Ransomware : Your Worst IT Nightmare
Crypto-Ransomware  Recovery ProfessionalsRansomware has become a too-frequent cyber pandemic that poses an extinction-level danger for businesses of all sizes unprepared for an attack. Different iterations of ransomware such as CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for many years and continue to cause damage. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Egregor, as well as additional as yet unnamed malware, not only do encryption of online information but also infect any available system backup. Information synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, it can make any recovery useless and effectively knocks the network back to square one.

Restoring applications and information after a ransomware intrusion becomes a race against time as the targeted organization struggles to stop lateral movement and cleanup the ransomware and to restore enterprise-critical activity. Since ransomware requires time to spread, assaults are often launched at night, when attacks are likely to take longer to recognize. This multiplies the difficulty of quickly mobilizing and organizing a knowledgeable response team.

Progent provides a range of services for securing organizations from ransomware penetrations. These include user education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of next-generation security solutions with AI capabilities to intelligently discover and extinguish zero-day cyber attacks. Progent in addition provides the services of veteran ransomware recovery consultants with the skills and perseverance to restore a compromised system as quickly as possible.

Progent's Ransomware Recovery Support Services
Soon after a crypto-ransomware penetration, sending the ransom in cryptocurrency does not guarantee that merciless criminals will return the codes to decrypt all your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their information even after having paid the ransom, resulting in more losses. The risk is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the usual crypto-ransomware demands, which ZDNET estimates to be around $13,000. The fallback is to re-install the critical elements of your Information Technology environment. Without access to essential data backups, this calls for a broad complement of skill sets, top notch project management, and the ability to work 24x7 until the job is over.

For twenty years, Progent has offered expert Information Technology services for businesses in Huntington Beach and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise with accounting and ERP applications. This breadth of expertise affords Progent the skills to rapidly determine critical systems and integrate the remaining pieces of your network system after a ransomware penetration and configure them into an operational system.

Progent's ransomware group uses best of breed project management systems to coordinate the sophisticated recovery process. Progent appreciates the importance of acting quickly and in unison with a client's management and Information Technology team members to prioritize tasks and to get essential services back on-line as fast as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Incident Recovery
A client sought out Progent after their organization was penetrated by Ryuk ransomware virus. Ryuk is believed to have been created by Northern Korean state hackers, suspected of using algorithms leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no room for disruption and is one of the most lucrative incarnations of ransomware malware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer based in the Chicago metro area and has around 500 staff members. The Ryuk penetration had frozen all essential operations and manufacturing capabilities. Most of the client's system backups had been on-line at the start of the attack and were encrypted. The client was actively seeking loans for paying the ransom demand (more than two hundred thousand dollars) and wishfully thinking for the best, but in the end brought in Progent.


"I canít speak enough about the care Progent gave us throughout the most fearful time of (our) businesses life. We would have paid the Hackers if not for the confidence the Progent experts afforded us. That you could get our messaging and important applications back online quicker than a week was beyond my wildest dreams. Every single consultant I worked with or communicated with at Progent was absolutely committed on getting my company operational and was working all day and night to bail us out."

Progent worked with the client to quickly identify and prioritize the key services that needed to be restored in order to continue business operations:

  • Active Directory
  • Electronic Messaging
  • MRP System
To start, Progent followed Anti-virus penetration mitigation best practices by stopping the spread and clearing infected systems. Progent then started the steps of rebuilding Microsoft AD, the heart of enterprise networks built on Microsoft technology. Exchange messaging will not operate without Windows AD, and the customerís financials and MRP system used Microsoft SQL Server, which requires Windows AD for security authorization to the information.

Within 48 hours, Progent was able to re-build Active Directory to its pre-attack state. Progent then performed rebuilding and storage recovery of the most important servers. All Exchange schema and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to assemble non-encrypted OST data files (Microsoft Outlook Offline Folder Files) on team PCs to recover mail messages. A recent offline backup of the customerís manufacturing systems made it possible to return these required applications back online for users. Although major work still had to be done to recover completely from the Ryuk event, essential systems were recovered quickly:


"For the most part, the manufacturing operation showed little impact and we delivered all customer orders."

During the next couple of weeks key milestones in the recovery project were achieved in close cooperation between Progent team members and the customer:

  • In-house web sites were brought back up with no loss of data.
  • The MailStore Microsoft Exchange Server containing more than four million historical messages was restored to operations and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were 100% operational.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Nearly all of the desktops and laptops were fully operational.

"A lot of what was accomplished those first few days is mostly a blur for me, but we will not forget the care each of the team accomplished to help get our business back. I have trusted Progent for at least 10 years, possibly more, and each time Progent has come through and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A possible business catastrophe was evaded by hard-working professionals, a wide array of IT skills, and close collaboration. Although in retrospect the ransomware attack described here should have been blocked with current cyber security systems and best practices, user and IT administrator training, and well designed incident response procedures for data backup and applying software patches, the fact is that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's roster of experts has extensive experience in crypto-ransomware virus defense, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for making it so I could get some sleep after we got through the most critical parts. All of you did an fabulous job, and if anyone that helped is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Huntington Beach a portfolio of online monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services utilize next-generation AI capability to uncover zero-day variants of crypto-ransomware that can escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes cutting edge behavior-based analysis tools to defend physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to address the entire threat progression including protection, identification, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device management, and web filtering via cutting-edge tools packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can help you to design and configure a ProSight ESP environment that addresses your company's specific requirements and that helps you prove compliance with legal and industry data security regulations. Progent will assist you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent can also assist your company to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses a low cost end-to-end solution for reliable backup/disaster recovery. Available at a low monthly rate, ProSight DPS automates your backup processes and allows rapid recovery of vital files, applications and VMs that have become lost or corrupted as a result of hardware breakdowns, software bugs, disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local device, or mirrored to both. Progent's backup and recovery specialists can deliver world-class expertise to configure ProSight Data Protection Services to to comply with regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can help you to recover your business-critical data. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver web-based management and comprehensive protection for your email traffic. The powerful structure of Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to offer complete defense against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne malware. The cloud filter acts as a first line of defense and blocks most threats from reaching your network firewall. This decreases your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's onsite security gateway device adds a further level of inspection for incoming email. For outgoing email, the local security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, track, enhance and troubleshoot their networking hardware such as routers and switches, firewalls, and access points as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and manages the configuration of almost all devices on your network, monitors performance, and generates alerts when potential issues are detected. By automating time-consuming management activities, WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, finding appliances that need important updates, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that uses advanced remote monitoring and management technology to help keep your network operating at peak levels by checking the health of vital assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT personnel and your Progent consultant so all looming problems can be resolved before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved immediately to a different hardware environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard data related to your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can save as much as half of time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether youíre making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need when you need it. Learn more about ProSight IT Asset Management service.
For 24x7 Huntington Beach Ransomware Repair Consulting, contact Progent at 800-993-9400 or go to Contact Progent.