovery process. Progent knows the urgency of acting rapidly and together with a customerís management and IT staff to assign priority to tasks and to put the most important services back online as fast as humanly possible.

Business Case Study: A Successful Ransomware Virus Response
A small business hired Progent after their network was crashed by Ryuk ransomware. Ryuk is thought to have been created by North Korean state criminal gangs, suspected of using approaches leaked from Americaís National Security Agency. Ryuk attacks specific companies with limited ability to sustain operational disruption and is among the most lucrative incarnations of ransomware. Headline organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in the Chicago metro area with around 500 workers. The Ryuk event had paralyzed all essential operations and manufacturing processes. The majority of the client's data backups had been directly accessible at the start of the intrusion and were encrypted. The client was evaluating paying the ransom demand (exceeding $200K) and hoping for good luck, but in the end made the decision to use Progent.


"I canít speak enough in regards to the support Progent gave us during the most critical time of (our) businesses survival. We most likely would have paid the cybercriminals except for the confidence the Progent experts afforded us. That you were able to get our e-mail and key applications back online in less than five days was earth shattering. Every single person I spoke to or e-mailed at Progent was laser focused on getting us restored and was working day and night to bail us out."

Progent worked hand in hand the client to quickly determine and assign priority to the key areas that needed to be restored to make it possible to continue business functions:

  • Windows Active Directory
  • Exchange Server
  • Accounting/MRP
To begin, Progent followed Anti-virus penetration response best practices by stopping the spread and cleaning up infected systems. Progent then started the process of bringing back online Microsoft Active Directory, the key technology of enterprise systems built on Microsoft Windows technology. Microsoft Exchange messaging will not work without AD, and the businessesí MRP software utilized Microsoft SQL, which depends on Active Directory for authentication to the database.

In less than two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then helped perform reinstallations and storage recovery on the most important servers. All Microsoft Exchange Server ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to assemble local OST files (Outlook Offline Folder Files) on team workstations and laptops to recover mail messages. A not too old offline backup of the businesses accounting/MRP systems made them able to restore these vital programs back servicing users. Although a large amount of work needed to be completed to recover completely from the Ryuk event, the most important systems were restored quickly:


"For the most part, the assembly line operation ran fairly normal throughout and we did not miss any customer shipments."

Throughout the next few weeks critical milestones in the restoration project were accomplished through tight cooperation between Progent team members and the customer:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore Server with over 4 million historical emails was spun up and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were fully operational.
  • A new Palo Alto 850 firewall was set up and programmed.
  • 90% of the desktops and laptops were functioning as before the incident.

"So much of what transpired that first week is nearly entirely a fog for me, but our team will not soon forget the countless hours all of your team put in to give us our business back. Iíve been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This time was the most impressive ever."

Conclusion
A potential business-killing disaster was avoided with results-oriented experts, a wide range of IT skills, and close collaboration. Although upon completion of forensics the ransomware virus attack detailed here should have been identified and stopped with modern security solutions and NIST Cybersecurity Framework best practices, team training, and appropriate security procedures for information protection and applying software patches, the reality is that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's team of professionals has proven experience in ransomware virus defense, removal, and information systems recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for letting me get rested after we got past the most critical parts. All of you did an fabulous effort, and if any of your team is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in San Diego UCSD a range of remote monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services include next-generation artificial intelligence technology to uncover zero-day strains of ransomware that are able to get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next generation behavior analysis tools to defend physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily get by legacy signature-matching AV products. ProSight ASM safeguards local and cloud resources and offers a unified platform to manage the entire malware attack lifecycle including filtering, infiltration detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering via cutting-edge tools incorporated within one agent accessible from a single control. Progent's security and virtualization consultants can assist you to design and configure a ProSight ESP environment that addresses your company's unique requirements and that helps you prove compliance with legal and industry data protection standards. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent can also help your company to set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized businesses a low cost and fully managed service for reliable backup/disaster recovery. For a low monthly price, ProSight DPS automates and monitors your backup processes and enables fast restoration of vital files, apps and VMs that have become lost or corrupted as a result of component failures, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to an on-promises storage device, or mirrored to both. Progent's backup and recovery consultants can deliver advanced expertise to set up ProSight Data Protection Services to be compliant with regulatory standards such as HIPPA, FINRA, PCI and Safe Harbor and, whenever needed, can help you to recover your critical data. Read more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading information security vendors to provide web-based control and world-class protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with a local security gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. The Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from making it to your security perimeter. This decreases your vulnerability to inbound threats and saves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a further layer of inspection for inbound email. For outgoing email, the onsite security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, track, reconfigure and troubleshoot their networking hardware such as switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are always current, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, finding appliances that need critical software patches, or resolving performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to keep your network operating at peak levels by tracking the state of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your specified IT management staff and your assigned Progent engineering consultant so that any looming problems can be resolved before they can impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the apps. Since the environment is virtualized, it can be moved immediately to an alternate hosting solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard data about your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save as much as 50% of time wasted trying to find vital information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether youíre making enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
For San Diego UCSD 24/7 Crypto-Ransomware Cleanup Help, call Progent at 800-993-9400 or go to Contact Progent.