Ransomware : Your Crippling IT Disaster
Crypto-Ransomware Recovery Professionals
Ransomware has become a too-frequent cyber pandemic that represents an enterprise-level threat for organizations poorly prepared for an assault. Multiple generations of ransomware like the Dharma, Fusob, Locky, Syskey and MongoLock cryptoworms have been around for a long time and still cause havoc. Recent versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Nephilim, as well as additional as-yet-unnamed viruses, not only encrypt on-line data but also compromise most configured system protections. Files synched to cloud environments can also be rendered useless. In a poorly architected environment, this can render automated recovery useless and effectively sets the network back to square one.

Getting programs and data back following a ransomware intrusion becomes a sprint against time as the victim fights to contain the damage, remove the crypto-ransomware, and resume business-critical operations. Since crypto-ransomware requires time to spread, penetrations are usually launched during nights and weekends, when attacks tend to take longer to detect. This multiplies the difficulty of rapidly assembling and orchestrating an experienced mitigation team.

Progent provides a range of solutions for securing businesses from ransomware attacks. These include team member training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security solutions with machine learning capabilities to intelligently discover and quarantine zero-day cyber attacks. Progent also provides the services of seasoned crypto-ransomware recovery professionals with the track record and perseverance to restore a breached network as urgently as possible.

Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom in cryptocurrency does not provide any assurance that the criminal gangs will hand over the keys to decrypt any of your files. Kaspersky estimated that 17% of crypto-ransomware victims never restored their information after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to piece back together the key parts of your IT environment. Without access to essential data backups, this requires a wide range of skill sets, well-coordinated project management, and the ability to work 24x7 until the job is done.

For twenty years, Progent has provided certified expert IT services for companies in Fremont and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained advanced certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience in financial systems and ERP applications. This breadth of expertise gives Progent the ability to efficiently understand critical systems, re-organize the surviving components of your Information Technology system after a ransomware penetration, and assemble them into an operational network.

Progent's ransomware group deploys state-of-the-art project management applications to coordinate the sophisticated restoration process. Progent knows the urgency of working quickly and in concert with a customer's management and Information Technology staff to prioritize tasks and to get the most important systems back on line as fast as possible.

Case Study: A Successful Ransomware Virus Response
A business escalated to Progent after their organization was taken over by the Ryuk ransomware virus. Ryuk is believed to have been deployed by North Korean government-sponsored hackers, possibly using techniques exposed from America's National Security Agency. Ryuk attacks specific organizations with little or no tolerance for disruption and is among the most lucrative examples of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer based in the Chicago metro area with around 500 workers. The Ryuk attack had shut down all essential operations and manufacturing capabilities. The majority of the client's backups had been online at the start of the attack and were destroyed. The client considered paying the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.


"I cannot speak enough in regards to the expertise Progent provided us throughout the most fearful time of (our) business's life. We would have paid the hackers behind this attack if not for the confidence the Progent experts afforded us. That you could get our e-mail system and key applications back sooner than five days was incredible. Every single expert I worked with or texted at Progent was amazingly focused on getting my company operational and was working at breakneck pace to bail us out."

Progent worked together with the client to rapidly determine and assign priority to the key elements that needed to be restored to make it possible to resume company functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP
To begin, Progent followed industry best practices for malware incident response by stopping the spread and clearing infected systems. Progent then began the work of restoring Windows Active Directory, the key technology of enterprise systems built on Microsoft technology. Microsoft Exchange email will not work without AD, and the customer's financials and MRP software used Microsoft SQL Server, which depends on Active Directory services for security authorization to the information.

In less than two days, Progent was able to recover Active Directory services to their pre-intrusion state. Progent then completed rebuilding and hard drive recovery of the needed systems. All Exchange data and configuration information were intact, which facilitated the restore of Exchange. Progent was able to locate non-encrypted OST files (Outlook Email Off-Line Folder Files) on staff desktop computers to recover mail data. A relatively recent offline backup of the client's accounting/ERP systems made it possible to bring these vital programs back on-line. Although major work remained to recover fully from the Ryuk damage, the most important systems were recovered rapidly:


"For the most part, the manufacturing operation ran fairly normal throughout and we delivered all customer deliverables."

Throughout the following couple of weeks, important milestones in the recovery project were completed in tight cooperation between Progent team members and the customer:

  • Internal web applications were returned to operation with no loss of information.
  • The MailStore Server exceeding four million archived messages was spun up and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were 100 percent operational.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • Ninety percent of the user desktops and notebooks were functioning as before the incident.

"Much of what happened that first week is nearly entirely a haze for me, but my team will not soon forget the dedication each of you accomplished to help get our company back. I have been working with Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A probable business disaster was averted by dedicated professionals, a broad range of technical expertise, and close collaboration. In hindsight, the ransomware attack described here would have been disabled by modern security technology solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and well thought out security procedures for information protection and keeping systems up to date with security patches. The fact remains, however, that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's team of professionals has substantial experience in ransomware virus blocking, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for making it so I could get rested after we made it over the initial push. Everyone did an impressive effort, and if anyone is in the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Fremont a range of online monitoring and security evaluation services to help you reduce your vulnerability to ransomware. These services include next-generation machine learning capability to uncover new strains of ransomware that are able to evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily escape traditional signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a unified platform to manage the complete malware attack lifecycle including filtering, detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device management, and web filtering via leading-edge technologies packaged within one agent managed from a unified console. Progent's security and virtualization experts can help your business to plan and configure a ProSight ESP deployment that meets your company's unique needs and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent can also assist you to install and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable end-to-end solution for reliable backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight DPS automates and monitors your backup activities and enables rapid restoration of critical data, apps and VMs that have become lost or corrupted due to hardware failures, software bugs, disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises storage device, or both. Progent's BDR specialists can provide world-class expertise to set up ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you to restore your business-critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading information security vendors to provide centralized control and comprehensive security for your email traffic. The hybrid architecture of Email Guard integrates cloud-based filtering with a local gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a preliminary barricade and keeps the vast majority of unwanted email from making it to your network firewall. This decreases your vulnerability to inbound threats and saves network bandwidth and storage. Email Guard's on-premises security gateway device provides a deeper level of inspection for incoming email. For outbound email, the on-premises gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map out, monitor, enhance and troubleshoot their networking appliances like routers and switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are always updated, copies and displays the configuration of almost all devices connected to your network, monitors performance, and sends alerts when problems are detected. By automating complex management and troubleshooting activities, WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, locating appliances that need important updates, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by tracking the health of critical assets that power your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your specified IT staff and your Progent engineering consultant so any looming issues can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Since the system is virtualized, it can be moved immediately to an alternate hosting solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and protect data about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as half of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're making improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require when you need it. Find out more about Progent's ProSight IT Asset Management service.

For 24-7 Fremont Crypto Repair Help, call Progent at 800-462-8800 or go to Contact Progent.