Ransomware : Your Crippling IT Nightmare
Ransomware  Remediation ExpertsRansomware has become an escalating cyber pandemic that presents an existential danger for organizations poorly prepared for an attack. Different iterations of ransomware such as CrySIS, WannaCry, Locky, SamSam and MongoLock cryptoworms have been running rampant for years and still inflict destruction. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, as well as more unnamed newcomers, not only do encryption of online information but also infect most configured system protection mechanisms. Files synchronized to the cloud can also be ransomed. In a poorly designed environment, this can make automatic recovery impossible and basically knocks the entire system back to square one.

Retrieving applications and information after a ransomware event becomes a race against the clock as the victim fights to stop lateral movement and cleanup the virus and to resume mission-critical operations. Since ransomware takes time to spread, penetrations are usually launched on weekends, when penetrations typically take more time to recognize. This multiplies the difficulty of rapidly mobilizing and orchestrating a capable response team.

Progent provides an assortment of solutions for protecting businesses from ransomware events. These include staff education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of the latest generation security appliances with machine learning capabilities to quickly discover and disable new threats. Progent in addition can provide the assistance of seasoned ransomware recovery consultants with the talent and perseverance to reconstruct a compromised network as soon as possible.

Progent's Crypto-Ransomware Recovery Help
Soon after a ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not guarantee that cyber hackers will return the keys to decipher all your information. Kaspersky ascertained that 17% of ransomware victims never restored their information after having paid the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well above the average ransomware demands, which ZDNET averages to be approximately $13,000. The other path is to piece back together the mission-critical components of your Information Technology environment. Without the availability of essential system backups, this calls for a wide complement of skills, top notch project management, and the willingness to work 24x7 until the recovery project is over.

For decades, Progent has made available professional Information Technology services for businesses in Pasadena and across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained advanced certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of experience gives Progent the capability to knowledgably identify important systems and integrate the surviving parts of your Information Technology environment following a ransomware event and rebuild them into a functioning network.

Progent's security team has top notch project management applications to coordinate the complex recovery process. Progent knows the urgency of acting quickly and in unison with a customerís management and Information Technology team members to prioritize tasks and to get key applications back on-line as soon as possible.

Client Case Study: A Successful Ransomware Intrusion Restoration
A customer contacted Progent after their network was attacked by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean state sponsored hackers, possibly using technology leaked from Americaís NSA organization. Ryuk goes after specific organizations with little or no tolerance for operational disruption and is one of the most profitable examples of ransomware. High publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer located in Chicago with around 500 staff members. The Ryuk event had paralyzed all essential operations and manufacturing processes. The majority of the client's system backups had been online at the beginning of the attack and were eventually encrypted. The client was pursuing financing for paying the ransom (in excess of $200K) and praying for good luck, but in the end called Progent.


"I canít tell you enough in regards to the expertise Progent provided us throughout the most stressful time of (our) businesses life. We had little choice but to pay the cyber criminals if it wasnít for the confidence the Progent experts gave us. The fact that you were able to get our e-mail and important applications back sooner than one week was amazing. Every single person I worked with or messaged at Progent was totally committed on getting us working again and was working 24/7 on our behalf."

Progent worked with the client to quickly get our arms around and prioritize the critical areas that needed to be addressed to make it possible to restart company operations:

  • Active Directory (AD)
  • E-Mail
  • MRP System
To get going, Progent adhered to ransomware penetration mitigation industry best practices by isolating and clearing infected systems. Progent then began the steps of bringing back online Windows Active Directory, the foundation of enterprise systems built upon Microsoft Windows technology. Exchange email will not work without Windows AD, and the businessesí MRP system used SQL Server, which needs Active Directory services for security authorization to the database.

In less than two days, Progent was able to re-build Active Directory services to its pre-attack state. Progent then assisted with rebuilding and hard drive recovery of essential servers. All Microsoft Exchange Server data and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to locate intact OST files (Outlook Off-Line Folder Files) on various PCs in order to recover email messages. A recent offline backup of the businesses financials/ERP systems made it possible to return these vital programs back available to users. Although significant work needed to be completed to recover totally from the Ryuk attack, the most important services were restored rapidly:


"For the most part, the production operation survived unscathed and we delivered all customer orders."

Over the following few weeks key milestones in the restoration project were completed through tight cooperation between Progent consultants and the customer:

  • In-house web sites were returned to operation with no loss of data.
  • The MailStore Microsoft Exchange Server with over 4 million historical messages was spun up and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control modules were 100% restored.
  • A new Palo Alto Networks 850 firewall was deployed.
  • 90% of the user desktops and notebooks were fully operational.

"Much of what transpired in the early hours is nearly entirely a fog for me, but I will not forget the countless hours each of your team accomplished to help get our company back. I have trusted Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This situation was a stunning achievement."

Conclusion
A probable business extinction catastrophe was dodged with hard-working professionals, a wide array of IT skills, and tight teamwork. Although upon completion of forensics the ransomware penetration detailed here would have been prevented with up-to-date cyber security technology solutions and ISO/IEC 27001 best practices, user and IT administrator education, and properly executed incident response procedures for information protection and applying software patches, the reality is that government-sponsored hackers from China, North Korea and elsewhere are tireless and will continue. If you do get hit by a crypto-ransomware incursion, feel confident that Progent's team of experts has substantial experience in ransomware virus defense, removal, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for letting me get some sleep after we got past the most critical parts. Everyone did an amazing effort, and if anyone that helped is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Pasadena a variety of remote monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services utilize modern machine learning technology to detect zero-day strains of ransomware that are able to escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based machine learning technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily evade legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to address the entire threat progression including blocking, detection, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer ultra-affordable in-depth security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and responding to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through cutting-edge tools packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can help you to plan and implement a ProSight ESP deployment that addresses your organization's unique requirements and that allows you prove compliance with legal and industry information protection standards. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require urgent attention. Progent's consultants can also help you to set up and verify a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized businesses a low cost and fully managed service for secure backup/disaster recovery. Available at a low monthly price, ProSight DPS automates your backup activities and allows fast restoration of critical data, apps and virtual machines that have become lost or corrupted due to component breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be protected on the cloud, to a local storage device, or mirrored to both. Progent's backup and recovery consultants can provide advanced support to set up ProSight DPS to to comply with government and industry regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, when needed, can help you to restore your critical information. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security companies to deliver centralized control and comprehensive protection for your email traffic. The powerful architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your vulnerability to inbound attacks and saves network bandwidth and storage. Email Guard's onsite gateway device adds a deeper level of analysis for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to diagram, monitor, optimize and troubleshoot their connectivity hardware like routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when potential issues are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary tasks like network mapping, expanding your network, finding devices that require important updates, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by checking the state of critical assets that power your business network. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT management personnel and your assigned Progent consultant so that all looming problems can be addressed before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard information related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned about impending expirations of SSLs or warranties. By cleaning up and managing your network documentation, you can save as much as half of time spent looking for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether youíre making improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24/7/365 Pasadena CryptoLocker Cleanup Experts, call Progent at 800-462-8800 or go to Contact Progent.