Ransomware : Your Feared IT Disaster
Crypto-Ransomware  Recovery ProfessionalsRansomware has become a too-frequent cyber pandemic that poses an extinction-level danger for organizations unprepared for an attack. Different iterations of ransomware like the Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for many years and still cause damage. Recent strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Nephilim, plus more as yet unnamed viruses, not only do encryption of on-line information but also infect many available system restores and backups. Files synched to the cloud can also be corrupted. In a poorly designed system, it can make any recovery hopeless and basically knocks the network back to square one.

Getting back on-line services and data after a ransomware event becomes a race against the clock as the targeted organization tries its best to contain and clear the ransomware and to restore mission-critical operations. Due to the fact that ransomware requires time to spread, assaults are usually sprung at night, when penetrations may take longer to notice. This compounds the difficulty of quickly assembling and organizing a capable response team.

Progent makes available a variety of services for securing businesses from ransomware penetrations. These include team member education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security gateways with artificial intelligence capabilities to automatically discover and quarantine zero-day threats. Progent in addition can provide the assistance of veteran ransomware recovery engineers with the track record and perseverance to restore a compromised system as urgently as possible.

Progent's Ransomware Restoration Services
Following a crypto-ransomware penetration, sending the ransom demands in Bitcoin cryptocurrency does not ensure that distant criminals will return the codes to decrypt any of your files. Kaspersky estimated that 17% of ransomware victims never recovered their files after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET determined to be around $13,000. The fallback is to re-install the critical components of your Information Technology environment. Absent the availability of complete data backups, this requires a wide complement of skill sets, professional team management, and the capability to work non-stop until the job is done.

For twenty years, Progent has offered professional Information Technology services for businesses in Hayward and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded high-level industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise in accounting and ERP application software. This breadth of expertise provides Progent the ability to knowledgably understand necessary systems and re-organize the surviving pieces of your network system after a crypto-ransomware event and rebuild them into a functioning system.

Progent's ransomware team of experts has state-of-the-art project management tools to orchestrate the complex recovery process. Progent knows the urgency of acting swiftly and in concert with a customerís management and Information Technology resources to prioritize tasks and to put essential applications back online as soon as possible.

Case Study: A Successful Crypto-Ransomware Penetration Response
A customer escalated to Progent after their network system was crashed by Ryuk ransomware virus. Ryuk is generally considered to have been deployed by Northern Korean state cybercriminals, suspected of using approaches exposed from the U.S. NSA organization. Ryuk attacks specific organizations with little or no room for operational disruption and is one of the most profitable iterations of ransomware malware. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had frozen all essential operations and manufacturing capabilities. The majority of the client's system backups had been on-line at the beginning of the intrusion and were damaged. The client considered paying the ransom (exceeding $200K) and praying for good luck, but ultimately brought in Progent.


"I cannot say enough in regards to the support Progent gave us during the most fearful period of (our) businesses survival. We would have paid the hackers behind this attack except for the confidence the Progent experts afforded us. That you could get our e-mail system and essential applications back on-line in less than five days was earth shattering. Each expert I spoke to or e-mailed at Progent was totally committed on getting our company operational and was working all day and night on our behalf."

Progent worked hand in hand the customer to quickly get our arms around and assign priority to the most important applications that needed to be recovered in order to resume company operations:

  • Active Directory
  • Electronic Mail
  • Financials/MRP
To begin, Progent followed ransomware penetration mitigation industry best practices by halting the spread and cleaning up infected systems. Progent then initiated the work of recovering Windows Active Directory, the heart of enterprise systems built on Microsoft Windows technology. Exchange email will not work without Windows AD, and the customerís accounting and MRP software utilized SQL Server, which requires Active Directory for security authorization to the database.

Within 48 hours, Progent was able to re-build Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery on mission critical applications. All Exchange data and configuration information were usable, which accelerated the restore of Exchange. Progent was also able to locate non-encrypted OST files (Microsoft Outlook Off-Line Data Files) on team workstations and laptops in order to recover mail information. A not too old offline backup of the businesses manufacturing software made them able to restore these vital services back online for users. Although significant work remained to recover fully from the Ryuk event, essential services were recovered rapidly:


"For the most part, the production manufacturing operation was never shut down and we delivered all customer sales."

During the next month important milestones in the restoration process were accomplished through tight cooperation between Progent consultants and the client:

  • Self-hosted web sites were brought back up without losing any information.
  • The MailStore Server containing more than 4 million archived messages was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory Control functions were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was set up.
  • Most of the user PCs were being used by staff.

"A huge amount of what was accomplished in the initial days is nearly entirely a fog for me, but my team will not soon forget the dedication each of your team put in to give us our business back. Iíve utilized Progent for the past ten years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A likely company-ending catastrophe was averted due to dedicated experts, a broad array of knowledge, and tight teamwork. Although in retrospect the crypto-ransomware attack described here could have been shut down with modern security solutions and ISO/IEC 27001 best practices, user and IT administrator training, and well thought out incident response procedures for backup and proper patching controls, the reality remains that government-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, remember that Progent's roster of experts has extensive experience in ransomware virus blocking, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for making it so I could get rested after we made it past the first week. All of you did an incredible job, and if any of your team is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Hayward a portfolio of online monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services utilize next-generation AI capability to uncover new strains of crypto-ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes cutting edge behavior-based analysis technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus tools. ProSight ASM protects on-premises and cloud resources and offers a unified platform to automate the complete malware attack progression including filtering, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, endpoint management, and web filtering through cutting-edge technologies incorporated within a single agent accessible from a single control. Progent's security and virtualization consultants can assist you to plan and implement a ProSight ESP environment that addresses your company's specific needs and that helps you demonstrate compliance with government and industry data security regulations. Progent will assist you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent can also help your company to install and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized businesses a low cost end-to-end service for secure backup/disaster recovery. Available at a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup activities and enables rapid restoration of vital files, apps and VMs that have become unavailable or damaged as a result of hardware breakdowns, software glitches, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images/. Critical data can be backed up on the cloud, to a local device, or to both. Progent's BDR consultants can deliver advanced support to configure ProSight DPS to be compliant with regulatory standards like HIPAA, FINRA, and PCI and, when necessary, can help you to restore your business-critical information. Find out more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security companies to provide centralized management and world-class protection for all your inbound and outbound email. The hybrid structure of Email Guard integrates a Cloud Protection Layer with an on-premises gateway device to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email from making it to your network firewall. This reduces your vulnerability to external threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper layer of analysis for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, reconfigure and troubleshoot their networking hardware such as routers and switches, firewalls, and access points plus servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept current, copies and displays the configuration of almost all devices connected to your network, monitors performance, and sends alerts when problems are discovered. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can cut hours off common chores such as network mapping, expanding your network, finding devices that need important updates, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to keep your network running at peak levels by checking the state of vital assets that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT personnel and your assigned Progent consultant so all looming issues can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hosting solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect data related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as 50% of time wasted searching for critical information about your network. ProSight IT Asset Management features a common location for storing and sharing all documents related to managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether youíre planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need when you need it. Read more about ProSight IT Asset Management service.
For 24-Hour Hayward CryptoLocker Recovery Support Services, call Progent at 800-993-9400 or go to Contact Progent.