Ransomware: Your Worst Information Technology Nightmare
Ransomware has become a modern cyber plague that poses an extinction-level danger to organizations vulnerable to attack. Older ransomware families such as CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock have circulated for years and still cause havoc. More recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nefilim, along with a steady stream of unnamed newcomers, not only encrypt online data but also seek out every reachable system restore point and backup and encrypt or delete it. Data synchronized to an off-site disaster recovery site can be encrypted as well, because replication faithfully copies the encrypted files. In a vulnerable environment this renders automated restore procedures useless and effectively sets the network back to square one.
Restoring services and data after a ransomware intrusion becomes a race against time as the targeted business fights to stop lateral movement, eradicate the ransomware, and bring business-critical operations back. Because the operators need time to move laterally and stage the encryption, attacks are frequently detonated on weekends or holidays, when detection typically takes longer and it is harder to mobilize and coordinate a capable response team.
Progent offers an assortment of services for protecting businesses from ransomware. These include staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation security appliances with machine learning capabilities to rapidly identify and contain zero-day threats. Progent can also provide veteran ransomware recovery engineers with the skills and perseverance to restore a breached environment as quickly as possible.
Progent's Crypto-Ransomware Recovery Help
Following a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will provide working keys to decrypt any or all of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000. The alternative is to piece back together the vital parts of your IT environment. Without access to essential system backups, this calls for a broad range of skills, well-coordinated project management, and the willingness to work non-stop until the job is done.
For decades, Progent has provided certified expert IT services to businesses in Hayward and throughout the U.S. and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants with top-level certifications in key technologies including Microsoft, Cisco, VMware and the major Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC and SANS GIAC (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of expertise lets Progent quickly identify the critical systems, organize the surviving pieces of your network after a ransomware event, and assemble them into a working environment.
Progent's recovery team uses powerful project management tools to coordinate the complex recovery process. Progent appreciates the urgency of acting swiftly and in unison with a customer's management and IT staff to prioritize tasks and put critical systems back online as fast as humanly possible.
Customer Case Study: A Successful Crypto-Ransomware Virus Restoration
A client engaged Progent after its network was brought down by the Ryuk ransomware. Ryuk was initially linked to North Korean actors because it shares code with the earlier Hermes ransomware, but later analysis attributed it to a Russian-speaking criminal group. Ryuk operators target specific businesses with little tolerance for operational disruption, and it is one of the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer based in the Chicago metro area with around 500 employees. The Ryuk intrusion had paralyzed all essential business and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were encrypted. The client was arranging financing to pay the ransom demand (in excess of $200,000) and hoping for the best, but ultimately decided to engage Progent.
"I can't thank you enough for the help Progent gave us throughout the most fearful period of (our) company's survival. We most likely would have paid the cyber criminals if not for the confidence the Progent team afforded us. The fact that you were able to get our e-mail and important servers back into operation in less than one week was incredible. Every single staff member I interacted with or texted at Progent was laser focused on getting us back online and was working 24 by 7 on our behalf."
Progent worked with the customer to quickly identify and prioritize the key elements that had to be addressed to allow company operations to continue:
- Active Directory
- Email
To begin, Progent followed ransomware containment best practices by isolating and cleaning infected systems. Progent then began the work of bringing Windows Active Directory back online, since it is the heart of an enterprise environment built on Microsoft technology: Exchange will not function without AD, and the company's accounting and MRP system ran on SQL Server, which was configured for Windows authentication and therefore also depended on AD to authenticate users to the database.
In less than two days, Progent restored Active Directory to its pre-intrusion state. Progent then helped rebuild essential servers and recover their storage. All Exchange Server schema and configuration data were intact, which simplified the rebuild of Exchange. Progent was able to gather intact OST files (Outlook offline data files, the local cache of each user's mailbox) from user PCs and laptops to recover mailbox contents; note that an OST only holds what had synchronized to that client before the attack, so this recovers recent mail rather than the whole server store. A recent offline backup of the company's financials/MRP software made it possible to return these required services to users. Although a large amount of work remained to recover fully from the Ryuk damage, core systems were back in operation quickly:
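The ordering above (AD before Exchange and SQL Server, SQL Server before the MRP application) is a dependency problem, and on a larger network it is worth computing rather than guessing under pressure. The following is an added example and is not Progent's code or tooling; the service names and their dependencies are assumptions modeled on the case study, not an inventory of the customer's network. It computes a restore order in which every prerequisite is back before anything that needs it, groups systems into waves that can be worked in parallel, and fails loudly if the plan contains a cycle.

```python
"""Dependency-ordered recovery plan (added example, not Progent's code).

Given which systems each service depends on, produce a restore order in
which every dependency is online before the thing that needs it. Kahn's
topological sort is used; a business-priority map breaks ties between
systems whose prerequisites become satisfied at the same time. A cycle
means the plan itself is wrong, so it raises instead of guessing.
"""

# Assumed topology modeled on the case study: system -> prerequisites.
RECOVERY_DEPENDENCIES = {
    "dns": set(),
    "active_directory": {"dns"},
    "exchange": {"active_directory", "dns"},
    "sql_server": {"active_directory"},        # Windows auth needs AD
    "financials_mrp": {"sql_server"},
    "mailstore_archive": {"active_directory", "exchange"},
    "web_apps": {"sql_server", "active_directory"},
    "workstations": {"active_directory", "exchange"},
}

# Assumed business priority (lower = more urgent). Only used as a tie-break.
PRIORITY = {
    "dns": 0, "active_directory": 0, "exchange": 1, "sql_server": 1,
    "financials_mrp": 2, "web_apps": 3, "mailstore_archive": 4, "workstations": 5,
}


def restore_order(deps, priority):
    """Return a list of systems in a valid restore order (Kahn's algorithm)."""
    nodes = set(deps)
    for prereqs in deps.values():
        nodes |= prereqs                      # prerequisites with no entry of their own
    indegree = {n: 0 for n in nodes}
    dependents = {n: set() for n in nodes}
    for n, prereqs in deps.items():
        indegree[n] = len(prereqs)
        for d in prereqs:
            dependents[d].add(n)

    def rank(n):
        return (priority.get(n, 99), n)

    ready = sorted((n for n in nodes if indegree[n] == 0), key=rank)
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for m in sorted(dependents[n]):
            indegree[m] -= 1
            if indegree[m] == 0:
                ready.append(m)
        ready.sort(key=rank)

    if len(order) != len(nodes):
        stuck = sorted(n for n in nodes if indegree[n] > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def restore_waves(deps, priority):
    """Group the restore order into waves whose members can be worked in parallel."""
    order = restore_order(deps, priority)
    depth = {}
    for n in order:
        depth[n] = 1 + max((depth[d] for d in deps.get(n, ())), default=0)
    waves = {}
    for n in order:
        waves.setdefault(depth[n], []).append(n)
    return [waves[k] for k in sorted(waves)]


if __name__ == "__main__":
    for i, wave in enumerate(restore_waves(RECOVERY_DEPENDENCIES, PRIORITY), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

The wave view is the useful artifact in a war room: it shows that nothing can start until DNS and AD are back, that Exchange and SQL Server can be rebuilt side by side, and that the MRP system, web apps, mail archive and workstations all become unblocked together once those two are up.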
"For the most part, the production manufacturing operation never missed a beat and we delivered all customer sales."
Over the following two weeks, key milestones in the restoration project were completed through close cooperation between Progent team members and the customer:
- In-house web applications were brought back up without losing any data.
- The MailStore Server archive with over 4 million historical messages was brought online and made accessible to users.
- CRM, product ordering, invoicing, accounts payable, accounts receivable (AR) and inventory control functions were 100% restored.
- A new Palo Alto Networks PA-850 firewall was installed.
- Ninety percent of user workstations were operational.
"A lot of what happened that first week is nearly entirely a haze for me, but my team will not forget the dedication each of your team accomplished to give us our business back. I've entrusted Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This situation was a stunning achievement."
A potential business-ending catastrophe was averted by results-oriented experts, a broad spectrum of technical expertise, and tight teamwork. In hindsight, the incident described here could have been detected and blocked with current security technology and practices: staff training, offline or immutable backups that the attackers could not reach, timely patching, and a well-rehearsed incident response plan. The reality, however, is that criminal and state-sponsored groups operating from Russia, China and elsewhere are tireless and a constant threat. If you do fall victim to a ransomware intrusion, Progent's roster of experts has a proven track record in ransomware defense, cleanup and data restoration.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for letting me get some sleep after we made it over the first week. All of you did an amazing effort, and if anyone is visiting the Chicago area, dinner is my treat!"
To read or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Hayward a portfolio of remote monitoring and security assessment services to help minimize the threat from ransomware. These services use machine learning to uncover new ransomware variants that evade legacy signature-based anti-virus products.
For 24-Hour Hayward Crypto-Ransomware Cleanup Experts, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses next-generation behavior-based machine learning to defend physical and virtual endpoints against new malware such as ransomware and fileless attacks, which routinely evade legacy signature-matching anti-virus products. It safeguards on-premises and cloud resources and offers a unified platform for managing the whole attack lifecycle: protection, detection, containment, cleanup and forensics. Key capabilities include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly seen attacks. One caveat a practitioner should keep in mind: most ransomware families delete existing shadow copies (typically via vssadmin, wmic or PowerShell) before they encrypt, so VSS-based rollback only works when the endpoint agent protects the shadow copy store from tampering and the deletion attempt itself is treated as a high-priority alert. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.
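Because shadow-copy deletion is such a reliable precursor to encryption, it is worth detecting in process-creation telemetry regardless of which endpoint product you run. The following is an added example and is not ProSight or Progent code: it runs a handful of command-line patterns over constructed JSON-lines records shaped like Sysmon Event ID 1 or Security 4688 process-creation events (the field names Host, User and CommandLine are assumptions, not any product's schema) and flags the tampering techniques while leaving benign shadow-copy listing alone.

```python
"""Flag shadow-copy tampering in process-creation logs (added example).

Ransomware routinely deletes Volume Shadow Copies, disables Windows
recovery and wipes backup catalogs before encrypting. The records below
are constructed for this example; field names are assumptions.
"""
import json
import re
from dataclasses import dataclass

# (rule name, regex over the whitespace-collapsed, lower-cased command line).
# Matching on distinctive tokens rather than whole strings tolerates the
# extra spaces, /quiet flags and wrapper shells seen in real samples.
SHADOW_TAMPER_PATTERNS = [
    ("vssadmin_delete", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows")),
    ("vssadmin_resize", re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage.*maxsize")),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete")),
    ("powershell_win32_shadowcopy",
     re.compile(r"win32_shadowcopy.*(?:\.delete\(\)|remove-wmiobject|remove-ciminstance)")),
    ("bcdedit_recovery_off",
     re.compile(r"bcdedit(?:\.exe)?.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("wbadmin_delete_catalog",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)")),
]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    command_line: str


def detect_shadow_tampering(lines):
    """Return one Alert per record whose command line matches a tampering rule."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        cmd = rec.get("CommandLine", "")
        norm = " ".join(cmd.lower().split())      # collapse whitespace, ignore case
        for rule, pattern in SHADOW_TAMPER_PATTERNS:
            if pattern.search(norm):
                alerts.append(Alert(rec.get("Host", "?"), rec.get("User", "?"), rule, cmd))
                break                              # one alert per record is enough
    return alerts


# Constructed sample records (not real telemetry). Line 2 is a benign
# "vssadmin list shadows" that must not alert.
SAMPLE_LOG = r"""
{"Host": "FS01", "User": "CORP\\jsmith", "CommandLine": "explorer.exe"}
{"Host": "FS01", "User": "CORP\\svc_backup", "CommandLine": "vssadmin list shadows"}
{"Host": "FS01", "User": "CORP\\jsmith", "CommandLine": "cmd.exe /c vssadmin.exe  Delete Shadows /All /Quiet"}
{"Host": "DC01", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "wmic shadowcopy delete /nointeractive"}
{"Host": "DC01", "User": "CORP\\admin", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
{"Host": "WS22", "User": "CORP\\mlee", "CommandLine": "powershell -nop -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\""}
"""


if __name__ == "__main__":
    for a in detect_shadow_tampering(SAMPLE_LOG.splitlines()):
        print(f"[{a.rule}] {a.host} {a.user}: {a.command_line}")
```

In production this logic belongs in the SIEM or EDR rule engine with an automatic response (isolate the host, alert the on-call), because by the time a human reads the alert the encryption pass has usually already started; the point of the example is that the signal is cheap and unambiguous, since legitimate administration almost never deletes all shadow copies quietly.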
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and react to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering via current technologies packaged in a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP environment that addresses your organization's specific requirements and helps you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that require urgent attention. Progent can also help your company install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and mid-sized businesses a low-cost, fully managed solution for reliable backup and disaster recovery. Available at a fixed monthly rate, ProSight DPS automates your backup processes and allows rapid recovery of vital data, applications and VMs that have become unavailable or corrupted as a result of hardware failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can protect, recover and restore files, folders, applications, system images, and Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises storage device, or both. Whichever target you choose, at least one copy should be unreachable with the domain credentials an attacker is likely to steal; as the case study above shows, a backup that the file server can write to is a backup the ransomware can encrypt. Progent's cloud backup specialists can configure ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FINRA and PCI and, when necessary, can help you recover your critical data. Learn more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses technology from leading information security companies to deliver centralized control and comprehensive protection for your inbound and outbound email. The hybrid structure of Email Guard integrates a Cloud Protection Layer with an on-premises gateway device to provide layered defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter acts as the first line of defense and blocks most unwanted email before it reaches your security perimeter, which reduces your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway adds a deeper layer of analysis for inbound email. For outgoing email, the local gateway offers anti-virus and anti-spam filtering, data leakage protection, and email encryption. The on-premises gateway can also help Exchange Server track and protect internal email traffic that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to diagram, track, reconfigure and troubleshoot their connectivity hardware such as routers, firewalls, and load balancers as well as servers, printers, client computers and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, captures and manages the configuration information of almost all devices on your network, monitors performance, and sends notices when issues are detected. By automating tedious management and troubleshooting processes, WAN Watch can knock hours off common chores like network mapping, reconfiguring your network, finding appliances that need critical software patches, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your network running efficiently by tracking the health of the critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT management staff and your assigned Progent engineering consultant so that potential issues can be resolved before they affect productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be moved easily to a different hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and safeguard information related to your network infrastructure, processes, business applications, and services. You can instantly find passwords or IP addresses and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as half of the time wasted searching for critical information about your network. ProSight IT Asset Management provides a centralized location for storing and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.