Ransomware : Your Worst Information Technology Nightmare
Ransomware Recovery Consultants
Ransomware has become a modern cyberplague that represents an extinction-level danger for businesses poorly prepared for an attack. Different versions of crypto-ransomware like the CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for a long time and continue to inflict damage. The latest strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as many unnamed variants, not only encrypt online files but also attack many of the available system protection mechanisms. Files synchronized to the cloud can also be ransomed. With a vulnerable data protection solution, this can render automatic restoration useless and essentially set the entire system back to square one.

Recovering applications and information following a crypto-ransomware outage becomes a sprint against time as the victim struggles to stop the spread and remove the ransomware and to resume enterprise-critical activity. Since ransomware requires time to move laterally, attacks are frequently launched at night, when successful penetrations are likely to take more time to detect. This compounds the difficulty of rapidly assembling and orchestrating a qualified response team.

Progent offers a range of services for protecting enterprises from ransomware events. These include user training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of AI-based security solutions from SentinelOne to identify and quarantine zero-day cyber attacks rapidly. Progent also provides the assistance of expert crypto-ransomware recovery professionals with the track record and perseverance to rebuild a breached environment as rapidly as possible.

Progent's Ransomware Recovery Support Services
After a crypto-ransomware event, paying the ransom demand in cryptocurrency does not guarantee that the cyber criminals will provide the keys needed to decrypt all your information. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their data even after having paid the ransom, resulting in additional losses. The ransom itself is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be around $13,000. The alternative is to set up the vital parts of your Information Technology environment from scratch. Without access to complete system backups, this requires a broad complement of IT skills, top-notch team management, and the ability to work continuously until the task is finished.

For decades, Progent has made available expert IT services for companies in San Diego UCSD and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained top certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security engineers have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of expertise gives Progent the capability to quickly identify the essential systems, salvage the surviving parts of your network after a ransomware penetration, and reassemble them into a functioning environment.

Progent's security group has powerful project management systems to orchestrate the sophisticated recovery process. Progent understands the importance of acting swiftly and in unison with a customer's management and Information Technology staff to prioritize tasks and to get key applications back online as fast as humanly possible.

Customer Story: A Successful Ransomware Incident Restoration
A client sought out Progent after their network was crippled by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored criminal gangs, suspected of adopting techniques leaked from America's NSA. Ryuk targets specific companies with limited tolerance for disruption and is among the most profitable strains of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area with around 500 workers. The Ryuk intrusion had disabled all company operations and manufacturing capabilities. Most of the client's backups had been online at the time of the attack and were encrypted. The client was evaluating paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I cannot speak enough in regards to the care Progent gave us throughout the most critical time of (our) company's existence. We most likely would have paid the cyber criminals except for the confidence the Progent group afforded us. The fact that you were able to get our e-mail system and production servers back on-line in less than a week was something I thought impossible. Each expert I worked with or e-mailed at Progent was amazingly focused on getting our system up and was working 24 by 7 on our behalf."

Progent worked hand in hand with the customer to quickly identify and prioritize the essential elements that had to be restored before departmental functions could restart:

  • Microsoft Active Directory
  • Email
  • Financials/MRP
To begin, Progent followed industry best practices for AV/malware incident mitigation by stopping the spread and performing malware removal. Progent then began recovering Active Directory, the foundational technology of enterprise environments built on Microsoft Windows. Exchange email will not operate without AD, and the customer's financials and MRP software used SQL Server, which relies on Active Directory for authentication and authorization to the data.
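The restore order in this case follows from service dependencies: nothing comes back before containment, Exchange and SQL Server both need Active Directory, and the financials/MRP application needs SQL Server. The following Python is an added example (not Progent's tooling or a script from this case study) that makes that reasoning explicit: given a map of each service to its prerequisites, it produces a restore order in which every service appears after everything it depends on, uses a business-priority ranking only to break ties, and refuses to emit a plan when the runbook references an undefined service or contains a dependency cycle. The service names, dependency map and priority numbers are constructed from the description above and are assumptions, not the client's actual inventory.

```python
"""Dependency-ordered recovery planning (added example, not Progent's tooling).

Models the ordering the case study describes: Active Directory must come
back before Exchange and before the SQL Server instance that backs the
financials/MRP application. plan_recovery() performs a topological sort
(Kahn's algorithm) over a service -> prerequisites map; blocked_by() shows
what stays down while a given service is unavailable.
"""

# Constructed dependency map based on the case description (hypothetical names).
CASE_DEPENDENCIES = {
    "containment": [],                      # stop the spread, remove malware first
    "active_directory": ["containment"],
    "exchange": ["active_directory"],
    "sql_server": ["active_directory"],
    "financials_mrp": ["sql_server"],
    "mailstore_archive": ["exchange"],
    "web_sites": ["containment"],
}

# Business priority, used only to break ties among services whose
# prerequisites are all satisfied (lower number = restore sooner). Constructed.
CASE_PRIORITY = {
    "containment": 0,
    "active_directory": 1,
    "exchange": 2,
    "sql_server": 2,
    "financials_mrp": 3,
    "web_sites": 4,
    "mailstore_archive": 5,
}


def _dependents(deps):
    """Invert the prerequisite map: service -> services that need it."""
    dependents = {svc: [] for svc in deps}
    for svc, reqs in deps.items():
        for prereq in reqs:
            dependents[prereq].append(svc)
    return dependents


def plan_recovery(deps, priority=None):
    """Return a restore order honouring every dependency.

    Raises ValueError on an unknown prerequisite or a dependency cycle, so a
    broken runbook is caught before anyone starts rebuilding servers.
    """
    priority = priority or {}
    unknown = {p for reqs in deps.values() for p in reqs if p not in deps}
    if unknown:
        raise ValueError(f"undefined prerequisites: {sorted(unknown)}")

    indegree = {svc: len(reqs) for svc, reqs in deps.items()}
    dependents = _dependents(deps)
    rank = lambda s: (priority.get(s, 99), s)

    ready = sorted((s for s, d in indegree.items() if d == 0), key=rank)
    order = []
    while ready:
        svc = ready.pop(0)           # highest-priority service with all prerequisites met
        order.append(svc)
        for child in dependents[svc]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
        ready.sort(key=rank)

    if len(order) != len(deps):      # something never reached indegree 0: a cycle
        stuck = sorted(s for s, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle involving: {stuck}")
    return order


def blocked_by(deps, failed):
    """Every service that cannot be restored while `failed` is still down."""
    dependents = _dependents(deps)
    seen, stack = set(), [failed]
    while stack:
        cur = stack.pop()
        for child in dependents.get(cur, []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return sorted(seen)


if __name__ == "__main__":
    for step, svc in enumerate(plan_recovery(CASE_DEPENDENCIES, CASE_PRIORITY), 1):
        print(f"{step}. {svc}")
    print("blocked while AD is down:", blocked_by(CASE_DEPENDENCIES, "active_directory"))
```

Running the script lists containment and Active Directory first, then Exchange and SQL Server, and only then the financials/MRP application; the blocked_by() call shows why AD was the first thing rebuilt, since four of the six remaining services cannot come back without it.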

In less than two days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then initiated setup and hard drive recovery on critical applications. All Exchange Server schema and configuration information was usable, which accelerated the restoration of Exchange. Progent was also able to find unencrypted OST files (Microsoft Outlook Offline Folder Files) on staff desktop computers and used them to recover email data. A reasonably recent offline backup of the client's financials/ERP systems made it possible to bring these vital applications back online for users. Although significant work remained to recover completely from the Ryuk attack, essential systems were restored quickly:


"For the most part, the manufacturing operation was never shut down and we made all customer shipments."

During the next few weeks, critical milestones in the recovery process were reached through tight collaboration between Progent engineers and the customer:

  • Self-hosted web sites were brought back up with no loss of data.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million archived messages, was restored to operation and made accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were fully restored.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Nearly all of the user workstations were fully operational.

"A lot of what was accomplished those first few days is nearly entirely a haze for me, but my team will not forget the urgency each and every one of your team accomplished to give us our business back. I have been working with Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered as promised. This event was a life saver."

Conclusion
A likely business-extinction disaster was averted by hard-working experts, a wide array of knowledge, and close collaboration. Although in retrospect the ransomware penetration detailed here would have been prevented by advanced cyber security systems and recognized best practices, user and IT administrator training, and appropriate security procedures for information protection and patching controls, the reality is that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to crypto-ransomware, remember that Progent's team of professionals has extensive experience in ransomware blocking, mitigation, and information systems disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for letting me get some sleep after we made it through the initial fire. All of you did a fabulous effort, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in San Diego UCSD a portfolio of remote monitoring and security assessment services designed to assist you to reduce the threat from ransomware. These services utilize next-generation artificial intelligence technology to uncover new strains of ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior analysis technology to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which easily escape traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform to manage the entire malware attack lifecycle including filtering, infiltration detection, containment, remediation, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection services deliver economical in-depth security for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to cyber assaults from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization experts can assist you to plan and implement a ProSight ESP deployment that meets your company's unique requirements and that helps you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent's consultants can also help you to install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with leading backup technology companies to produce ProSight Data Protection Services, a portfolio of management offerings that provide backup-as-a-service. ProSight DPS products manage and monitor your data backup processes and allow non-disruptive backup and fast recovery of important files/folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss resulting from hardware failures, natural disasters, fire, malware like ransomware, human error, ill-intentioned insiders, or software glitches. Managed services in the ProSight DPS product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security companies to deliver centralized control and comprehensive protection for your email traffic. The powerful architecture of Email Guard combines a Cloud Protection Layer with an on-premises security gateway device to provide complete defense against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a first line of defense and blocks the vast majority of threats from reaching your network firewall. This reduces your exposure to external attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway device adds a deeper level of inspection for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Microsoft Exchange Server monitor and safeguard internal email traffic that originates and ends within your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map out, track, optimize and debug their networking hardware such as routers, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always current, copies and manages the configuration information of almost all devices on your network, monitors performance, and sends alerts when potential issues are detected. By automating time-consuming management processes, ProSight WAN Watch can cut hours off common tasks like making network diagrams, expanding your network, locating appliances that need important updates, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network running efficiently by tracking the health of the critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT management staff and your Progent consultant so any potential problems can be addressed before they impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Since the environment is virtualized, it can be ported easily to an alternate hosting solution without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard data about your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your network documentation, you can save up to half the time wasted looking for critical information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes cutting-edge behavior-based analysis technology to defend endpoints, servers and VMs against new malware attacks such as ransomware and email phishing, which routinely evade legacy signature-based anti-virus tools. Progent ASM services safeguard local and cloud-based resources and provide a unified platform to manage the complete malware attack lifecycle including filtering, infiltration detection, containment, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Read more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Center: Support Desk Managed Services
    Progent's Support Center managed services permit your information technology team to outsource Call Center services to Progent or divide responsibilities for Service Desk support transparently between your internal support team and Progent's nationwide roster of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a seamless supplement to your internal support organization. End user interaction with the Help Desk, provision of technical assistance, issue escalation, trouble ticket creation and updates, efficiency metrics, and maintenance of the support database are cohesive whether incidents are resolved by your corporate network support resources, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer businesses of any size a versatile and affordable solution for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information system. In addition to maximizing the protection and functionality of your computer network, Progent's software/firmware update management services free up time for your IT team to focus on more strategic initiatives and activities that derive maximum business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication (2FA). Duo enables single-tap identity verification on Apple iOS, Google Android, and other personal devices. Using 2FA, whenever you log into a secured online account and enter your password you are asked to confirm who you are via a device that only you possess and that is accessed using a different network channel. A broad selection of out-of-band devices can be used for this second means of ID validation including a smartphone or wearable, a hardware/software token, a landline phone, etc. You can designate multiple validation devices. To learn more about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication services.
For 24-7 San Diego UCSD Ransomware Repair Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.