Ransomware : Your Crippling IT Disaster
Ransomware Remediation Consultants
Ransomware has become an escalating cyber pandemic that presents an enterprise-level danger for any business vulnerable to an assault. Ransomware families such as CrySIS, WannaCry, Locky, NotPetya and the MongoLock cryptoworms have been running rampant for a long time and continue to inflict havoc. More recent strains such as Ryuk and Hermes, along with additional as yet unnamed variants, not only encrypt online information but also attack any system protection mechanism they can reach, including online backups. Information synchronized to off-site disaster recovery sites can be encrypted as well. In a poorly architected environment, this renders automated restoration hopeless and knocks the entire system back to square one.

Recovering programs and data following a crypto-ransomware outage becomes a sprint against the clock as the targeted business fights to contain the damage, clean up the ransomware and resume enterprise-critical operations. Since ransomware takes time to spread, intrusions are often launched during nights and weekends, when successful attacks are likely to take longer to uncover. This multiplies the difficulty of rapidly mobilizing and organizing a capable mitigation team.

Progent has a range of solutions for securing organizations against ransomware attacks. These include team education to help staff recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of modern security solutions that use artificial intelligence to rapidly identify and disable zero-day cyber attacks. Progent can also provide the assistance of experienced crypto-ransomware recovery professionals with the track record and perseverance to redeploy a breached environment as soon as possible.

Progent's Ransomware Recovery Services
Following a ransomware attack, paying the ransom in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the keys to decrypt all your files. Kaspersky ascertained that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to re-install the vital components of your Information Technology environment. Without complete system backups, this calls for a broad range of IT skills, well-coordinated project management, and the willingness to work 24x7 until the recovery project is complete.

For two decades, Progent has provided expert Information Technology services for businesses in Glendale and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained advanced industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the ability to knowledgeably identify critical systems, organize the remaining pieces of your computer network following a ransomware attack, and rebuild them into a functioning network.

Progent's ransomware team uses powerful project management systems to coordinate the complex recovery process. Progent appreciates the urgency of working swiftly and in unison with a customer's management and IT staff to prioritize tasks and get essential services back online as fast as possible.

Business Case Study: A Successful Ransomware Incident Restoration
A business escalated to Progent after their network was attacked by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean state criminal gangs, possibly adopting technology exposed from the U.S. National Security Agency. Ryuk targets specific organizations with little or no room for disruption and is one of the most profitable iterations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in Chicago with about 500 employees. The Ryuk intrusion had paralyzed all business operations and manufacturing processes. Most of the client's backups were online at the beginning of the attack and were damaged. The client was evaluating paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I can't tell you enough in regards to the care Progent provided us throughout the most fearful time of (our) business's life. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent experts provided us. That you could get our e-mail and key servers back in less than 1 week was amazing. Each staff member I got help from or messaged at Progent was laser focused on getting our system up and was working 24 by 7 on our behalf."

Progent worked hand in hand with the customer to quickly assess and prioritize the mission-critical elements that had to be addressed in order to resume departmental operations:

  • Active Directory (AD)
  • E-Mail
  • MRP System
To begin, Progent followed industry best practices for malware incident response by halting lateral movement and cleaning up compromised systems. Progent then began the work of restoring Microsoft AD, the key technology of enterprise systems built on Microsoft Windows. Microsoft Exchange Server messaging will not work without AD, and the client's accounting and MRP system ran on Microsoft SQL Server, which depends on Active Directory for authentication.

Within two days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then initiated reinstallations and hard drive recovery of critical applications. All Microsoft Exchange Server schema and attributes were usable, which facilitated the restore of Exchange. Progent was able to assemble non-encrypted OST files (Microsoft Outlook Off-Line Folder Files) from various PCs to recover mail information. A fairly recent offline backup of the business's accounting/ERP software made it possible to bring these vital applications back online for users. Although significant work was left to recover totally from the Ryuk event, essential systems were restored rapidly:


"For the most part, the manufacturing operation was never shut down and we produced all customer deliverables."
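The mail recovery step above depended on finding cached Outlook OST files on workstations that the ransomware had not reached. The script below is an added example, not Progent's tooling or anything from the case study: it walks a directory tree, finds files that look like OST/PST mailboxes (including ones that have had a second extension appended), and sorts them into intact, encrypted or unknown. An Outlook OST/PST file starts with the four-byte signature "!BDN"; an intact file keeps that header, while a file that ransomware has overwritten with ciphertext loses it and shows near-maximal byte entropy instead. The `.locked` suffix, the directory names and the sample files are all constructed for the demo; the entropy threshold of 7.5 bits per byte is a heuristic chosen here, not a value from the page.

```python
import math
import os
import tempfile
from collections import Counter

# Documented header signature of Outlook PST/OST files.
OUTLOOK_MAGIC = b"!BDN"
# Heuristic (an assumption for this example): ciphertext sits close to 8 bits/byte.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def classify_mailbox_file(path: str) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one OST/PST candidate."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(OUTLOOK_MAGIC):
        return "intact"           # header survives: worth collecting for recovery
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"        # header gone and contents look like ciphertext
    return "unknown"              # truncated, corrupted, or not really a mailbox file


def triage_mailbox_files(root: str) -> dict:
    """Walk `root` and bucket every OST/PST-looking file by recoverability."""
    results = {"intact": [], "encrypted": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            # Ransomware usually appends its own extension, so match ".ost"/".pst"
            # anywhere in the name rather than only at the end.
            if ".ost" not in lower and ".pst" not in lower:
                continue
            path = os.path.join(dirpath, name)
            results[classify_mailbox_file(path)].append(path)
    return results


def build_demo_tree() -> str:
    """Constructed sample data: one intact OST, one overwritten OST, one damaged PST."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    os.makedirs(os.path.join(root, "pc1"))
    os.makedirs(os.path.join(root, "pc2"))
    with open(os.path.join(root, "pc1", "outlook.ost"), "wb") as fh:
        fh.write(OUTLOOK_MAGIC + b"\x00" * 1000)          # header intact
    with open(os.path.join(root, "pc2", "outlook.ost.locked"), "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))                # random bytes stand in for ciphertext
    with open(os.path.join(root, "pc2", "archive.pst"), "wb") as fh:
        fh.write(b"hello")                                # neither magic nor high entropy
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for status, paths in triage_mailbox_files(demo_root).items():
        for p in paths:
            print(f"{status:9s} {os.path.relpath(p, demo_root)}")
```

Pointing `triage_mailbox_files` at a mounted workstation image or an admin share gives a quick list of which cached mailboxes are worth pulling before any rebuild touches those machines. The entropy check is only a second opinion; a file that fails both tests should be examined by hand rather than discarded.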

During the following few weeks important milestones in the recovery process were accomplished through close collaboration between Progent engineers and the client:

  • In-house web sites were restored with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than four million archived messages was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoicing/AP/AR/Inventory capabilities were completely functional.
  • A new Palo Alto 850 firewall was set up.
  • Ninety percent of the user desktops and notebooks were back into operation.

"So much of what happened during the initial response is mostly a fog for me, but I will not soon forget the urgency each and every one of you accomplished to help get our company back. I have been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This event was a testament to your capabilities."

Conclusion
A possible business-extinction disaster was averted thanks to top-tier professionals, a broad array of technical expertise, and tight teamwork. Although in hindsight the crypto-ransomware attack detailed here could have been stopped with current cyber security technology and ISO/IEC 27001 best practices, user training, and properly executed incident response procedures for information backup and patching controls, the fact is that state-sponsored hackers from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, be assured that Progent's team of experts has proven experience in ransomware blocking, cleanup, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), I'm grateful for allowing me to get rested after we got past the initial push. All of you did an impressive effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Glendale a variety of remote monitoring and security assessment services designed to assist you to reduce the threat from ransomware. These services incorporate modern AI technology to uncover new strains of crypto-ransomware that can evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates cutting edge behavior analysis technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to manage the entire threat lifecycle including blocking, identification, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP provides firewall protection, penetration alerts, endpoint control, and web filtering via leading-edge tools incorporated within one agent accessible from a unified control. Progent's data protection and virtualization experts can help your business to design and implement a ProSight ESP deployment that meets your company's unique requirements and that helps you demonstrate compliance with government and industry information protection standards. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require urgent action. Progent's consultants can also assist you to set up and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and mid-sized organizations a low cost and fully managed service for secure backup and disaster recovery. Available at a low monthly rate, ProSight DPS automates your backup activities and enables rapid restoration of critical files, apps and virtual machines that have become lost or corrupted as a result of component failures, software glitches, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's cloud backup specialists can deliver world-class expertise to set up ProSight Data Protection Services to comply with regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can help you to restore your business-critical data. Read more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security vendors to provide centralized management and comprehensive protection for all your inbound and outbound email. The Email Guard managed service integrates cloud-based filtering with an on-premises gateway device to offer complete defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter serves as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This decreases your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper layer of analysis for incoming email. For outgoing email, the onsite gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to monitor and protect internal email that stays inside your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map out, monitor, reconfigure and debug their connectivity hardware such as switches, firewalls, and access points as well as servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always updated, copies and displays the configuration of almost all devices on your network, monitors performance, and generates alerts when problems are detected. By automating time-consuming management processes, WAN Watch can knock hours off common chores like making network diagrams, expanding your network, finding devices that need important software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system running efficiently by tracking the health of vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT management staff and your assigned Progent consultant so any looming problems can be resolved before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved immediately to an alternate hosting environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your network documentation, you can eliminate as much as half of the time spent searching for critical information about your IT network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're planning improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.

For 24/7 Glendale CryptoLocker Repair Experts, reach out to Progent at 800-993-9400 or go to Contact Progent.