Ransomware : Your Crippling IT Nightmare
Ransomware  Recovery ExpertsRansomware has become an escalating cyber pandemic that poses an existential threat for organizations unprepared for an attack. Multiple generations of crypto-ransomware like the CryptoLocker, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for years and continue to inflict damage. More recent versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, as well as more as yet unnamed newcomers, not only do encryption of online files but also infect most accessible system backup. Data synchronized to cloud environments can also be ransomed. In a poorly architected system, this can render automatic restoration hopeless and basically knocks the network back to square one.

Restoring applications and data after a ransomware attack becomes a race against the clock as the targeted organization tries its best to contain the damage and cleanup the virus and to restore mission-critical activity. Because ransomware requires time to replicate, attacks are frequently sprung on weekends and holidays, when attacks in many cases take longer to notice. This multiplies the difficulty of quickly mobilizing and coordinating an experienced mitigation team.

Progent provides an assortment of help services for securing enterprises from crypto-ransomware penetrations. Among these are staff education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of modern security appliances with artificial intelligence capabilities to intelligently discover and suppress day-zero cyber attacks. Progent in addition offers the services of experienced ransomware recovery professionals with the skills and commitment to rebuild a breached environment as soon as possible.

Progent's Ransomware Recovery Help
Following a ransomware event, paying the ransom demands in cryptocurrency does not ensure that distant criminals will respond with the codes to decrypt all your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files after having sent off the ransom, resulting in more losses. The risk is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well higher than the average ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to re-install the key elements of your Information Technology environment. Absent the availability of full data backups, this calls for a wide complement of skills, top notch team management, and the capability to work 24x7 until the job is completed.

For decades, Progent has made available expert IT services for businesses in Riverside and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have garnered internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with financial management and ERP software solutions. This breadth of experience affords Progent the ability to knowledgably ascertain critical systems and organize the surviving parts of your computer network environment following a ransomware event and assemble them into an operational system.

Progent's ransomware group uses best of breed project management tools to orchestrate the complicated restoration process. Progent knows the importance of acting rapidly and in unison with a client's management and Information Technology resources to assign priority to tasks and to put critical systems back on-line as fast as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A client hired Progent after their network system was taken over by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state sponsored criminal gangs, suspected of adopting algorithms exposed from the United States National Security Agency. Ryuk goes after specific organizations with limited ability to sustain disruption and is among the most profitable versions of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with about 500 employees. The Ryuk intrusion had frozen all essential operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the beginning of the intrusion and were eventually encrypted. The client considered paying the ransom demand (more than $200K) and wishfully thinking for the best, but in the end called Progent.


"I canít say enough about the care Progent provided us during the most critical period of (our) companyís survival. We had little choice but to pay the cyber criminals if it wasnít for the confidence the Progent experts gave us. That you were able to get our messaging and critical applications back into operation quicker than a week was beyond my wildest dreams. Each person I talked with or texted at Progent was amazingly focused on getting us restored and was working non-stop on our behalf."

Progent worked together with the client to rapidly identify and assign priority to the critical areas that needed to be restored in order to resume departmental functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Accounting and Manufacturing Software
To get going, Progent followed Anti-virus incident mitigation industry best practices by halting the spread and disinfecting systems. Progent then initiated the process of bringing back online Microsoft AD, the heart of enterprise environments built upon Microsoft Windows technology. Exchange email will not work without Windows AD, and the businessesí financials and MRP software utilized Microsoft SQL, which needs Windows AD for access to the data.

In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then accomplished reinstallations and storage recovery of needed applications. All Microsoft Exchange Server data and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Email Off-Line Data Files) on staff PCs to recover email data. A recent off-line backup of the businesses financials/MRP software made it possible to restore these vital services back available to users. Although major work needed to be completed to recover fully from the Ryuk attack, core systems were restored rapidly:


"For the most part, the production line operation survived unscathed and we did not miss any customer sales."

Throughout the following few weeks key milestones in the recovery process were achieved through tight collaboration between Progent engineers and the client:

  • Internal web applications were returned to operation with no loss of data.
  • The MailStore Microsoft Exchange Server with over four million archived emails was restored to operations and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory modules were fully restored.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Ninety percent of the user desktops were fully operational.

"A huge amount of what happened during the initial response is mostly a haze for me, but my team will not forget the countless hours all of you accomplished to give us our company back. I have entrusted Progent for the past ten years, possibly more, and each time I needed help Progent has shined and delivered. This situation was a life saver."

Conclusion
A likely business-ending catastrophe was evaded through the efforts of top-tier professionals, a wide range of IT skills, and tight collaboration. Although in retrospect the crypto-ransomware virus penetration described here would have been shut down with current cyber security systems and security best practices, user education, and well thought out incident response procedures for backup and keeping systems up to date with security patches, the reality is that government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware virus, feel confident that Progent's team of experts has substantial experience in ransomware virus blocking, mitigation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), Iím grateful for making it so I could get rested after we made it past the first week. Everyone did an incredible effort, and if any of your team is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Riverside a portfolio of online monitoring and security evaluation services designed to assist you to reduce your vulnerability to crypto-ransomware. These services incorporate modern machine learning capability to detect new variants of ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting edge behavior analysis tools to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a unified platform to automate the entire malware attack progression including protection, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to security threats from all vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device control, and web filtering through leading-edge tools packaged within one agent accessible from a single console. Progent's security and virtualization experts can assist your business to plan and configure a ProSight ESP environment that meets your organization's unique needs and that allows you prove compliance with government and industry data security standards. Progent will assist you define and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require immediate action. Progent can also assist your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable end-to-end service for secure backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight DPS automates your backup processes and enables fast restoration of vital files, applications and VMs that have become unavailable or corrupted as a result of hardware breakdowns, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be backed up on the cloud, to a local device, or to both. Progent's backup and recovery consultants can deliver advanced support to configure ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can help you to recover your critical information. Learn more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security companies to provide web-based management and comprehensive security for your inbound and outbound email. The powerful architecture of Email Guard combines a Cloud Protection Layer with an on-premises gateway device to provide complete protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This decreases your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a further level of inspection for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Exchange Server to monitor and protect internal email that stays within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller businesses to diagram, monitor, reconfigure and troubleshoot their networking appliances such as switches, firewalls, and load balancers plus servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are discovered. By automating complex network management processes, ProSight WAN Watch can cut hours off common tasks like making network diagrams, expanding your network, locating appliances that need critical software patches, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by tracking the state of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT management staff and your Progent engineering consultant so all looming issues can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the apps. Because the system is virtualized, it can be moved immediately to a different hardware solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect data about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSLs ,domains or warranties. By cleaning up and organizing your IT documentation, you can eliminate up to half of time thrown away looking for critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether youíre planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you require when you need it. Find out more about Progent's ProSight IT Asset Management service.
For Riverside 24-Hour Crypto-Ransomware Cleanup Support Services, call Progent at 800-993-9400 or go to Contact Progent.