Ransomware : Your Worst IT Catastrophe
Crypto-Ransomware Remediation Experts

Ransomware has become a modern cyber pandemic that represents an existential danger for businesses vulnerable to an attack. Older iterations of ransomware such as the CryptoLocker, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for years and still cause damage. Newer variants like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, plus more as yet unnamed strains, not only encrypt on-line files but also infiltrate most configured system backups. Files synchronized to cloud environments can also be rendered useless. In a vulnerable system, this can render automatic recovery hopeless and effectively sets the network back to square one.

Restoring services and data after a ransomware attack becomes a race against time as the targeted organization tries to stop the spread, eradicate the malware, and restore enterprise-critical activity. Because ransomware needs time to move laterally, attacks are usually sprung during nights and weekends, when penetrations typically take longer to detect. This multiplies the difficulty of quickly assembling and coordinating an experienced mitigation team.

Progent makes available a variety of help services for protecting enterprises from crypto-ransomware attacks. Among these are team member education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with installation of the latest generation security appliances with machine learning technology to quickly discover and disable new cyber threats. Progent also can provide the services of veteran ransomware recovery engineers with the talent and commitment to re-deploy a breached network as urgently as possible.

Progent's Ransomware Recovery Services
Following a crypto-ransomware event, paying the ransom demand in Bitcoin does not ensure that the distant criminals will provide the keys needed to decrypt all your files. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET estimates to average around $13,000. The other path is to piece back together the mission-critical parts of your IT environment. Absent access to essential data backups, this requires a broad complement of IT skills, top-notch project management, and the ability to work 24x7 until the recovery project is finished.

For two decades, Progent has offered professional Information Technology services for companies in Morgan Hill and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have been awarded advanced industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in financial systems and ERP software solutions. This breadth of experience gives Progent the skills to efficiently understand critical systems and re-organize the remaining pieces of your network system after a ransomware event and assemble them into a functioning system.

Progent's security group deploys top-notch project management systems to orchestrate the complicated recovery process. Progent knows the importance of acting rapidly and in unison with a customer's management and IT staff to assign priority to tasks and to put essential applications back on-line as fast as humanly possible.

Business Case Study: A Successful Ransomware Virus Recovery
A customer engaged Progent after their network system was penetrated by the Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored cybercriminals, suspected of using approaches exposed from America's National Security Agency. Ryuk attacks specific companies with little tolerance for operational disruption and is one of the most profitable instances of ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with around 500 staff members. The Ryuk intrusion had brought down all company operations and manufacturing capabilities. Most of the client's information backups had been online at the beginning of the intrusion and were encrypted. The client considered paying the ransom (more than $200K) and hoping for good luck, but ultimately reached out to Progent.


"I cannot thank you enough about the expertise Progent provided us during the most critical period of (our) company's existence. We would have paid the hackers behind this attack except for the confidence the Progent experts gave us. That you were able to get our messaging and key servers back faster than 1 week was beyond my wildest dreams. Each person I talked with or communicated with at Progent was urgently focused on getting us restored and was working 24/7 on our behalf."

Progent worked together with the client to quickly assess and assign priority to the mission critical applications that had to be addressed in order to continue business functions:

  • Active Directory
  • Electronic Messaging
  • Accounting and Manufacturing Software

To begin, Progent followed industry best practices for anti-virus and malware incident response by stopping the spread and cleaning up infected systems. Progent then began the steps of recovering Microsoft Active Directory, the core of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange email will not work without Windows AD, and the customer's MRP software leveraged Microsoft SQL Server, which depends on Active Directory for access to the database.

Within 2 days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then accomplished setup and hard drive recovery of the needed servers. All Microsoft Exchange Server schema and attributes were intact, which accelerated the restore of Exchange. Progent was also able to locate local OST files (Outlook Off-Line Folder Files) on various PCs and laptops to recover mail information. A not-too-old off-line backup of the client's accounting/MRP systems made it possible to bring these essential applications back online for users. Although significant work remained to recover fully from the Ryuk event, the most important services were restored quickly:


"For the most part, the assembly line operation showed little impact and we did not miss any customer orders."

Throughout the following month important milestones in the recovery project were made through close collaboration between Progent team members and the customer:

  • In-house web sites were restored without losing any data.
  • The MailStore email archive server for Exchange, holding more than four million historical emails, was brought online and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were 100 percent operational.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • 90% of the desktop computers were fully operational.

"Much of what occurred during the initial response is mostly a fog for me, but I will not soon forget the commitment each of the team accomplished to help get our business back. I've utilized Progent for the past ten years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This time was a stunning achievement."

Conclusion
A potential business disaster was averted by results-oriented experts, a wide array of technical expertise, and tight teamwork. In hindsight, the crypto-ransomware penetration detailed here would have been identified and stopped by modern security solutions and best practices, team training, and well thought out incident response procedures for information backup and keeping systems up to date with security patches. The fact remains, however, that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incursion, remember that Progent's roster of experts has substantial experience in crypto-ransomware defense, mitigation, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for making it so I could get some sleep after we got past the most critical parts. All of you did an amazing effort, and if any of your team is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Morgan Hill a portfolio of online monitoring and security evaluation services to help you to reduce your vulnerability to crypto-ransomware. These services incorporate modern AI technology to uncover new variants of ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates cutting edge behavior-based analysis technology to defend physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which routinely evade traditional signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform to address the entire malware attack lifecycle including protection, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver economical in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that meets your company's unique needs and that helps you demonstrate compliance with legal and industry information protection regulations. Progent will assist you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent can also help your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and medium-sized organizations an affordable end-to-end solution for reliable backup/disaster recovery (BDR). For a low monthly price, ProSight DPS automates and monitors your backup processes and enables rapid recovery of critical data, apps and virtual machines that have become lost or corrupted as a result of component failures, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises storage device, or to both. Progent's BDR specialists can deliver world-class expertise to configure ProSight DPS to be compliant with regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever needed, can help you to recover your critical information. Find out more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security vendors to deliver centralized control and comprehensive protection for all your email traffic. The powerful architecture of the Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email before it reaches your security perimeter. This reduces your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a further layer of analysis for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays within your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, optimize and troubleshoot their connectivity appliances like routers and switches, firewalls, and load balancers plus servers, endpoints and other devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology diagrams are always current, captures and manages the configuration of almost all devices on your network, tracks performance, and generates notices when issues are detected. By automating time-consuming network management activities, WAN Watch can cut hours off ordinary tasks like network mapping, reconfiguring your network, finding appliances that need important software patches, or resolving performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by checking the health of critical assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT management staff and your assigned Progent engineering consultant so that any looming issues can be resolved before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hardware environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect information about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as 50% of the time thrown away looking for vital information about your IT network. ProSight IT Asset Management features a common location for holding and collaborating on all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're making improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Learn more about ProSight IT Asset Management service.

For 24-7 Morgan Hill Ransomware Cleanup Consulting, reach out to Progent at 800-993-9400 or go to Contact Progent.