Ransomware : Your Crippling Information Technology Disaster
Ransomware  Recovery ExpertsRansomware has become an escalating cyberplague that presents an extinction-level danger for businesses vulnerable to an attack. Different versions of crypto-ransomware like the CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and continue to inflict havoc. The latest variants of ransomware such as Ryuk and Hermes, plus more as yet unnamed newcomers, not only encrypt online data files but also infiltrate many configured system protection mechanisms. Data synched to the cloud can also be corrupted. In a poorly architected system, this can render automated recovery useless and effectively knocks the entire system back to zero.

Getting back online programs and data following a ransomware intrusion becomes a sprint against time as the targeted business tries its best to contain and clear the ransomware and to resume business-critical activity. Because crypto-ransomware takes time to replicate, attacks are usually launched during weekends and nights, when attacks are likely to take longer to identify. This multiplies the difficulty of quickly mobilizing and coordinating a capable mitigation team.

Progent makes available an assortment of support services for securing enterprises from ransomware events. These include team education to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus installation of the latest generation security solutions with machine learning capabilities to automatically identify and suppress day-zero threats. Progent also can provide the services of seasoned ransomware recovery professionals with the talent and perseverance to reconstruct a breached network as rapidly as possible.

Progent's Crypto-Ransomware Restoration Services
After a crypto-ransomware attack, sending the ransom demands in Bitcoin cryptocurrency does not provide any assurance that distant criminals will respond with the needed keys to unencrypt any of your files. Kaspersky determined that seventeen percent of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the usual ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to piece back together the key components of your Information Technology environment. Absent the availability of full data backups, this requires a broad range of skill sets, professional team management, and the willingness to work continuously until the job is completed.

For twenty years, Progent has provided certified expert Information Technology services for companies in Morgan Hill and throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-renowned industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial systems and ERP software solutions. This breadth of expertise affords Progent the ability to efficiently understand important systems and re-organize the remaining components of your computer network system after a ransomware event and rebuild them into an operational network.

Progent's security team has top notch project management systems to orchestrate the complicated restoration process. Progent appreciates the importance of acting rapidly and in concert with a customerís management and IT staff to assign priority to tasks and to put the most important services back on-line as soon as humanly possible.

Customer Story: A Successful Ransomware Attack Recovery
A business engaged Progent after their company was taken over by the Ryuk ransomware. Ryuk is believed to have been created by Northern Korean government sponsored criminal gangs, suspected of adopting strategies exposed from the United States National Security Agency. Ryuk seeks specific organizations with little or no ability to sustain operational disruption and is one of the most lucrative instances of ransomware. High publicized organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in Chicago with about 500 workers. The Ryuk attack had brought down all essential operations and manufacturing capabilities. The majority of the client's data backups had been on-line at the start of the intrusion and were damaged. The client was actively seeking loans for paying the ransom demand (in excess of $200K) and praying for the best, but in the end reached out to Progent.


"I canít say enough in regards to the care Progent gave us throughout the most fearful period of (our) companyís life. We may have had to pay the cybercriminals if it wasnít for the confidence the Progent group provided us. That you could get our e-mail system and important applications back faster than five days was amazing. Each expert I spoke to or texted at Progent was urgently focused on getting us back online and was working 24/7 on our behalf."

Progent worked hand in hand the customer to rapidly determine and assign priority to the key areas that had to be recovered to make it possible to restart company operations:

  • Active Directory
  • Email
  • Accounting and Manufacturing Software
To get going, Progent adhered to ransomware incident mitigation best practices by stopping the spread and cleaning up infected systems. Progent then began the steps of restoring Active Directory, the key technology of enterprise networks built on Microsoft Windows Server technology. Exchange messaging will not operate without AD, and the businessesí MRP software utilized Microsoft SQL Server, which depends on Active Directory for security authorization to the information.

Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then initiated setup and storage recovery on essential applications. All Microsoft Exchange Server data and configuration information were usable, which accelerated the restore of Exchange. Progent was able to locate intact OST files (Microsoft Outlook Off-Line Data Files) on various PCs to recover email messages. A not too old offline backup of the businesses manufacturing systems made them able to return these required programs back online for users. Although a large amount of work was left to recover fully from the Ryuk damage, core systems were restored rapidly:


"For the most part, the assembly line operation survived unscathed and we delivered all customer shipments."

During the following month important milestones in the restoration project were completed in close collaboration between Progent consultants and the client:

  • In-house web sites were returned to operation with no loss of data.
  • The MailStore Microsoft Exchange Server with over 4 million archived messages was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were fully restored.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • Ninety percent of the user PCs were fully operational.

"So much of what transpired in the initial days is nearly entirely a blur for me, but our team will not forget the countless hours each of the team accomplished to help get our business back. I have been working together with Progent for at least 10 years, possibly more, and every time Progent has come through and delivered. This time was a testament to your capabilities."

Conclusion
A probable business extinction disaster was avoided through the efforts of top-tier professionals, a wide spectrum of subject matter expertise, and close collaboration. Although upon completion of forensics the ransomware virus attack described here should have been identified and stopped with current security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and well thought out security procedures for data backup and keeping systems up to date with security patches, the fact remains that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware penetration, remember that Progent's roster of experts has a proven track record in ransomware virus defense, mitigation, and information systems restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), Iím grateful for letting me get rested after we made it past the initial push. Everyone did an impressive job, and if anyone that helped is in the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Morgan Hill a range of online monitoring and security evaluation services to help you to reduce the threat from ransomware. These services utilize next-generation machine learning capability to uncover zero-day strains of ransomware that are able to get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates next generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a unified platform to automate the complete malware attack lifecycle including protection, detection, mitigation, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer economical multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP delivers firewall protection, penetration alerts, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent accessible from a unified control. Progent's data protection and virtualization consultants can help you to design and configure a ProSight ESP deployment that addresses your company's unique needs and that helps you prove compliance with government and industry information protection standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate action. Progent can also assist your company to set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent provide small and medium-sized organizations a low cost end-to-end solution for secure backup/disaster recovery. Available at a fixed monthly rate, ProSight Data Protection Services automates your backup processes and enables rapid restoration of vital data, apps and virtual machines that have become unavailable or corrupted as a result of hardware failures, software glitches, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware images/. Important data can be protected on the cloud, to a local device, or to both. Progent's cloud backup consultants can deliver advanced expertise to set up ProSight DPS to be compliant with regulatory standards such as HIPAA, FIRPA, PCI and Safe Harbor and, when needed, can assist you to restore your critical data. Find out more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security vendors to deliver web-based management and comprehensive protection for your email traffic. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway appliance to provide advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most unwanted email from reaching your network firewall. This reduces your vulnerability to inbound attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further level of analysis for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progentís ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map, monitor, optimize and troubleshoot their connectivity appliances like routers, firewalls, and wireless controllers as well as servers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always current, copies and manages the configuration information of almost all devices on your network, tracks performance, and sends notices when problems are discovered. By automating time-consuming management activities, ProSight WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, finding appliances that need important updates, or isolating performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring managed service that uses advanced remote monitoring and management techniques to help keep your IT system running efficiently by tracking the state of vital assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT management personnel and your assigned Progent consultant so all potential issues can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hardware solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSLs or domains. By updating and managing your IT infrastructure documentation, you can save as much as 50% of time spent searching for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether youíre planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
For 24x7 Morgan Hill CryptoLocker Removal Help, reach out to Progent at 800-993-9400 or go to Contact Progent.