Ransomware : Your Feared Information Technology Nightmare
Crypto-ransomware has become an escalating cyberplague that represents an extinction-level danger for organizations vulnerable to an attack. Multiple generations of ransomware such as the Dharma, WannaCry, Locky, SamSam and MongoLock cryptoworms have been replicating for years and continue to inflict destruction. More recent ransomware families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nephilim, as well as additional unnamed newcomers, not only encrypt online files but also seek out and encrypt any reachable system restore points and backups. Data synchronized to off-site disaster recovery sites can also be encrypted. In a vulnerable environment, this can make automated recovery impossible and effectively sets the entire environment back to square one.
Restoring services and data following a crypto-ransomware outage becomes a race against time as the targeted organization tries its best to stop the spread, eradicate the crypto-ransomware, and restore mission-critical activity. Because ransomware needs time to spread, attacks are usually launched on weekends, when intrusions may take longer to detect. This compounds the difficulty of rapidly assembling and coordinating a qualified response team.
Progent offers an assortment of support services for securing organizations from ransomware events. These include user education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security appliances with artificial intelligence capabilities to quickly detect and quarantine new cyber attacks. Progent also offers the services of expert ransomware recovery engineers with the skills and commitment to reconstruct a compromised environment as rapidly as possible.
Progent's Ransomware Recovery Help
Following a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that the cyber criminals will supply the keys to decrypt any of your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their files even after having paid the ransom, resulting in additional losses. Paying is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC (between $120,000 and $400,000). This is significantly above the typical crypto-ransomware demand, which ZDNET estimates to average approximately $13,000. The alternative is to set up the essential components of your IT environment from scratch. Without access to intact system backups, this requires a wide range of skills, well-coordinated team management, and the ability to work 24x7 until the recovery project is complete.
For decades, Progent has offered expert Information Technology services for businesses in Long Beach and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have been awarded advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial management and ERP application software. This breadth of experience affords Progent the ability to quickly identify critical systems and consolidate the remaining components of your Information Technology environment following a ransomware penetration and configure them into a functioning system.
Progent's recovery team of experts deploys powerful project management systems to orchestrate the complicated recovery process. Progent appreciates the urgency of working swiftly and together with a client's management and IT resources to prioritize tasks and to get key applications back online as fast as possible.
Customer Story: A Successful Crypto-Ransomware Virus Recovery
A customer hired Progent after their network was taken over by the Ryuk ransomware virus. Ryuk is generally considered to have been developed by North Korean state-backed criminal gangs, suspected of adopting technology leaked from America's NSA. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer located in the Chicago metro area with about 500 employees. The Ryuk intrusion had brought down all company operations and manufacturing capabilities. The majority of the client's backups had been directly accessible from the network at the time of the attack and were damaged. The client was taking steps to pay the ransom demand (in excess of $200K) and hoping for the best, but in the end engaged Progent.
"I can't speak enough about the expertise Progent provided us during the most fearful time of (our) business's existence. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent team afforded us. The fact that you were able to get our messaging and production servers back online in less than five days was incredible. Each person I interacted with or messaged at Progent was absolutely committed to getting our system up and was working non-stop to bail us out."
Progent worked hand in hand with the client to rapidly determine and prioritize the most important services that needed to be addressed in order to resume departmental functions:
- Active Directory (AD)
- Microsoft Exchange Server
To begin, Progent adhered to ransomware incident mitigation best practices by stopping lateral movement and cleaning up infected systems. Progent then initiated the steps of bringing Windows Active Directory back online, the heart of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without AD, and the customer's MRP applications relied on SQL Server, which depends on Active Directory for authentication and authorization to the database.
Within two days, Progent was able to restore Active Directory to its pre-attack state. Progent then completed reinstallations and storage recovery on mission-critical systems. All Exchange Server connections and configuration information were intact, which accelerated the restoration of Exchange. Progent was able to gather unencrypted OST files (Outlook Offline Folder Files) from team workstations and laptops to recover email messages. A relatively recent offline backup of the business's financials/ERP software made it possible to bring these essential applications back to users. Although a lot of work still had to be done to recover fully from the Ryuk event, critical systems were recovered rapidly:
"For the most part, the production line operation never missed a beat and we made all customer shipments."
During the next couple of weeks, key milestones in the restoration process were reached in close collaboration between Progent engineers and the customer:
- In-house web sites were returned to operation without losing any information.
- The MailStore Microsoft Exchange Server with over 4 million historical emails was restored to operations and accessible to users.
- CRM/Product Ordering/Invoicing/AP/AR/Inventory Control modules were completely recovered.
- A new Palo Alto Networks 850 firewall was set up and programmed.
- 90% of the user desktops and notebooks were functioning as before the incident.
"So much of what happened in the initial days is nearly entirely a blur for me, but my team will not soon forget the care all of you accomplished to help get our company back. I have been working together with Progent for the past 10 years, maybe more, and every time Progent has shined and delivered. This situation was a life saver."
A potential business extinction disaster was averted by dedicated experts, a broad spectrum of knowledge, and close teamwork. Although forensics showed that the crypto-ransomware incident described here could have been prevented with advanced cyber security technology and best practices, team education, and well-designed security procedures for backup and software patching, the fact remains that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incident, remember that Progent's roster of experts has a proven track record in crypto-ransomware defense, removal, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for letting me get rested after we got through the first week. Everyone made an incredible effort, and if anyone that helped is in the Chicago area, a great meal is on me!"
To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Long Beach a portfolio of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services incorporate next-generation artificial intelligence capability to uncover new strains of ransomware that are able to evade traditional signature-based anti-virus products.
For Long Beach 24x7x365 Crypto-Ransomware Cleanup Consultants, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes cutting edge behavior-based analysis technology to defend physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which easily escape traditional signature-matching AV tools. ProSight ASM safeguards local and cloud-based resources and offers a single platform to manage the entire malware attack progression including filtering, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and react to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies incorporated within one agent managed from a single console. Progent's security and virtualization experts can assist you to design and configure a ProSight ESP environment that meets your company's specific requirements and that allows you to demonstrate compliance with legal and industry data security regulations. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent's consultants can also help your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services provide small and mid-sized businesses an affordable and fully managed service for reliable backup/disaster recovery (BDR). For a fixed monthly price, ProSight DPS automates your backup processes and allows fast restoration of vital files, applications and virtual machines that have become lost or corrupted due to hardware breakdowns, software glitches, disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or to both. Progent's backup and recovery consultants can provide world-class support to configure ProSight Data Protection Services to comply with government and industry regulatory requirements such as HIPAA, FINRA, PCI and Safe Harbor and, when necessary, can assist you to recover your business-critical information. Learn more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security companies to provide centralized control and comprehensive protection for all your email traffic. The powerful architecture of Email Guard combines cloud-based filtering with a local gateway appliance to provide complete defense against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks the vast majority of threats from reaching your security perimeter. This reduces your exposure to external threats and saves network bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper level of analysis for inbound email. For outbound email, the onsite gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to track and safeguard internal email that originates and ends within your corporate firewall. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map, monitor, optimize and debug their connectivity appliances like switches, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology maps are kept updated, copies and manages the configuration information of virtually all devices on your network, monitors performance, and generates notices when issues are detected. By automating complex management activities, WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, finding appliances that require important updates, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to keep your IT system running at peak levels by checking the health of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT personnel and your Progent consultant so that all potential issues can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved easily to an alternate hosting environment without requiring a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard information about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT documentation, you can save as much as 50% of time wasted searching for vital information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're making improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Read more about ProSight IT Asset Management service.