Ransomware : Your Feared Information Technology Catastrophe
Ransomware Remediation Experts

Crypto-ransomware has become a modern cyber pandemic that poses an enterprise-level threat for businesses of all sizes that are unprepared for an assault. Multiple generations of ransomware such as the CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and continue to inflict destruction. Recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, as well as frequent unnamed malware, not only encrypt online files but also infiltrate all configured system backups. Files synched to off-site disaster recovery sites can also be corrupted. In a vulnerable environment, this can render automated restoration useless and effectively knock the network back to square one.

Getting back services and information following a crypto-ransomware event becomes a sprint against the clock as the targeted business struggles to contain and eradicate the ransomware and to resume business-critical operations. Since ransomware takes time to replicate, assaults are usually launched on weekends, when penetrations typically take longer to uncover. This multiplies the difficulty of quickly assembling and orchestrating an experienced mitigation team.

Progent offers a variety of support services for protecting businesses from ransomware penetrations. These include user education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of next-generation security appliances with artificial intelligence technology to rapidly discover and extinguish day-zero cyber attacks. Progent also provides the services of veteran ransomware recovery professionals with the track record and perseverance to re-deploy a breached network as urgently as possible.

Progent's Ransomware Recovery Support Services
Following a ransomware penetration, even paying the ransom in cryptocurrency does not guarantee that the criminal gangs will respond with the keys needed to decrypt all your files. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their data after having paid the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to re-install the key components of your IT environment. Absent full information backups, this requires a broad complement of skill sets, professional project management, and the capability to work non-stop until the task is completed.

For decades, Progent has made available expert Information Technology services for companies in Fremont and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP software solutions. This breadth of experience provides Progent the capability to rapidly determine necessary systems and re-organize the surviving parts of your IT system following a crypto-ransomware event and configure them into a functioning network.

Progent's ransomware team deploys powerful project management applications to coordinate the complicated recovery process. Progent knows the urgency of acting rapidly and in concert with a customer's management and IT staff to prioritize tasks and to get the most important applications back on-line as fast as possible.

Customer Case Study: A Successful Ransomware Incident Restoration
A client contacted Progent after their company was crashed by the Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state cybercriminals, possibly adopting techniques leaked from the United States National Security Agency. Ryuk targets specific companies with limited tolerance for disruption and is among the most profitable incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer located in the Chicago metro area with about 500 workers. The Ryuk event had shut down all business operations and manufacturing processes. The majority of the client's backups had been on-line at the start of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom (exceeding two hundred thousand dollars) and praying for the best, but ultimately utilized Progent.


"I cannot thank you enough about the care Progent provided us throughout the most stressful time of (our) company's existence. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent experts gave us. The fact that you could get our e-mail and production servers back sooner than five days was amazing. Each expert I interacted with or communicated with at Progent was hell bent on getting us back on-line and was working 24/7 to bail us out."

Progent worked hand in hand with the client to rapidly assess and prioritize the most important systems that needed to be addressed to make it possible to resume departmental functions:

  • Windows Active Directory
  • Email
  • Financials/MRP
To start, Progent followed anti-virus incident response best practices by stopping lateral movement and cleaning up compromised systems. Progent then initiated the steps of restoring Microsoft AD, the core of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange Server email will not operate without Active Directory, and the customer's financials and MRP software leveraged Microsoft SQL, which requires Active Directory for authentication to the data.

Within two days, Progent was able to restore Windows Active Directory to its pre-virus state. Progent then charged ahead with rebuilding and hard drive recovery of critical servers. All Exchange schema and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to recover mail messages from local OST data files (Microsoft Outlook Offline Data Files) on user desktop computers. A recent offline backup of the customer's accounting/ERP software made it possible to bring these vital services back on-line. Although a lot of work still had to be done to recover fully from the Ryuk event, critical systems were restored rapidly:


"For the most part, the manufacturing operation survived unscathed and we produced all customer orders."

Throughout the following few weeks critical milestones in the restoration process were achieved through tight cooperation between Progent team members and the client:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore Exchange Server containing more than four million archived emails was restored to operations and available for users.
  • CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory modules were fully restored.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • Ninety percent of the user desktops and notebooks were functioning as before the incident.

"Much of what occurred in the initial days is mostly a fog for me, but we will not forget the dedication all of you accomplished to give us our business back. I have been working with Progent for the past ten years, maybe more, and every time Progent has come through and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A likely business catastrophe was averted by hard-working experts, a broad array of knowledge, and close teamwork. Forensics showed that the ransomware penetration detailed here should have been prevented with modern security technology solutions and best practices, team training, and well designed incident response procedures for information backup and for keeping systems up to date with security patches. Nevertheless, the fact remains that government-sponsored hackers from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's team of professionals has a proven track record in crypto-ransomware defense, removal, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for letting me get some sleep after we got over the first week. Everyone did an amazing job, and if anyone that helped is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Fremont a portfolio of online monitoring and security assessment services designed to assist you to reduce your vulnerability to crypto-ransomware. These services include modern artificial intelligence capability to uncover zero-day strains of ransomware that can evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting edge behavior analysis technology to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily get by legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to automate the entire malware attack progression including blocking, detection, containment, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer economical multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering via leading-edge technologies packaged within one agent accessible from a unified control. Progent's data protection and virtualization consultants can help your business to plan and implement a ProSight ESP deployment that meets your company's unique needs and that helps you demonstrate compliance with legal and industry information security regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate attention. Progent can also assist your company to install and test a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations a low cost end-to-end service for reliable backup/disaster recovery (BDR). Available at a low monthly rate, ProSight Data Protection Services automates and monitors your backup processes and allows rapid recovery of critical files, apps and VMs that have become lost or damaged due to hardware breakdowns, software glitches, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's BDR specialists can deliver advanced support to set up ProSight DPS to be compliant with regulatory requirements like HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can assist you to restore your business-critical information. Learn more about ProSight DPS Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading data security companies to deliver centralized management and comprehensive security for all your email traffic. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of threats from making it to your security perimeter. This decreases your vulnerability to inbound threats and saves network bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper layer of analysis for inbound email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that originates and ends inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to diagram, monitor, reconfigure and troubleshoot their networking appliances such as routers, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are always updated, captures and displays the configuration of virtually all devices on your network, tracks performance, and generates notices when problems are discovered. By automating complex management processes, WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, locating devices that need important updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management techniques to keep your IT system operating at peak levels by checking the state of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT personnel and your Progent consultant so all looming problems can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved easily to an alternate hardware solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and safeguard information related to your network infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can save as much as half of the time spent trying to find vital information about your network. ProSight IT Asset Management features a centralized location for storing and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Learn more about ProSight IT Asset Management service.
For 24/7/365 Fremont Ransomware Repair Services, contact Progent at 800-993-9400 or go to Contact Progent.