Ransomware: Your Worst Information Technology Disaster
Ransomware Recovery Consultants
Ransomware has become an escalating cyber plague that poses an extinction-level danger for businesses vulnerable to attack. Crypto-ransomware families such as Dharma, Fusob, Bad Rabbit, Syskey and MongoLock have been in the wild for years and still cause damage. More recent families such as Ryuk and Hermes, along with newer ones that have not yet been named, not only encrypt critical online data but also seek out and destroy any system backups they can reach. Files synchronized to cloud storage can be encrypted along with everything else. With a poorly designed data protection scheme, this can make automated restoration impossible and effectively knocks the network back to square one.

Recovering applications and data after a crypto-ransomware attack becomes a race against the clock as the targeted organization struggles to contain lateral movement, eradicate the ransomware, and restore mission-critical operations. Because crypto-ransomware needs time to spread, attacks are usually triggered at night or on weekends, when a successful intrusion takes longer to discover. This compounds the difficulty of rapidly mobilizing and coordinating a qualified response team.
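The backup-destruction behaviour described above shows up in process-creation telemetry before encryption is finished, which is where behavioural detection earns its keep. The following PowerShell is an added example written for this page; it is not Progent's code and not part of any ProSight product. It flags command lines that delete Volume Shadow Copies, shrink shadow storage, disable Windows Recovery or wipe the Windows Backup catalog, all commonly seen in ransomware pre-encryption scripts, Ryuk's among them. The Find-BackupDestruction function and the $SampleEvents array are constructed for illustration; in production, feed the function Sysmon Event ID 1 or Security 4688 records instead.

```powershell
# Added example (not Progent's code): flag process-creation events whose command
# line matches backup-destruction patterns used by ransomware before encryption.
# $SampleEvents below is constructed for illustration only.

$BackupDestructionPatterns = @(
    @{ Name = 'VSS shadow copy deletion';            Regex = 'vssadmin(\.exe)?\s+delete\s+shadows' },
    @{ Name = 'VSS storage shrink (purges shadows)'; Regex = 'vssadmin(\.exe)?\s+resize\s+shadowstorage' },
    @{ Name = 'WMI shadow copy deletion';            Regex = 'wmic(\.exe)?\s+shadowcopy\s+delete' },
    @{ Name = 'PowerShell shadow copy deletion';     Regex = 'Win32_ShadowCopy.*\bDelete\b' },
    @{ Name = 'Windows Recovery disabled';           Regex = 'bcdedit(\.exe)?.*recoveryenabled\s+no' },
    @{ Name = 'Boot status policy tampered';         Regex = 'bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures' },
    @{ Name = 'Backup catalog deleted';              Regex = 'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)' }
)

function Find-BackupDestruction {
    param(
        # Objects carrying at least TimeCreated, Computer, User and CommandLine.
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Events
    )
    process {
        foreach ($e in $Events) {
            foreach ($p in $BackupDestructionPatterns) {
                # Case-insensitive regex match against the full command line.
                if ($e.CommandLine -imatch $p.Regex) {
                    [pscustomobject]@{
                        TimeCreated = $e.TimeCreated
                        Computer    = $e.Computer
                        User        = $e.User
                        Finding     = $p.Name
                        CommandLine = $e.CommandLine
                    }
                }
            }
        }
    }
}

# Constructed sample events: one benign VSS listing followed by a typical
# pre-encryption sequence run from a stolen domain admin session.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2019-03-16 02:13:07'; Computer = 'FILESRV01'; User = 'CORP\svc_backup';   CommandLine = '"C:\Windows\System32\vssadmin.exe" List Shadows' }
    [pscustomobject]@{ TimeCreated = '2019-03-16 02:14:51'; Computer = 'FILESRV01'; User = 'CORP\Administrator'; CommandLine = 'vssadmin.exe Delete Shadows /all /quiet' }
    [pscustomobject]@{ TimeCreated = '2019-03-16 02:14:52'; Computer = 'FILESRV01'; User = 'CORP\Administrator'; CommandLine = 'bcdedit /set {default} recoveryenabled No' }
    [pscustomobject]@{ TimeCreated = '2019-03-16 02:14:53'; Computer = 'FILESRV01'; User = 'CORP\Administrator'; CommandLine = 'wbadmin DELETE CATALOG -quiet' }
    [pscustomobject]@{ TimeCreated = '2019-03-16 02:15:10'; Computer = 'FILESRV01'; User = 'CORP\Administrator'; CommandLine = 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"' }
)

# Only the last four events produce findings; the "List Shadows" call is ignored.
$SampleEvents | Find-BackupDestruction | Format-Table -AutoSize

# Against live Sysmon logs, extract CommandLine from each record's XML and pipe it in:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000 |
#     ForEach-Object {
#         $x = [xml]$_.ToXml()
#         [pscustomobject]@{
#             TimeCreated = $_.TimeCreated
#             Computer    = $_.MachineName
#             User        = ($x.Event.EventData.Data | Where-Object Name -eq 'User').'#text'
#             CommandLine = ($x.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
#         }
#     } | Find-BackupDestruction
```

A single hit on any of these patterns from a non-backup service account is a high-confidence signal worth an automatic host isolation, since the file encryption usually follows within minutes.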

Progent offers a range of services for protecting businesses against crypto-ransomware. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security appliances that use AI-based analysis to detect and block zero-day threats. Progent can also provide expert ransomware recovery engineers with the skills and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Help
After a ransomware intrusion, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys needed to decrypt any of your data. Kaspersky found that 17% of crypto-ransomware victims never recovered their data after paying, compounding their losses. Paying is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical crypto-ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the vital parts of your IT environment from scratch. Without access to complete backups, this requires a broad complement of IT skills, top-notch team management, and the capacity to work around the clock until the job is done.

For two decades, Progent has offered certified expert IT services for companies in Long Beach and across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold top industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security consultants hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise with financial management and ERP applications. This breadth of experience lets Progent rapidly identify critical systems, salvage the surviving pieces of your network after a ransomware event, and reassemble them into an operational system.

Progent's security team uses proven project management practices to coordinate the complex recovery process. Progent understands the urgency of working swiftly and together with the client's management and IT staff to prioritize tasks and get the most important systems back online as quickly as possible.

Customer Story: A Successful Crypto-Ransomware Penetration Restoration
A client contacted Progent after their network was brought down by Ryuk ransomware. Ryuk was initially attributed by some researchers to North Korean state-sponsored actors, although later analysis tied its operation to a Russian-speaking criminal group. Ryuk targets specific organizations that cannot tolerate downtime and is among the most profitable ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing provider, and the Chicago Tribune. Progent's client is a regional manufacturer in the Chicago metro area with about 500 employees. The Ryuk intrusion had halted all essential business and manufacturing operations. Most of the client's backups had been online at the time of the attack and were destroyed. The client considered paying the ransom (over $200K) and hoping for the best, but ultimately decided to engage Progent.


"I can't thank you enough in regards to the support Progent provided us during the most critical period of (our) company's survival. We had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent group gave us. That you were able to get our e-mail system and production servers back online in less than a week was beyond my wildest dreams. Each expert I interacted with or texted at Progent was laser focused on getting us back on-line and was working all day and night on our behalf."

Progent worked with the client to quickly identify and prioritize the mission-critical services that had to be restored for business operations to continue:

  • Microsoft Active Directory
  • Electronic Mail
  • Financials/MRP
To begin, Progent followed incident-response best practice for a malware outbreak: isolating affected systems to stop lateral movement, then cleaning infected hosts. Progent then began rebuilding Active Directory, the foundation of Microsoft-based enterprise networks. Exchange email cannot run without AD, and the customer's accounting and MRP software relied on Microsoft SQL Server, which depends on Active Directory to authenticate access to the data.

Within two days, Progent restored Active Directory to its pre-attack state. Progent then began reinstalling applications and recovering data for the mission-critical systems. The Exchange schema and configuration data held in AD were intact, which sped up the Exchange restore. Progent was able to collect local OST files (Microsoft Outlook Offline Data Files) from staff PCs to recover mailbox contents. A reasonably recent offline backup of the client's financials/MRP system made it possible to bring those applications back to users. Although a great deal of work remained to recover fully from the Ryuk damage, core systems were back quickly:


"For the most part, the manufacturing operation showed little impact and we delivered all customer shipments."
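One caveat on the Active Directory rebuild described above: a backup taken after the intruders had already gained access restores their footholds along with the directory, and Ryuk operators often had weeks of access before triggering encryption. The following PowerShell is an added example written for this page, not something from Progent's engagement. It assumes a domain controller with the ActiveDirectory and GroupPolicy RSAT modules installed; the $LookbackDays value is a placeholder to be set to the suspected dwell time.

```powershell
# Added example (not from Progent's engagement): post-restore checks for a domain
# controller whose AD was recovered from backup. A backup taken while the intruder
# already had access brings their accounts, group memberships and GPO changes back
# with it, so enumerate what changed in the window before encryption.
# Assumes the ActiveDirectory and GroupPolicy RSAT modules; $LookbackDays is an
# assumed value, set it to cover the suspected dwell time.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$LookbackDays = 45
$Since = (Get-Date).AddDays(-$LookbackDays)
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

# 1. User accounts created inside the window. Intruders often add a plausibly
#    named account as a fallback in case their original credential gets reset.
$NewAccounts = Get-ADUser -Filter { whenCreated -ge $Since } `
    -Properties whenCreated, PasswordLastSet, Enabled, Description |
    Select-Object SamAccountName, whenCreated, PasswordLastSet, Enabled, Description

# 2. Effective membership of privileged groups, flattened through nested groups.
#    Every entry here should be known to the IT team by name.
$PrivilegedMembers = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}

# 3. Group Policy Objects modified in the window. Ryuk-style deployments push
#    scheduled tasks, services or AV-disabling settings through GPO to reach every host.
$ChangedGpos = Get-GPO -All |
    Where-Object { $_.ModificationTime -ge $Since } |
    Select-Object DisplayName, ModificationTime, Owner, GpoStatus

# 4. krbtgt: if the domain was fully compromised, assume every Kerberos ticket issued
#    so far can be forged. Reset the krbtgt password twice (allowing replication in
#    between) and verify that PasswordLastSet has moved past the intrusion window.
$Krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

"=== Accounts created since $Since ===";              $NewAccounts       | Format-Table -AutoSize
"=== Privileged group membership ===";                $PrivilegedMembers | Format-Table -AutoSize
"=== GPOs modified since $Since ===";                 $ChangedGpos       | Format-Table -AutoSize
"=== krbtgt password age (reset twice if stale) ==="; $Krbtgt            | Format-Table -AutoSize

# Replication and DC health after the restore (native tools, run on the DC):
repadmin /replsummary
dcdiag /q
```

Anything unexplained in the first three listings should be removed or disabled before Exchange and SQL Server are brought back up, since those services will trust whatever the restored directory says.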

Over the following weeks, key milestones in the recovery were reached through close cooperation between Progent's team and the client:

  • Internal web sites were brought back up without losing any information.
  • The MailStore Server containing more than four million archived emails was brought online and available for users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory capabilities were 100% recovered.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • 90% of the user desktops were back into operation.

"So much of what happened those first few days is mostly a fog for me, but my team will not soon forget the care each and every one of your team put in to give us our company back. I have been working together with Progent for at least 10 years, possibly more, and each time Progent has come through and delivered as promised. This event was a testament to your capabilities."

Conclusion
A potential business catastrophe was avoided thanks to dedicated professionals, a broad spectrum of technical expertise, and close teamwork. In hindsight, the attack described here would have been detected and stopped by modern security tooling and best practices: staff education, properly executed backup procedures, and keeping systems current with security patches. The reality remains, however, that state-sponsored and criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you are hit by a ransomware intrusion, you can be confident that Progent's roster of professionals has a proven track record in ransomware blocking, cleanup, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were helping), thank you for making it so I could get rested after we got through the first week. Everyone did an amazing job, and if anyone that helped is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Long Beach a variety of remote monitoring and security assessment services to help you minimize the threat from crypto-ransomware. These services incorporate next-generation AI capabilities to detect zero-day strains of crypto-ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates next-generation behavior analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely get past traditional signature-based AV tools. ProSight ASM protects local and cloud-based resources and offers a single platform to automate the complete malware attack progression including blocking, identification, containment, remediation, and forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Because most ransomware families delete existing shadow copies before they begin encrypting, VSS-based rollback is only as good as the agent's ability to block that deletion, so this capability should be verified during deployment rather than assumed. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring of and response to cyber attacks from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools packaged in a single agent and managed from a single console. Progent's data protection and virtualization consultants can help you plan and implement a ProSight ESP deployment that meets your company's specific requirements and helps you demonstrate compliance with government and industry information security regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent can also help your company install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations a low-cost, fully managed service for secure backup and disaster recovery. Available for a low monthly fee, ProSight Data Protection Services automates your backup activities and allows fast restoration of critical data, applications and virtual machines that have been lost or damaged by component failures, software bugs, natural disasters, human error, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, and Hyper-V and VMware virtual machine images. Critical data can be protected in the cloud, on an on-premises storage device, or mirrored to both. Progent's backup and recovery consultants can provide world-class expertise to set up ProSight DPS to comply with government and industry regulatory standards such as HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you recover your business-critical data. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security companies to deliver centralized management and world-class protection for your inbound and outbound email. The powerful architecture of Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most threats from reaching your security perimeter. This decreases your vulnerability to external attacks and saves network bandwidth and storage space. Email Guard's onsite gateway device provides a further layer of inspection for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map out, track, optimize and debug their networking appliances such as routers, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Using state-of-the-art RMM technology, WAN Watch ensures that network diagrams are always current, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates alerts when issues are discovered. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary chores such as making network diagrams, expanding your network, finding appliances that need important updates, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your IT system operating efficiently by checking the health of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT management personnel and your assigned Progent engineering consultant so that all looming issues can be addressed before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hosting environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard information related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted about upcoming expirations of SSL/TLS certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can save as much as 50% of the time wasted trying to find vital information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24-7 Long Beach ransomware recovery support services, contact Progent at 800-993-9400 or go to Contact Progent.