Ransomware : Your Worst IT Nightmare
Ransomware Recovery Consultants
Crypto-ransomware has become a modern cyberplague that represents an extinction-level threat for businesses poorly prepared for an assault. Versions of ransomware like the CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and still inflict damage. Recent versions of ransomware like Ryuk and Hermes, along with frequent unnamed malware, not only encrypt on-line data but also infect any accessible system backup. Data replicated to cloud environments can also be encrypted. With a vulnerable data protection solution, this can make any recovery impossible and effectively knocks the datacenter back to square one.

Restoring programs and data after a ransomware attack becomes a race against the clock as the targeted business fights to contain and eradicate the malware and to resume enterprise-critical operations. Since ransomware requires time to spread, assaults are often sprung at night, when intrusions tend to take longer to identify. This compounds the difficulty of promptly mobilizing and orchestrating a qualified response team.

Progent has a range of solutions for securing organizations from ransomware attacks. Among these are team training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security gateways with artificial intelligence technology to intelligently detect and extinguish zero-day cyber threats. Progent in addition can provide the services of experienced ransomware recovery engineers with the skills and commitment to re-deploy a breached system as urgently as possible.

Progent's Ransomware Restoration Services
Soon after a ransomware attack, paying the ransom in cryptocurrency does not ensure that the criminals will respond with the keys needed to decrypt any of your information. Kaspersky determined that 17% of ransomware victims never recovered their files after paying the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000), significantly above the average ransomware demand, which ZDNET puts at approximately $13,000. The alternative is to set up from scratch the vital elements of your Information Technology environment. Without access to complete data backups, this requires a wide range of IT skills, top-notch team management, and the ability to work non-stop until the job is complete.

For twenty years, Progent has made available certified expert IT services for businesses in Pasadena and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial systems and ERP applications. This breadth of expertise affords Progent the capability to quickly identify necessary systems and integrate the remaining components of your Information Technology environment after a ransomware penetration and configure them into an operational network.

Progent's security team has top-notch project management tools to coordinate the complex restoration process. Progent appreciates the urgency of acting swiftly and in unison with a customer's management and IT team members to prioritize tasks and to get essential systems back on line as fast as humanly possible.

Case Study: A Successful Crypto-Ransomware Incident Response
A customer contacted Progent after their network was taken over by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state cybercriminals, suspected of using techniques leaked from the U.S. NSA. Ryuk targets specific businesses with limited tolerance for operational disruption and is one of the most profitable incarnations of ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in the Chicago metro area with about 500 employees. The Ryuk attack had shut down all company operations and manufacturing capabilities. The majority of the client's backups had been on-line at the start of the intrusion and were eventually encrypted. The client was pursuing financing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately called Progent.


"I can't thank you enough in regards to the support Progent provided us during the most stressful time of (our) business's existence. We had little choice but to pay the hackers if it wasn't for the confidence the Progent group gave us. The fact that you could get our e-mail system and important servers back online in less than 1 week was incredible. Every single staff member I interacted with or messaged at Progent was absolutely committed to getting us working again and was working 24 by 7 on our behalf."

Progent worked with the customer to rapidly assess and prioritize the mission critical elements that needed to be addressed in order to continue company operations:

  • Microsoft Active Directory
  • Exchange Server
  • MRP System
To start, Progent adhered to ransomware incident mitigation industry best practices by stopping the spread and cleaning up compromised systems. Progent then started the process of rebuilding Microsoft AD, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange messaging will not work without Windows AD, and the customer's financials and MRP applications used Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the database.

Within 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then completed the setup and storage recovery of critical applications. All Microsoft Exchange Server schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Outlook Off-Line Folder Files) on various workstations and use them to recover email data. A recent off-line backup of the business's accounting/MRP software made it possible to bring these required applications back on-line. Although major work remained to recover completely from the Ryuk attack, critical services were restored quickly:
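As an added example (not Progent's code or any tool used in the engagement), the following Python script triages OST/PST files found on workstations during the kind of mail recovery described above, separating files whose Outlook header is intact from ones whose contents have been overwritten by an encryptor. The `!BDN` signature check, the entropy threshold and the sample files are assumptions constructed for the example.

```python
"""Triage Outlook data files (OST/PST) found on workstations after an attack.

Constructed assumptions, not from the case study: an intact OST/PST starts
with the signature b"!BDN"; an encrypted one lacks it and its leading bytes
look near-random; encryptors often append an extension, so ".ost" may sit
mid-name (e.g. "user.ost.locked").
"""
import math
import os
import tempfile
from collections import Counter

OST_SIGNATURE = b"!BDN"  # magic bytes at offset 0 of Outlook data files
SAMPLE_BYTES = 4096      # header sample used for the entropy estimate
HIGH_ENTROPY = 7.5       # bits/byte; constructed "looks encrypted" threshold

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for an empty sample)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_mail_file(path: str) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one candidate file."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(OST_SIGNATURE):
        return "intact"
    if len(head) >= 256 and shannon_entropy(head) >= HIGH_ENTROPY:
        return "encrypted"
    return "unknown"

def triage_directory(root: str) -> dict:
    """Walk root for names containing .ost/.pst and bucket them by verdict."""
    buckets = {"intact": [], "encrypted": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if ".ost" in name.lower() or ".pst" in name.lower():
                full = os.path.join(dirpath, name)
                buckets[classify_mail_file(full)].append(full)
    return buckets

def build_sample_dir() -> str:
    """Write three constructed sample files to a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="ost-triage-")
    samples = {
        "alice.ost": OST_SIGNATURE + b"\x00" * 4 + b"SM" + b"\x00" * 500,
        "bob.ost.locked": bytes(range(256)) * 16,  # no signature, 8 bits/byte
        "notes.pst": b"A" * 300,                   # no signature, low entropy
    }
    for name, payload in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(payload)
    return root
```

Run `triage_directory()` against a copy of a workstation's Outlook profile folder; `build_sample_dir()` exercises it on the constructed files.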


"For the most part, the manufacturing operation showed little impact and we produced all customer deliverables."

Throughout the following couple of weeks, critical milestones in the recovery project were accomplished in tight collaboration between Progent team members and the client:

  • Internal web sites were returned to operation with no loss of data.
  • The MailStore Server with over 4 million historical emails was brought on-line and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were 100% operational.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Most of the desktops and laptops were back into operation.

"A huge amount of what transpired in the initial days is mostly a blur for me, but I will not soon forget the countless hours each and every one of your team accomplished to give us our company back. I've trusted Progent for the past 10 years, possibly more, and each time Progent has shined and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A likely company-ending catastrophe was avoided with top-tier experts, a broad array of subject matter expertise, and tight collaboration. Although forensics showed that the crypto-ransomware attack described here could have been stopped with advanced cyber security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, and well-designed incident response procedures for data backup and proper patching controls, the reality remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware attack, remember that Progent's team of professionals has extensive experience in ransomware blocking, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for letting me get rested after we got over the most critical parts. Everyone made a fabulous effort, and if any of your guys are in the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Pasadena a range of remote monitoring and security evaluation services designed to help you to reduce your vulnerability to crypto-ransomware. These services incorporate modern AI capability to detect zero-day strains of crypto-ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes cutting edge behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily get by legacy signature-matching anti-virus products. ProSight ASM protects local and cloud-based resources and provides a unified platform to address the entire malware attack lifecycle including blocking, infiltration detection, containment, remediation, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer economical multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge technologies packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can assist you to design and implement a ProSight ESP environment that addresses your company's specific needs and that allows you to demonstrate compliance with legal and industry information security standards. Progent will assist you to define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for immediate action. Progent can also assist you to install and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable end-to-end service for reliable backup/disaster recovery. Available at a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and enables fast restoration of critical data, applications and virtual machines that have become unavailable or damaged due to component failures, software glitches, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images. Critical data can be protected on the cloud, to a local device, or to both. Progent's cloud backup consultants can provide advanced expertise to configure ProSight DPS to be compliant with regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can assist you to restore your critical information. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security companies to provide centralized management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne malware. The cloud filter acts as a first line of defense and blocks most unwanted email from making it to your network firewall. This reduces your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's onsite gateway device provides a deeper level of inspection for inbound email. For outgoing email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Exchange Server to monitor and protect internal email traffic that originates and ends within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map out, track, optimize and debug their connectivity appliances such as routers and switches, firewalls, and access points plus servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept current, copies and displays the configuration of almost all devices on your network, monitors performance, and generates notices when issues are discovered. By automating tedious network management processes, ProSight WAN Watch can knock hours off common tasks such as network mapping, expanding your network, finding devices that need critical updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running efficiently by tracking the health of vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your specified IT personnel and your assigned Progent engineering consultant so that all potential problems can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be ported easily to a different hosting environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard data about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate up to 50% of time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents required for managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're making improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.
For Pasadena 24-7 Crypto-Ransomware Repair Services, reach out to Progent at 800-993-9400 or go to Contact Progent.