Ransomware: Your Crippling IT Nightmare
Ransomware has become an escalating cyber pandemic that represents an existential danger for businesses vulnerable to an attack. Versions of ransomware such as the CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been circulating for a long time and still inflict havoc. More recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, as well as additional as yet unnamed malware, not only encrypt online data but also subvert many of the system protection mechanisms that are available. Data synced to cloud environments can also be rendered useless. In a poorly architected system, this can make automated recovery impossible and effectively sets the network back to square one.
Getting applications and information back online after a ransomware event becomes a race against the clock as the targeted business fights to stop the spread, remove the crypto-ransomware and resume enterprise-critical activity. Because crypto-ransomware takes time to spread, assaults are usually launched on weekends and holidays, when successful penetrations are likely to take longer to uncover. This compounds the difficulty of quickly mobilizing and orchestrating an experienced response team.
Progent provides a variety of services for securing enterprises from ransomware events. These include staff training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security gateways with machine learning technology to rapidly identify and extinguish zero-day cyber attacks. Progent also offers the assistance of expert ransomware recovery engineers with the talent and perseverance to re-deploy a breached system as rapidly as possible.
Progent's Ransomware Restoration Help
Following a crypto-ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the cyber criminals will respond with the keys to decrypt any of your information. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET puts in the range of $13,000. The fallback is to piece back together the essential components of your IT environment. Without access to essential data backups, this calls for a wide range of skills, professional project management, and the capability to work non-stop until the task is over.
For two decades, Progent has made available expert IT services for companies in Monterey and throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have been awarded top certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally renowned industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial management and ERP software solutions. This breadth of experience gives Progent the ability to efficiently identify necessary systems, integrate the surviving components of your network environment following a ransomware penetration, and rebuild them into an operational network.
Progent's security team deploys best-of-breed project management applications to orchestrate the sophisticated restoration process. Progent knows the urgency of acting swiftly and in concert with a customer's management and IT team members to prioritize tasks and to put the most important services back on line as soon as possible.
Client Case Study: A Successful Ransomware Incident Recovery
A client contacted Progent after their network system was attacked by the Ryuk ransomware virus. Ryuk is thought to have been launched by North Korean state hackers, suspected of adopting technology leaked from the U.S. National Security Agency. Ryuk goes after specific companies with limited tolerance for disruption and is among the most lucrative instances of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer located in the Chicago metro area with around 500 workers. The Ryuk penetration had frozen all essential operations and manufacturing capabilities. The majority of the client's backups had been online at the start of the attack and were damaged. The client was actively seeking loans to pay the ransom demand (in excess of $200K) and hoping for the best, but ultimately made the decision to use Progent.
"I can't thank you enough in regards to the help Progent gave us during the most fearful period of (our) business's survival. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent group provided us. The fact that you were able to get our messaging and important applications back online quicker than five days was amazing. Every single consultant I interacted with or e-mailed at Progent was absolutely committed to getting us operational and was working at breakneck pace to bail us out."
Progent worked with the client to rapidly determine and prioritize the critical services that had to be addressed in order to resume company functions:
- Windows Active Directory
- Microsoft Exchange
- MRP System
To begin, Progent adhered to industry best practices for anti-virus incident mitigation by isolating and disinfecting systems. Progent then started the work of restoring Microsoft Active Directory, the core of enterprise systems built on Microsoft technology. Microsoft Exchange Server email will not function without Active Directory, and the client's MRP applications used Microsoft SQL Server, which depends on Active Directory for access to the data.
In less than two days, Progent was able to restore Windows Active Directory to its pre-virus state. Progent then charged ahead with reinstallations and storage recovery of mission-critical applications. All Exchange Server schema and configuration information were intact, which accelerated the restore of Exchange. Progent was also able to assemble intact OST data files (Outlook Email Offline Data Files) on various workstations to recover email data. A recent offline backup of the business's manufacturing software made it possible to bring these required services back to users. Although significant work needed to be completed to recover completely from the Ryuk damage, essential services were recovered quickly:
"For the most part, the production manufacturing operation did not miss a beat and we did not miss any customer orders."
Over the following few weeks, key milestones in the restoration process were completed in tight collaboration between Progent engineers and the client:
- In-house web sites were brought back up with no loss of data.
- The MailStore Server containing more than 4 million archived emails was restored to operations and available for users.
- CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory functions were 100 percent restored.
- A new Palo Alto 850 firewall was deployed.
- Nearly all of the user desktops and notebooks were operational.
"So much of what occurred in the initial days is mostly a haze for me, but my team will not forget the dedication all of you accomplished to help get our business back. I've been working with Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered. This time was a life saver."
A possible business-ending catastrophe was avoided due to dedicated professionals, a wide array of technical expertise, and close collaboration. Although in retrospect the crypto-ransomware virus attack detailed here should have been stopped with advanced security technology and recognized best practices, user and IT administrator training, and well designed security procedures for information backup and applying software patches, the reality remains that state-sponsored hackers from Russia, China and elsewhere are tireless and will continue. If you do get hit by a ransomware incursion, feel confident that Progent's roster of experts has a proven track record in ransomware virus blocking, removal, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were involved), thanks very much for letting me get rested after we made it past the initial push. All of you made a fabulous effort, and if any of you guys are visiting the Chicago area, a great meal is on me!"
To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Monterey a portfolio of remote monitoring and security evaluation services designed to help you to minimize the threat from crypto-ransomware. These services incorporate modern AI capability to uncover zero-day strains of ransomware that are able to escape detection by legacy signature-based security solutions.
For Monterey 24x7x365 Crypto Cleanup Services, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes next-generation behavior-based machine learning tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a unified platform to manage the complete threat progression including blocking, identification, containment, cleanup, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
ProSight Enhanced Security Protection (ESP) services offer economical multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can help your business to plan and implement a ProSight ESP environment that meets your company's unique requirements and that allows you to prove compliance with government and industry information protection standards. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent can also help your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery
ProSight Data Protection Services from Progent provide small and medium-sized businesses a low-cost end-to-end service for secure backup/disaster recovery (BDR). Available at a fixed monthly rate, ProSight Data Protection Services automates and monitors your backup processes and allows fast recovery of critical data, applications and VMs that have become unavailable or corrupted due to component breakdowns, software bugs, natural disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, as well as Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's backup and recovery specialists can deliver advanced expertise to set up ProSight DPS to be compliant with regulatory standards like HIPAA, FERPA, PCI and Safe Harbor and, when needed, can help you to recover your business-critical information. Learn more about ProSight Data Protection Services Managed Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to provide web-based management and world-class protection for all your inbound and outbound email. The layered architecture of the Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This decreases your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a further layer of inspection for inbound email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Microsoft Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to diagram, track, optimize and debug their networking hardware such as switches, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, copies and manages the configuration of almost all devices on your network, monitors performance, and sends alerts when potential issues are detected. By automating time-consuming management and troubleshooting activities, WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, locating appliances that need critical updates, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system running at peak levels by checking the state of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT staff and your Progent engineering consultant so any potential issues can be addressed before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported immediately to a different hosting solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard information related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can save as much as half of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents related to managing your network infrastructure like recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require when you need it. Learn more about Progent's ProSight IT Asset Management service.