Ransomware: Your Feared Information Technology Nightmare
Crypto-ransomware has become a modern cyber pandemic and an enterprise-level danger for businesses that are poorly prepared for an attack. Families such as Dharma, CryptoWall, Locky, SamSam and MongoLock have been active for years and still inflict damage. More recent strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Nefilim, along with others not yet named, not only encrypt online data but also go after the recovery mechanisms themselves: they delete volume shadow copies, disable Windows recovery options, and encrypt or wipe any backup store they can reach over the network. Data synchronized to the cloud can be overwritten with encrypted copies as well. In a poorly architected environment this can make any restore operation impossible and knock the organization back to square one.
Recovering systems and data after a ransomware event becomes a race against time as the targeted organization struggles to contain the malware, clean infected systems, and restore mission-critical operations. Because spreading through a network and encrypting it takes time, attacks are often launched on nights and weekends, when detection is slower and the attacker gets a longer head start. This compounds the difficulty of rapidly mobilizing and coordinating a capable response team.
Progent offers a variety of services for protecting businesses from crypto-ransomware. These include training staff to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation security appliances that use machine learning to detect and block previously unseen attacks. Progent also provides experienced crypto-ransomware recovery engineers with the skills and commitment to rebuild a compromised network as quickly as possible.
Progent's Ransomware Recovery Services
After a crypto-ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over working decryption keys for all your data. Kaspersky Lab estimated that seventeen percent of ransomware victims never recovered their files even after paying, compounding their losses. Paying is also expensive: Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the essential elements of your IT environment. Without complete, uncompromised backups, this calls for a broad range of skills, first-rate project management, and the capacity to work around the clock until the recovery is done.
For two decades, Progent has provided certified expert IT services for companies in Chatsworth and throughout the US and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold advanced industry certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity experts hold internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of expertise gives Progent the skills to determine what must be rebuilt, reorganize the surviving components of your IT environment after a crypto-ransomware attack, and bring them back together into a working network.
Progent's ransomware team uses powerful project management tools to orchestrate the complex recovery process. Progent knows the urgency of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and put essential applications back online as fast as humanly possible.
Customer Story: A Successful Ransomware Response
A client engaged Progent after its network was taken over by Ryuk ransomware. Ryuk was initially attributed to North Korean actors because it shares code with the earlier Hermes ransomware, but subsequent research has linked its operators to Russian-speaking criminal groups. Ryuk is used in targeted attacks against organizations that cannot tolerate downtime and has been one of the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in Chicago with about 500 employees. The Ryuk attack had disabled all essential business operations and manufacturing processes. Most of the client's backups had been online, reachable from the network, at the time of the attack and were encrypted along with the production data. The client was considering paying the ransom (in excess of $200K) and hoping for the best, but in the end engaged Progent.
"I cannot thank you enough for the support Progent provided us throughout the most stressful time of (our) business's life. We would have had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent group gave us. The fact that you were able to get our e-mail system and key servers back online in fewer than five days was beyond my wildest dreams. Every single expert I got help from or e-mailed at Progent was hell bent on getting us working again and was working at breakneck pace on our behalf."
Progent worked hand in hand with the customer to rapidly identify and prioritize the critical elements that had to be restored before business functions could resume:
- Microsoft Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To begin, Progent followed incident response best practices by containing the outbreak to stop lateral movement and clearing infected systems. Progent then started restoring Microsoft Active Directory, the heart of an enterprise network built on Microsoft technology. Exchange will not operate without Active Directory, and the customer's accounting and MRP software ran on Microsoft SQL Server, which relied on Active Directory (Windows authentication) to control access to the data.
Within 48 hours, Progent restored Active Directory to its pre-attack state. Progent then completed reinstallations and disk recovery on key servers. The Exchange schema and configuration objects in Active Directory were intact, which greatly simplified the Exchange rebuild. Progent was also able to locate intact OST files (Outlook offline data files) on user PCs and recover mail from them. A reasonably recent offline backup of the business's accounting systems allowed those essential applications to be brought back into service. Although considerable work remained to recover fully from the Ryuk attack, essential systems were back quickly:
"For the most part, the production operation survived unscathed and we delivered all customer orders."
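The recovery above hinged on one backup that had stayed offline and intact while everything reachable from the network was encrypted. The following script is an added example, not Progent's tooling or part of the original case study: it checks a backup set against a hash manifest recorded when the backup was taken (assumed to be stored on offline or immutable media that an attacker cannot rewrite), reports missing, modified and unexpected files, and uses a byte-entropy test to flag modified files whose contents now look encrypted. The file names and contents in demo() are constructed for illustration.

```python
"""Verify a backup set against a trusted manifest and flag copies that look encrypted.

Added example, not Progent's tooling. Assumes the manifest (relative path -> SHA-256)
was written when the backup completed and kept where ransomware cannot rewrite it
(offline media or an immutable object store). All sample files are constructed.
"""
from __future__ import annotations

import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain data and most documents score well below 7, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every file under root; run this as the final step of the backup job."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict[str, str], entropy_threshold: float = 7.5) -> dict[str, list[str]]:
    """Compare the backup set on disk with the trusted manifest.

    Returns relative paths bucketed as ok / modified / missing / unexpected, plus
    'suspicious' for modified files whose first 64 KiB now look encrypted.
    """
    result: dict[str, list[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": [], "suspicious": []}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in present:
            result["missing"].append(rel)          # deleted, or renamed with a new extension
            continue
        path = root / rel
        if sha256_file(path) == expected:
            result["ok"].append(rel)
            continue
        result["modified"].append(rel)
        if shannon_entropy(path.read_bytes()[:65536]) >= entropy_threshold:
            result["suspicious"].append(rel)       # hash changed and content is now high-entropy
    result["unexpected"] = sorted(present - set(manifest))  # ransom notes, renamed files
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: record a manifest, then simulate ransomware reaching the backup share."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ad").mkdir()
        (root / "ad" / "ntds.dit.bak").write_bytes(b"NTDS " * 4000)          # constructed sample data
        (root / "sql_full.bak").write_bytes(b"backup-page\x00" * 2000)
        (root / "exchange_db.edb").write_bytes(b"EDB " * 3000)
        manifest = build_manifest(root)                                     # taken before the attack

        (root / "sql_full.bak").write_bytes(os.urandom(24000))              # encrypted in place
        (root / "exchange_db.edb").rename(root / "exchange_db.edb.locked")  # renamed with new extension
        (root / "RyukReadMe.txt").write_text("constructed ransom note")     # dropped by the attacker
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:10s} {files}")
```

In practice, run build_manifest() as the last step of the backup job, copy the manifest off-network, and run verify_backup() before a restore so you know which copies can be trusted. The entropy test is only a heuristic: legitimately compressed or encrypted backup formats also score near 8 bits per byte, so treat the hash mismatch as the primary signal and the entropy flag as supporting evidence.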
Over the following few weeks key milestones in the recovery process were accomplished in close cooperation between Progent consultants and the client:
- Self-hosted web applications were returned to operation with no loss of data.
- The MailStore archive server for Exchange, containing more than four million historical messages, was restored to operation and made accessible to users.
- CRM, customer orders, invoicing, AP/AR and inventory functions were fully recovered.
- A new Palo Alto Networks PA-850 firewall was brought online.
- Nearly all user PCs were fully operational again.
"So much of what transpired during the initial response is almost entirely a haze for me, but I will not soon forget the countless hours each of you put in to give us our company back. I've utilized Progent for the past 10 years, maybe more, and each time Progent has shined and delivered. This situation was a stunning achievement."
A potentially business-ending catastrophe was averted through results-oriented experts, a broad range of IT skills, and close collaboration. Forensics completed after the recovery showed that the intrusion described here would have been detected and blocked by up-to-date security tooling and practices: user education, disciplined patching, appropriate incident response procedures, and data protection that keeps backups out of an attacker's reach. Even so, criminal and state-sponsored attackers in Russia, North Korea and elsewhere are relentless and will keep trying. If you are hit by ransomware, Progent's team has substantial experience in ransomware prevention, mitigation, and data recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for allowing me to get some sleep after we made it through the initial fire. All of you made an incredible effort, and if any of your team is around the Chicago area, a great meal is the least I can do!"
To review or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Chatsworth a variety of remote monitoring and security assessment services to help reduce your exposure to ransomware. These include machine-learning-based detection designed to catch new ransomware strains that evade traditional signature-based anti-virus.
For 24x7x365 Chatsworth Crypto-Ransomware Cleanup Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection platform (EPP) that uses behavioral machine learning to guard physical and virtual endpoints against modern attacks such as ransomware and fileless exploits, which routinely get past traditional signature-matching AV tools. ProSight ASM protects local and cloud-based resources and provides a unified platform covering the entire attack lifecycle: prevention, detection of an intrusion, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback of encrypted files using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly identified threats. Because most ransomware families delete shadow copies (for example with vssadmin or WMIC) before they start encrypting, rollback only helps if the agent blocks those deletions or preserves the snapshots it relies on; confirm that behaviour during evaluation rather than assuming it. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
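Rollback through shadow copies works only if the snapshots still exist when you need them, so process-creation telemetry should alert on the commands that destroy them. The following is an added example, not Progent's or any vendor's detection content: it parses constructed Sysmon-style process-creation lines, matches each command line against patterns for shadow-copy deletion, shadow-storage eviction, recovery-option tampering and backup-catalog deletion (MITRE ATT&CK T1490, Inhibit System Recovery), and tags hits that occur on weekends or outside business hours, the timing the article notes attackers prefer. The key=value log shape, host and user names, and timestamps are assumptions for the example; adapt parse_event() to your own SIEM's field names.

```python
"""Alert on process-creation events that destroy Windows recovery points (ATT&CK T1490).

Added example, not Progent's or any vendor's detection content. The key=value line shape,
host and user names, and timestamps below are constructed; adapt parse_event() to the
field names your SIEM or Sysmon pipeline emits.
"""
from __future__ import annotations

import re
from datetime import datetime
from typing import Optional

# (rule id, regex over the full command line). Patterns tolerate paths, .exe suffixes and mixed case.
RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vss_resize_evict", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadow_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_no_recovery", re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
    ("ps_shadow_delete", re.compile(r"win32_shadowcopy\b.*(\bdelete\b|remove-wmiobject|remove-ciminstance)", re.I)),
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)


def parse_event(line: str) -> Optional[dict]:
    """Parse one constructed Sysmon-style line; return None for lines in another shape."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def off_hours(ts: datetime, start_hour: int = 7, end_hour: int = 19) -> bool:
    """Weekend, or outside the business window; sample timestamps are treated as local time (assumption)."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def detect(lines: list[str]) -> list[dict]:
    """Return one alert per event whose command line matches a T1490 pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev is None:
            continue
        for rule_id, rx in RULES:
            if rx.search(ev["cmd"]):
                hits.append({"line": n, "rule": rule_id, "host": ev["host"], "user": ev["user"],
                             "off_hours": off_hours(ev["ts"]), "cmd": ev["cmd"]})
                break  # first matching rule wins; one alert per event
    return hits


# Constructed sample: an early-Saturday burst on a file server, plus two benign weekday events.
SAMPLE_LOG = [
    r'2023-05-13T02:14:07Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    r'2023-05-13T02:14:09Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"',
    r'2023-05-13T02:14:11Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"',
    r'2023-05-10T10:30:00Z host=BK01 user=CORP\backupadmin image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"',
    r'2023-05-10T10:31:12Z host=WS042 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmd="notepad.exe C:\Users\jdoe\notes.txt"',
    r'2023-05-13T02:14:15Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -nop -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        flag = " [off-hours]" if hit["off_hours"] else ""
        print(f"line {hit['line']}: {hit['rule']} on {hit['host']} by {hit['user']}{flag}: {hit['cmd']}")
```

A burst of these commands from one host within seconds, as in the sample, is a strong indicator that encryption is about to begin; wire the alert to isolate the host and to verify that backups outside the attacker's reach are current. Administrators do run vssadmin and wbadmin legitimately, so the benign "vssadmin list shadows" line is deliberately left unmatched, and any real deployment should also allow-list the scheduled backup jobs that resize shadow storage.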
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable, in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and response to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools incorporated in one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business design and implement a ProSight ESP environment that meets your organization's requirements and lets you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require urgent action. Progent's consultants can also help you set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent give small and mid-sized organizations a low-cost, fully managed service for secure backup and disaster recovery (BDR). For a fixed monthly cost, ProSight DPS automates your backup activities and enables fast restoration of critical data, applications and virtual machines that have become unavailable or damaged through component failures, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on a local storage device, or both. Progent's cloud backup specialists can provide expert help configuring ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FERPA, and PCI and, whenever needed, can assist you in recovering your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security vendors to provide web-based control and strong security for your inbound and outbound email. The architecture of Progent's Email Guard integrates a cloud protection layer with an on-premises security gateway appliance to provide layered defense against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as the first barrier and keeps most threats from reaching your security perimeter. This decreases your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further level of analysis for incoming email. For outbound email, the local security gateway provides anti-virus and anti-spam filtering, data leak protection, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server track and safeguard internal email that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map out, monitor, reconfigure and troubleshoot their networking hardware such as switches, firewalls, and access points plus servers, client computers and other networked devices. Using cutting-edge RMM technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and displays the configuration information of virtually all devices on your network, monitors performance, and generates notices when problems are discovered. By automating time-consuming management processes, ProSight WAN Watch can cut hours off ordinary tasks like network mapping, expanding your network, locating appliances that need critical updates, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management techniques to keep your IT system running at peak levels by checking the health of the vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management personnel and your Progent engineering consultant so that potential problems can be addressed before they affect your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported immediately to a different hardware environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard data about your network infrastructure, processes, business applications, and services. You can instantly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can save as much as half the time currently wasted looking for vital information about your IT network. ProSight IT Asset Management provides a centralized location for storing and sharing all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and how-to guides. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.