Ransomware : Your Crippling IT Nightmare
Ransomware Remediation Professionals
Ransomware has become a modern cyberplague that poses an enterprise-level danger to organizations poorly prepared for an assault. Different versions of ransomware such as Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been around for many years and still inflict havoc. Modern strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as other as-yet-unnamed strains, not only encrypt online critical data but also infect all configured system restores and backups. Information synched to the cloud can also be corrupted. In a poorly architected system, this can make automated restore operations useless and effectively set the network back to square one.

Recovering applications and data after a ransomware outage becomes a race against time as the targeted business struggles to stop the spread, eradicate the crypto-ransomware and restore enterprise-critical operations. Because crypto-ransomware needs time to replicate, attacks are usually launched at night, when an intrusion typically takes longer to recognize. This multiplies the difficulty of rapidly marshalling and coordinating a capable response team.

Progent offers a range of support services for protecting enterprises from crypto-ransomware events. These include training team members to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security gateways with artificial intelligence capabilities from SentinelOne to discover and suppress zero-day cyber attacks automatically. Progent can also provide the assistance of seasoned ransomware recovery professionals with the skills and commitment to rebuild a compromised system as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the attackers will respond with the keys to decrypt all your data. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their files after sending the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to piece back together the key elements of your Information Technology environment. Without essential data backups available, this requires a broad complement of IT skills, top-notch project management, and the willingness to work 24x7 until the recovery project is done.

For twenty years, Progent has offered expert Information Technology services for companies in Riverside and throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally renowned industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience in accounting and ERP applications. This breadth of experience gives Progent the capability to efficiently identify the necessary systems, consolidate the surviving parts of your Information Technology system following a ransomware event, and configure them into a functioning network.

Progent's ransomware team of experts has state-of-the-art project management applications to orchestrate the complicated restoration process. Progent knows the importance of working swiftly and in unison with a customer's management and IT team members to assign priority to tasks and to get the most important services back on line as soon as possible.

Customer Story: A Successful Ransomware Penetration Recovery
A client contacted Progent after their network system was attacked by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state cybercriminals, suspected of using techniques leaked from America's NSA. Ryuk goes after specific companies with little or no room for operational disruption and is among the most lucrative incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area with around 500 employees. The Ryuk attack had frozen all essential operations and manufacturing capabilities. The majority of the client's system backups had been online at the start of the intrusion and were eventually encrypted. The client was pursuing financing to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.


"I can't thank you enough in regards to the care Progent gave us during the most critical time of (our) company's survival. We had little choice but to pay the Hackers except for the confidence the Progent team provided us. The fact that you were able to get our e-mail and key servers back faster than five days was beyond my wildest dreams. Each staff member I interacted with or e-mailed at Progent was absolutely committed on getting us operational and was working non-stop to bail us out."

Progent worked hand in hand with the client to quickly assess and prioritize the critical areas that needed to be restored to make it possible to restart business functions:

  • Active Directory (AD)
  • E-Mail
  • Financials/MRP
To begin, Progent adhered to ransomware event mitigation best practices by halting lateral movement and disinfecting systems. Progent then initiated the work of restoring Windows Active Directory, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the business's MRP applications used SQL Server, which requires Windows AD to authenticate and authorize access to the database.

Within two days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then performed setup and hard drive recovery on critical applications. All Exchange data and attributes were intact, which facilitated the restore of Exchange. Progent was able to assemble non-encrypted OST files (Outlook Offline Folder Files) from staff PCs to recover email data. A recent offline backup of the customer's manufacturing software enabled these vital services to be brought back online. Although a lot of work remained to recover fully from the Ryuk attack, the most important services were recovered quickly:


"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer shipments."

During the following few weeks critical milestones in the restoration project were accomplished through close cooperation between Progent team members and the customer:

  • Self-hosted web sites were brought back up without losing any information.
  • The MailStore Server, holding more than four million archived messages, was restored to operation and made accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory modules were completely operational.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Most of the desktops and laptops were back in operation.

