Ransomware : Your Crippling IT Nightmare
Ransomware Remediation Professionals

Ransomware has become an escalating cyber pandemic that presents an extinction-level threat for businesses vulnerable to an assault. Multiple generations of ransomware such as CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for years and still inflict destruction. Newer versions of ransomware such as Ryuk and Hermes, plus additional unnamed malware, not only encrypt on-line critical data but also infiltrate all available system restores and backups. Information synchronized to off-site disaster recovery sites can also be encrypted. In a vulnerable data protection solution, this can make automated recovery hopeless and basically knocks the entire system back to zero.

Getting applications and information back online following a ransomware outage becomes a sprint against the clock as the targeted business tries its best to stop the spread, eradicate the ransomware, and resume mission-critical activity. Because ransomware requires time to spread, attacks are usually launched during nights and weekends, when successful penetrations typically take more time to recognize. This multiplies the difficulty of quickly assembling and orchestrating an experienced response team.

Progent offers a range of support services for securing organizations from ransomware attacks. These include team member training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation security gateways with AI capabilities to intelligently discover and suppress new cyber threats. Progent also provides the assistance of experienced crypto-ransomware recovery engineers with the talent and perseverance to reconstruct a compromised system as quickly as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware event, paying the ransom demanded in cryptocurrency does not ensure that the attackers will provide the keys needed to decrypt any or all of your data. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their data even after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far above the typical ransomware demand, which ZDNET averages to be approximately $13,000. The other path is to re-install the essential components of your Information Technology environment. Absent the availability of full information backups, this requires a broad range of IT skills, well-coordinated team management, and the willingness to work continuously until the job is done.

For two decades, Progent has made available expert IT services for businesses in Sherman Oaks and across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience with financial management and ERP software solutions. This breadth of expertise affords Progent the ability to efficiently identify necessary systems and organize the remaining pieces of your computer network system following a crypto-ransomware attack and rebuild them into an operational system.

Progent's security group uses top-notch project management systems to coordinate the complicated restoration process. Progent understands the importance of acting swiftly and in concert with a customer's management and IT team members to prioritize tasks and to put critical services back online as fast as possible.

Customer Case Study: A Successful Ransomware Intrusion Recovery
A customer escalated to Progent after their network system was penetrated by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state cybercriminals, suspected of using strategies leaked from America's National Security Agency. Ryuk attacks specific organizations with little or no ability to sustain disruption and is among the most lucrative examples of ransomware malware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer located in the Chicago metro area with about 500 workers. The Ryuk penetration had paralyzed all essential operations and manufacturing processes. Most of the client's data backups had been online at the beginning of the attack and were destroyed. The client was pursuing financing for paying the ransom (exceeding $200,000) and praying for good luck, but ultimately brought in Progent.


"I cannot say enough about the support Progent gave us during the most fearful period of (our) business's life. We would have paid the criminal gangs if not for the confidence the Progent group afforded us. The fact that you could get our e-mail system and essential applications back into operation in less than seven days was beyond my wildest dreams. Each person I spoke to or messaged at Progent was amazingly focused on getting us back on-line and was working at all hours on our behalf."

Progent worked hand in hand with the customer to quickly assess and prioritize the critical elements that had to be addressed to make it possible to continue departmental operations:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Accounting and Manufacturing Software

To start, Progent adhered to ransomware incident response best practices by halting lateral movement and cleaning up infected systems. Progent then initiated the task of restoring Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Microsoft Exchange messaging will not operate without Active Directory, and the client's accounting and MRP system used Microsoft SQL, which relies on Active Directory to authenticate access to the data.

Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then initiated reinstallations and hard drive recovery on critical applications. All Microsoft Exchange Server connections and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to find local OST data files (Outlook Offline Data Files) on various desktop computers to recover email data. A reasonably recent off-line backup of the customer's manufacturing systems made it possible to bring these required applications back online. Although major work still had to be done to recover fully from the Ryuk attack, essential systems were recovered quickly:


"For the most part, the production line operation never missed a beat and we produced all customer shipments."

Over the next few weeks important milestones in the restoration project were achieved through close collaboration between Progent team members and the client:

  • Self-hosted web sites were returned to operation with no loss of data.
  • The MailStore Server containing more than four million historical messages was restored to operations and available for users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivable (AR)/Inventory Control modules were fully functional.
  • A new Palo Alto 850 firewall was installed and configured.
  • Ninety percent of the desktop computers were functioning as before the incident.

"A huge amount of what was accomplished during the initial response is mostly a haze for me, but our team will not forget the commitment each of your team put in to give us our business back. I have trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered. This time was a stunning achievement."

Conclusion
A potential business-killing catastrophe was dodged thanks to results-oriented professionals, a wide range of knowledge, and tight collaboration. Although the forensic review concluded that the crypto-ransomware attack described here should have been blocked by advanced security technology and recognized best practices, staff education, and well thought out incident response procedures for information backup and keeping systems up to date with security patches, the reality remains that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and will continue. If you do get hit by a ransomware penetration, remember that Progent's roster of experts has proven experience in crypto-ransomware virus defense, cleanup, and file disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for making it so I could get some sleep after we made it past the most critical parts. All of you did a fabulous job, and if any of your guys are visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Sherman Oaks a range of online monitoring and security assessment services designed to help you minimize your vulnerability to ransomware. These services incorporate modern machine learning technology to detect new variants of ransomware that are able to escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior-based analysis technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-matching anti-virus products. ProSight ASM safeguards local and cloud resources and provides a unified platform to address the complete malware attack lifecycle including protection, identification, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, device control, and web filtering via cutting-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that meets your company's unique requirements and that helps you prove compliance with legal and industry information security standards. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also help your company to install and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations a low cost and fully managed service for secure backup/disaster recovery. Available at a low monthly rate, ProSight DPS automates your backup processes and enables rapid restoration of vital data, apps and virtual machines that have become lost or corrupted due to hardware failures, software glitches, disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to an on-premises device, or mirrored to both. Progent's cloud backup specialists can provide advanced expertise to configure ProSight Data Protection Services to be compliant with government and industry regulatory standards like HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can help you to recover your business-critical data. Read more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver centralized management and world-class security for all your email traffic. The powerful architecture of Progent's Email Guard combines cloud-based filtering with a local gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter acts as a preliminary barricade and blocks the vast majority of threats from making it to your network firewall. This decreases your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises security gateway appliance adds a further level of analysis for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays inside your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map, track, enhance and troubleshoot their connectivity appliances such as routers, firewalls, and access points plus servers, printers, client computers and other devices. Using state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology maps are kept current, captures and manages the configuration information of almost all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating tedious network management activities, ProSight WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, finding devices that require important software patches, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management techniques to help keep your network operating at peak levels by tracking the health of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT personnel and your assigned Progent engineering consultant so that all potential problems can be resolved before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hosting solution without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and protect information about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT documentation, you can eliminate up to 50% of time thrown away trying to find vital information about your network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need when you need it. Learn more about ProSight IT Asset Management service.

For 24x7x365 Sherman Oaks Crypto Removal Experts, call Progent at 800-993-9400 or go to Contact Progent.