Ransomware : Your Worst Information Technology Nightmare
Ransomware has become an escalating cyber pandemic that represents an existential threat for organizations vulnerable to an assault. Different iterations of crypto-ransomware like the Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and still inflict havoc. The latest variants of crypto-ransomware such as Ryuk and Hermes, as well as additional as yet unnamed newcomers, not only encrypt critical online data but also encrypt any backups and system protection they can reach. Information synced to the cloud can also be ransomed. In a vulnerable system, this can render automated restoration impossible and effectively knocks the network back to square one.
Retrieving services and data following a ransomware attack becomes a race against the clock as the victim tries its best to contain and clean up the ransomware and to resume enterprise-critical operations. Because ransomware takes time to move laterally, the encryption phase is usually triggered on weekends, when a successful penetration typically takes longer to uncover. This multiplies the difficulty of promptly mobilizing and orchestrating a knowledgeable response team.
Progent makes available an assortment of solutions for securing enterprises from crypto-ransomware events. Among these are user training to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of modern security solutions with artificial intelligence capabilities to intelligently identify and quarantine new cyber attacks. Progent also offers the services of veteran crypto-ransomware recovery consultants with the track record and perseverance to rebuild a compromised network as urgently as possible.
Progent's Crypto-Ransomware Restoration Support Services
Soon after a ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not provide any assurance that the cyber criminals will provide the keys to decrypt any of your data. Kaspersky determined that 17% of crypto-ransomware victims never recovered their information even after having paid the ransom, resulting in additional losses. The ransom itself is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to re-install the essential elements of your IT environment. Without the availability of complete system backups, this requires a broad range of skills, professional project management, and the capability to work continuously until the job is done.
For two decades, Progent has provided expert IT services for companies in Sherman Oaks and across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have garnered internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the ability to knowledgeably identify critical systems following a crypto-ransomware penetration, integrate the surviving components of your network environment, and configure them into a functioning system.
Progent's ransomware team of experts deploys powerful project management tools to coordinate the sophisticated recovery process. Progent knows the urgency of acting quickly and in concert with a client's management and IT resources to prioritize tasks and to put the most important systems back on-line as soon as possible.
Case Study: A Successful Ransomware Incident Restoration
A small business hired Progent after their company was penetrated by Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state cybercriminals, suspected of using algorithms leaked from America's NSA organization. Ryuk attacks specific businesses with little or no room for disruption and is among the most lucrative instances of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business based in the Chicago metro area with about 500 employees. The Ryuk intrusion had disabled all company operations and manufacturing processes. Most of the client's backups had been directly accessible over the network at the start of the attack and were encrypted along with the production data. The client was evaluating paying the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but in the end made the decision to use Progent.
"I can't thank you enough in regards to the support Progent gave us during the most fearful time of (our) company's life. We most likely would have paid the hackers behind this attack except for the confidence the Progent group afforded us. The fact that you were able to get our messaging and production servers back online in less than a week was amazing. Each staff member I worked with or communicated with at Progent was absolutely committed on getting us working again and was working 24/7 to bail us out."
Progent worked with the customer to quickly assess and prioritize the critical services that needed to be addressed to make it possible to continue business operations:
- Active Directory
- Accounting and Manufacturing Software
To begin, Progent adhered to industry best practices for malware incident containment by stopping the spread and removing active infections. Progent then began the task of recovering Microsoft Active Directory, the foundation of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not function without AD, and the business's accounting and MRP software used Microsoft SQL Server, which requires Active Directory for authentication and authorization to the databases.
In less than 48 hours, Progent was able to restore Active Directory to its pre-intrusion state. Progent then initiated reinstallations and hard drive recovery on key applications. All Microsoft Exchange Server schema and attributes were usable, which greatly helped the restoration of Exchange. Progent was also able to assemble non-encrypted OST files (Microsoft Outlook Offline Data Files) from various desktop computers in order to recover mail data. A recent offline backup of the customer's financials/MRP systems made it possible to bring these essential applications back online. Although a large amount of work remained to recover fully from the Ryuk attack, critical services were recovered quickly:
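The recovery sequence described above (Active Directory first, because Exchange and the SQL-backed accounting/MRP system cannot authenticate without it) is a dependency-ordering problem. The following is an added illustration, not Progent's own tooling or anything from the case study: it models the service dependencies mentioned on this page as a constructed graph and computes both a safe restore sequence and the "waves" of services that can be rebuilt in parallel once their prerequisites are back. The service names and the dependency map are assumptions for the example.

```python
"""Dependency-ordered restore planning for a ransomware recovery (added example)."""
from collections import defaultdict, deque

# Constructed dependency map: service -> services that must be restored first.
# It mirrors the relationships the case study mentions (Exchange and SQL Server
# need AD; the accounting/MRP application needs SQL Server); the other entries
# are assumptions added for illustration.
SERVICE_DEPENDENCIES = {
    "Active Directory": [],
    "Exchange Server": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "Accounting/MRP": ["SQL Server"],
    "Internal web sites": ["Active Directory"],
    "MailStore archive": ["Exchange Server"],
}


def restore_order(deps):
    """Return a restore sequence (Kahn's topological sort) in which every service
    appears only after all services it depends on.

    Raises ValueError if a dependency refers to an unknown service or if the map
    contains a cycle; either indicates an error in the recovery model that should
    be fixed before anyone starts rebuilding servers.
    """
    indegree = {svc: 0 for svc in deps}
    dependents = defaultdict(list)
    for svc, reqs in deps.items():
        for req in reqs:
            if req not in deps:
                raise ValueError(f"{svc!r} depends on unknown service {req!r}")
            indegree[svc] += 1
            dependents[req].append(svc)

    # Sorted for a deterministic order among services that are equally ready.
    ready = deque(sorted(svc for svc, count in indegree.items() if count == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for dep in sorted(dependents[svc]):
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)

    if len(order) != len(deps):
        raise ValueError("dependency cycle detected; no valid restore order exists")
    return order


def restore_waves(deps):
    """Group services into waves: wave 0 has no prerequisites, wave n+1 depends
    only on services in waves 0..n. Services in one wave can be worked in parallel."""
    depth = {}
    for svc in restore_order(deps):  # prerequisites are always visited first
        reqs = deps[svc]
        depth[svc] = 0 if not reqs else 1 + max(depth[r] for r in reqs)
    waves = defaultdict(list)
    for svc, d in depth.items():
        waves[d].append(svc)
    return [sorted(waves[d]) for d in sorted(waves)]


if __name__ == "__main__":
    print("Restore order:", " -> ".join(restore_order(SERVICE_DEPENDENCIES)))
    for n, wave in enumerate(restore_waves(SERVICE_DEPENDENCIES)):
        print(f"Wave {n}: {', '.join(wave)}")
```

The wave view is the more useful output during an incident: it tells the response team which systems are blocked on something else and which can be handed to separate engineers at the same time, which is how a multi-person recovery effort like the one in this case study is kept moving.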
"For the most part, the production operation did not miss a beat and we delivered all customer shipments."
Throughout the next few weeks important milestones in the recovery process were completed through close collaboration between Progent team members and the customer:
- Internal web sites were restored without losing any data.
- The MailStore Exchange Server containing more than four million archived emails was restored to operations and available for users.
- CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory functions were completely recovered.
- A new Palo Alto 850 security appliance was brought on-line.
- Ninety percent of the user desktops were functioning as before the incident.
"Much of what transpired during the initial response is mostly a fog for me, but we will not forget the countless hours each of the team accomplished to give us our business back. I have entrusted Progent for the past 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This situation was a stunning achievement."
A possible company-ending disaster was averted due to hard-working experts, a broad array of subject matter expertise, and close collaboration. In hindsight, the ransomware attack detailed here would have been identified and disabled by modern security technology, recognized best practices, staff education, and appropriate procedures for data protection and for keeping systems current with security patches. The reality remains, however, that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware penetration, be confident that Progent's roster of experts has substantial experience in ransomware defense, removal, and data recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for letting me get some sleep after we made it past the initial fire. Everyone did an amazing effort, and if anyone is in the Chicago area, dinner is on me!"
To review or download a PDF version of this customer case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Sherman Oaks a variety of remote monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services utilize next-generation AI technology to detect new strains of ransomware that are able to evade traditional signature-based security products.
For Sherman Oaks 24-7 CryptoLocker Recovery Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes next generation behavior-based machine learning tools to defend physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to automate the entire malware attack progression including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, device management, and web filtering through cutting-edge tools packaged within a single agent accessible from a unified console. Progent's security and virtualization consultants can help your business to design and implement a ProSight ESP environment that addresses your company's specific requirements and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will assist you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate attention. Progent's consultants can also assist you to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent provide small and mid-sized businesses an affordable and fully managed solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight Data Protection Services automates your backup activities and allows rapid recovery of vital files, apps and VMs that have become unavailable or damaged due to hardware breakdowns, software glitches, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local device, or mirrored to both. Progent's cloud backup consultants can deliver advanced support to set up ProSight Data Protection Services to comply with government and industry regulatory standards such as HIPAA, FIRPA, and PCI and, when needed, can assist you to recover your critical information. Learn more about ProSight DPS Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security companies to provide web-based control and comprehensive protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from making it to your security perimeter. This decreases your vulnerability to external attacks and saves network bandwidth and storage. Email Guard's onsite gateway device provides a deeper layer of inspection for incoming email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map out, monitor, enhance and troubleshoot their connectivity hardware like routers, firewalls, and access points as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, captures and manages the configuration of virtually all devices on your network, monitors performance, and sends notices when potential issues are detected. By automating time-consuming management processes, ProSight WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, locating appliances that require critical software patches, or resolving performance problems. Learn more details about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to keep your network operating at peak levels by checking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT staff and your Progent consultant so that any potential problems can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be moved immediately to an alternate hardware solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard information about your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save as much as half the time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a common repository for storing and sharing all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Learn more about ProSight IT Asset Management service.