"A lot of what was accomplished during the initial response is mostly a fog for me, but our team will not soon forget the care all of your team put in to give us our business back. I have utilized Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This situation was the most impressive ever."

Conclusion
A potentially enterprise-killing catastrophe was avoided through hard-working experts, a broad range of IT skills, and tight collaboration. In hindsight, the ransomware incident detailed here should have been stopped by advanced cyber security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well-thought-out security procedures for backup and patching controls. The fact remains that government-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware incident, you can be confident that Progent's team of professionals has a proven track record in ransomware blocking, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), I'm grateful for allowing me to get some sleep after we got past the most critical parts. All of you did an incredible job, and if any of your team is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Riverside a range of online monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services incorporate next-generation machine learning technology to uncover new strains of ransomware that can escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting-edge behavior-based machine learning technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily evade legacy signature-based AV products. ProSight ASM safeguards local and cloud-based resources and offers a unified platform to address the complete malware attack lifecycle including filtering, infiltration detection, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, penetration alerts, endpoint management, and web filtering through cutting-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization experts can help your business design and configure a ProSight ESP deployment that meets your organization's unique requirements and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will assist you to specify and configure the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for immediate attention. Progent can also assist you to set up and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software providers to create ProSight Data Protection Services, a selection of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup processes and allow non-disruptive backup and fast recovery of important files, applications, images, and VMs. ProSight DPS helps you avoid data loss caused by equipment failures, natural disasters, fire, malware like ransomware, user error, ill-intentioned employees, or software bugs. Managed backup services available in the ProSight DPS product family include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver centralized management and world-class protection for all your inbound and outbound email. The powerful architecture of Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to external threats and conserves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a further layer of analysis for incoming email. For outgoing email, the local gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also help Exchange Server to monitor and protect internal email that stays within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to map, monitor, optimize and troubleshoot their connectivity appliances like switches, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that network maps are kept current, captures and displays the configuration information of virtually all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, locating appliances that need important updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your network running efficiently by tracking the state of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT management personnel and your Progent consultant so that looming issues can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected, fault-tolerant data center on a fast virtual machine host set up and maintained by Progent's network support experts. With the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Because the system is virtualized, it can be ported immediately to a different hardware solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard information about your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save up to 50% of the time spent trying to find critical information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents required for managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require the instant you need it. Find out more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes next-generation behavior-based machine learning technology to defend endpoints and physical and virtual servers against modern malware attacks such as ransomware and email phishing, which routinely evade traditional signature-matching anti-virus products. Progent ASM services safeguard local and cloud resources and offer a unified platform to automate the entire malware attack progression including protection, detection, containment, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Center: Support Desk Managed Services
    Progent's Help Desk services permit your information technology staff to outsource Help Desk services to Progent or split activity for Help Desk services seamlessly between your in-house network support group and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a transparent supplement to your core support staff. End user interaction with the Help Desk, delivery of support, problem escalation, ticket creation and tracking, performance measurement, and management of the support database are cohesive regardless of whether issues are taken care of by your in-house support group, by Progent's team, or both. Learn more about Progent's outsourced/shared Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management provide businesses of any size a versatile and cost-effective solution for assessing, validating, scheduling, applying, and documenting updates to your ever-evolving information system. Besides optimizing the protection and reliability of your IT environment, Progent's software/firmware update management services free up time for your IT team to concentrate on more strategic initiatives and activities that deliver maximum business value from your information network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to defend against password theft through the use of two-factor authentication. Duo enables one-tap identity confirmation on iOS, Android, and other out-of-band devices. Using 2FA, when you sign into a secured application and enter your password you are requested to verify your identity on a device that only you possess and that is accessed using a different network channel. A broad selection of out-of-band devices can be used for this added means of ID validation such as an iPhone or Android or wearable, a hardware/software token, a landline telephone, etc. You may register multiple verification devices. To learn more about ProSight Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication services for access security.
For 24-7 Riverside CryptoLocker Removal Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.