Ransomware : Your Worst Information Technology Nightmare
Crypto-Ransomware  Recovery ExpertsCrypto-Ransomware has become a modern cyberplague that poses an enterprise-level threat for businesses unprepared for an assault. Different versions of crypto-ransomware like the CrySIS, Fusob, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for many years and continue to cause harm. The latest versions of ransomware such as Ryuk and Hermes, as well as frequent unnamed malware, not only do encryption of online data but also infiltrate many configured system restores and backups. Files synchronized to the cloud can also be rendered useless. In a poorly architected system, this can make automatic recovery impossible and basically knocks the network back to square one.

Getting back programs and data after a ransomware outage becomes a race against the clock as the targeted organization fights to stop lateral movement and eradicate the ransomware and to resume enterprise-critical activity. Since ransomware needs time to replicate, penetrations are often launched at night, when successful penetrations are likely to take more time to notice. This multiplies the difficulty of quickly marshalling and coordinating a capable mitigation team.

Progent provides a range of solutions for securing enterprises from ransomware penetrations. Among these are user training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of next-generation security gateways with artificial intelligence technology to intelligently discover and disable day-zero cyber attacks. Progent also offers the services of experienced crypto-ransomware recovery engineers with the talent and perseverance to re-deploy a compromised system as quickly as possible.

Progent's Ransomware Recovery Support Services
Following a ransomware event, sending the ransom demands in cryptocurrency does not ensure that criminal gangs will provide the codes to decipher any of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their files even after having sent off the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to re-install the essential parts of your Information Technology environment. Absent the availability of essential system backups, this requires a broad range of skills, professional project management, and the ability to work non-stop until the job is done.

For two decades, Progent has offered professional IT services for businesses in Irvine and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded top industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise in accounting and ERP software solutions. This breadth of expertise affords Progent the skills to rapidly identify critical systems and re-organize the remaining pieces of your network system after a crypto-ransomware penetration and configure them into an operational system.

Progent's ransomware group has powerful project management applications to orchestrate the complex recovery process. Progent appreciates the urgency of acting rapidly and in unison with a customerís management and IT resources to prioritize tasks and to get critical applications back on line as soon as possible.

Customer Story: A Successful Ransomware Incident Response
A customer escalated to Progent after their network system was brought down by the Ryuk ransomware virus. Ryuk is thought to have been developed by Northern Korean state hackers, possibly using algorithms exposed from the United States NSA organization. Ryuk goes after specific companies with little room for disruption and is one of the most profitable versions of ransomware. Headline organizations include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company located in Chicago and has about 500 workers. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's information backups had been directly accessible at the time of the intrusion and were encrypted. The client was taking steps for paying the ransom (exceeding two hundred thousand dollars) and wishfully thinking for the best, but in the end made the decision to use Progent.


"I cannot thank you enough in regards to the expertise Progent gave us throughout the most fearful time of (our) companyís survival. We may have had to pay the hackers behind this attack if not for the confidence the Progent team provided us. The fact that you could get our messaging and key applications back sooner than seven days was amazing. Each person I worked with or messaged at Progent was totally committed on getting us back online and was working non-stop to bail us out."

Progent worked together with the customer to rapidly identify and prioritize the key elements that had to be restored in order to continue business functions:

  • Active Directory
  • E-Mail
  • Accounting/MRP
To start, Progent followed ransomware event response best practices by halting lateral movement and disinfecting systems. Progent then started the steps of rebuilding Microsoft Active Directory, the foundation of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange email will not function without Windows AD, and the client's accounting and MRP applications utilized Microsoft SQL, which requires Windows AD for access to the databases.

Within 2 days, Progent was able to restore Active Directory services to its pre-intrusion state. Progent then completed reinstallations and storage recovery on key applications. All Microsoft Exchange Server schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to assemble local OST data files (Outlook Email Off-Line Folder Files) on various desktop computers to recover email information. A not too old offline backup of the customerís financials/MRP systems made them able to recover these required applications back available to users. Although major work was left to recover fully from the Ryuk damage, essential systems were restored quickly:


"For the most part, the production manufacturing operation did not miss a beat and we made all customer orders."

During the following couple of weeks critical milestones in the restoration project were completed in tight collaboration between Progent engineers and the customer:

  • Self-hosted web applications were brought back up with no loss of data.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control functions were 100% restored.
  • A new Palo Alto Networks 850 firewall was installed.
  • Ninety percent of the user workstations were operational.

"Much of what occurred that first week is mostly a fog for me, but our team will not soon forget the commitment all of you accomplished to give us our company back. I have utilized Progent for the past ten years, maybe more, and each time Progent has come through and delivered. This time was the most impressive ever."

Conclusion
A probable business-ending disaster was averted with results-oriented professionals, a wide array of technical expertise, and close collaboration. Although upon completion of forensics the crypto-ransomware attack detailed here could have been prevented with current security technology and security best practices, user training, and well designed security procedures for data backup and keeping systems up to date with security patches, the reality is that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of professionals has proven experience in ransomware virus blocking, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for letting me get some sleep after we made it over the initial push. All of you did an fabulous job, and if anyone that helped is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Irvine a variety of online monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services incorporate modern AI capability to uncover new variants of ransomware that are able to get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates cutting edge behavior-based machine learning technology to defend physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which easily get by legacy signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a single platform to automate the entire malware attack lifecycle including protection, identification, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection services offer affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization experts can help your business to design and implement a ProSight ESP deployment that addresses your organization's specific requirements and that allows you demonstrate compliance with legal and industry data protection regulations. Progent will assist you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent can also help you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations an affordable and fully managed service for secure backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight DPS automates and monitors your backup activities and enables rapid recovery of vital files, applications and virtual machines that have become lost or corrupted as a result of component failures, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, as well as Hyper-V and VMware virtual machine images. Important data can be backed up on the cloud, to a local storage device, or mirrored to both. Progent's cloud backup consultants can provide advanced support to set up ProSight DPS to be compliant with regulatory standards such as HIPPA, FIRPA, and PCI and, when needed, can help you to restore your critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top information security companies to deliver web-based control and world-class protection for your email traffic. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This reduces your exposure to external attacks and saves system bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a further layer of inspection for incoming email. For outbound email, the onsite security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to monitor and safeguard internal email that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map out, monitor, optimize and troubleshoot their networking appliances such as routers and switches, firewalls, and load balancers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, captures and displays the configuration of almost all devices on your network, monitors performance, and generates notices when issues are detected. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, finding appliances that need critical software patches, or resolving performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network running efficiently by checking the state of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT personnel and your assigned Progent engineering consultant so that all looming issues can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Because the system is virtualized, it can be moved immediately to a different hosting solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect information related to your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save as much as half of time spent trying to find vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether youíre making improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24-Hour Irvine Ransomware Repair Consultants, reach out to Progent at 800-993-9400 or go to Contact Progent.