Ransomware: Your Worst IT Nightmare
Crypto-ransomware has become a modern cyberplague that poses an existential danger to organizations poorly prepared for an attack. Ransomware families such as CryptoLocker, CryptoWall, Locky, SamSam and MongoLock have been in the wild for many years and continue to cause harm. Recent strains such as Ryuk and Hermes, plus daily unnamed newcomers, not only encrypt on-line data files but also go after any backup and recovery systems they can reach. Information replicated to off-site disaster recovery sites can also be ransomed. In a vulnerable environment, this can make restoration impossible and effectively knock the network back to zero.
Getting applications and information back on-line after a crypto-ransomware intrusion becomes a race against the clock as the targeted business fights to contain the damage, remove the ransomware, and restore mission-critical activity. Because crypto-ransomware needs time to spread, attacks are usually sprung on weekends, when intrusions are likely to take longer to notice. This compounds the difficulty of promptly marshalling and coordinating a capable response team.
Progent offers an assortment of solutions for protecting enterprises against crypto-ransomware attacks. Among these are staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security gateways that use artificial intelligence technology to rapidly detect and suppress new threats. Progent also provides the assistance of seasoned crypto-ransomware recovery consultants with the skills and commitment to rebuild a compromised environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
After a crypto-ransomware intrusion, even paying the ransom demand in Bitcoin provides no assurance that the criminals will respond with the keys needed to decrypt all your information. Kaspersky Labs determined that 17% of ransomware victims never recovered their files even after sending off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNet estimates to be in the range of $13,000. The alternative is to rebuild the critical parts of your IT environment from scratch. Without usable backups of essential data, this requires a broad complement of skills, well-coordinated project management, and the capability to work 24x7 until the job is done.
For decades, Progent has provided certified expert IT services to businesses in Fremont and across the U.S., and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP applications. This breadth of experience lets Progent efficiently identify the systems that must come back first, organize the surviving pieces of your network after a ransomware event, and rebuild them into a functioning whole.
Progent's security group uses best-of-breed project management applications to coordinate the complex recovery process. Progent understands the importance of working quickly and in concert with a client's management and IT team to prioritize tasks and get the most important systems back on-line as soon as humanly possible.
Business Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer hired Progent after their organization was brought down by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored hackers, suspected of using tooling leaked from the U.S. NSA. Ryuk targets specific organizations with little tolerance for disruption and is one of the most profitable ransomware variants. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with about 500 employees. The Ryuk event had frozen all company operations and manufacturing processes. The majority of the client's backups had been on-line at the start of the intrusion and were encrypted. The client was pursuing financing to pay the ransom demand (exceeding $200,000) and hoping for good luck, but in the end called Progent.
"I can't thank you enough in regards to the care Progent provided us during the most critical time of (our) business's life. We would have paid the hackers behind this attack if not for the confidence the Progent experts provided us. That you were able to get our messaging and key applications back on-line quicker than a week was incredible. Each consultant I worked with or texted at Progent was totally committed to getting my company operational and was working day and night on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the essential elements that had to be restored in order to continue departmental operations:
To start, Progent followed industry best practices for malware incident response by containing the spread and performing malware removal steps. Progent then began bringing Windows Active Directory back on-line, since it is the foundation of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server email will not operate without Windows AD, and the client's accounting and MRP system ran on Microsoft SQL Server, which depends on Windows AD to authenticate access to the data.
- Microsoft Active Directory
In less than 48 hours, Progent restored Windows Active Directory to its pre-intrusion state. Progent then performed reinstallations and storage recovery on essential applications. All Exchange Server data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to find unencrypted OST files (Outlook offline folder files) on staff desktops and laptops to recover mail data. A reasonably recent off-line backup of the client's accounting systems made it possible to bring these essential services back on-line. Although major work remained to recover completely from the Ryuk virus, essential systems were returned to operation quickly:
"For the most part, the assembly line operation never missed a beat and we made all customer shipments."
Over the following few weeks key milestones in the recovery process were achieved in tight collaboration between Progent engineers and the client:
- Internal web sites were restored with no loss of data.
- The MailStore archive for Microsoft Exchange Server, containing more than four million historical emails, was brought on-line and made accessible to users.
- CRM/Customer Orders/Invoicing/AP/AR/Inventory modules were completely functional.
- A new Palo Alto 850 firewall was deployed.
- Ninety percent of the user PCs were fully operational.
"So much of what occurred those first few days is nearly entirely a haze for me, but my management will not soon forget the care each of your team accomplished to help get our business back. I have been working with Progent for the past ten years, possibly more, and every time I needed help Progent has shined and delivered as promised. This event was a life saver."
A potential business-ending catastrophe was averted through results-oriented experts, a broad array of IT skills, and close collaboration. In retrospect, the ransomware incident described here should have been prevented with advanced security technology, ISO/IEC 27001 best practices, user education, and well thought out incident response procedures for data backup and software patching; the reality, however, is that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware attack, remember that Progent's team of experts has proven experience in crypto-ransomware blocking, cleanup, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were contributing), I'm grateful for letting me get rested after we made it over the most critical parts. Everyone did an incredible job, and if any of your guys are around the Chicago area, a great meal is my treat!"
To review or download a PDF version of this customer case study, see Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Fremont a range of online monitoring and security evaluation services designed to help you minimize the threat from crypto-ransomware. These services incorporate next-generation artificial intelligence technology to detect new variants of ransomware that can evade legacy signature-based anti-virus solutions.
For Fremont 24x7x365 Crypto Repair Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next-generation behavior analysis technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely evade traditional signature-based anti-virus products. ProSight ASM protects local and cloud-based resources and provides a single platform to automate the complete threat lifecycle, including protection, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring of and response to security attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering via cutting-edge technologies packaged within one agent managed from a single console. Progent's security and virtualization experts can help you plan and implement a ProSight ESP environment that meets your company's specific needs and allows you to achieve and demonstrate compliance with government and industry information security regulations. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent's consultants can also help your company set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and mid-sized organizations an affordable and fully managed solution for reliable backup and disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows fast restoration of critical data, applications and VMs that have been lost or corrupted due to hardware failures, software bugs, disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's backup and recovery specialists can provide advanced support to configure ProSight DPS to comply with regulatory standards like HIPAA, FINRA, and PCI and, when needed, can help you recover your business-critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top data security companies to provide centralized control and world-class security for all your inbound and outbound email. Email Guard's layered architecture combines cloud-based filtering with a local security gateway device to provide advanced defense against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external threats and saves system bandwidth and storage. Email Guard's onsite gateway device provides a further layer of inspection for incoming email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server track and safeguard internal email that originates and terminates inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map out, track, reconfigure and debug their networking hardware such as switches, firewalls, and access points plus servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and displays the configuration of almost all devices on your network, tracks performance, and sends notices when issues are discovered. By automating complex network management activities, ProSight WAN Watch can cut hours off common chores such as network mapping, reconfiguring your network, locating appliances that require important software patches, or isolating performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system running at peak levels by tracking the state of the critical assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT management personnel and your assigned Progent engineering consultant so that potential issues can be addressed before they impact your network. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected, fault-tolerant data center on a fast virtual machine host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hosting solution without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect information related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as half the time spent searching for vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require when you need it. Find out more about ProSight IT Asset Management service.