Ransomware: Your Crippling Information Technology Disaster
Ransomware has become an escalating cyber plague that represents an extinction-level danger for businesses vulnerable to an attack. Multiple generations of ransomware such as the CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been in the wild for a long time and still inflict harm. Modern ransomware families like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Egregor, plus additional unnamed variants, not only encrypt critical online data but also go after every system protection mechanism they can reach. Information synced to the cloud can also be corrupted. In a poorly designed environment, this can make any recovery impossible and essentially sets the network back to square one.
Getting services and data back online following a ransomware intrusion becomes a sprint against time as the targeted organization tries to contain the damage, eradicate the malware and restore business-critical operations. Because ransomware needs time to spread, attacks are usually launched during weekends and nights, when a successful penetration tends to take longer to notice. This compounds the difficulty of rapidly mobilizing and orchestrating a capable mitigation team.
Progent offers a range of solutions for protecting businesses from ransomware penetrations. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of modern security gateways with AI technology to rapidly identify and disable new cyber attacks. Progent also provides the assistance of experienced ransomware recovery consultants with the track record and perseverance to rebuild a breached environment as rapidly as possible.
Progent's Ransomware Recovery Services
After a ransomware attack, paying the ransom demand in Bitcoin does not provide any assurance that the attackers will respond with the keys needed to decrypt all your information. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNet determined to be around $13,000. The fallback is to rebuild the essential components of your IT environment. Without complete system backups, this requires a broad range of IT skills, top-notch project management, and the capability to work non-stop until the job is done.
For twenty years, Progent has provided professional IT services for companies in Napa and across the United States and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in foundation technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally renowned industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC (visit Progent's certifications). Progent also has expertise in financial systems and ERP software solutions. This breadth of expertise gives Progent the ability to rapidly understand important systems, organize the surviving pieces of your IT environment following a ransomware attack, and configure them into an operational network.
Progent's security team uses best-of-breed project management applications to orchestrate the complicated restoration process. Progent knows the importance of working swiftly and together with a client's management and IT resources to prioritize tasks and get critical services back online as soon as possible.
Business Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A small business engaged Progent after their company was crashed by the Ryuk ransomware virus. Ryuk is thought to have been launched by North Korean government-sponsored hackers, suspected of adopting technology leaked from America's National Security Agency. Ryuk targets specific companies with limited ability to sustain disruption and is one of the most lucrative versions of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in Chicago with around 500 employees. The Ryuk penetration had brought down all essential business and manufacturing processes. Most of the client's backup data had been directly accessible from the network at the beginning of the attack and was eventually encrypted. The client was actively seeking loans to pay the ransom demand (exceeding $200K) and hoping for the best, but in the end brought in Progent.
"I can't speak enough about the care Progent gave us during the most stressful period of (our) company's survival. We would have paid the criminal gangs if not for the confidence the Progent group gave us. That you were able to get our e-mail system and key servers back on-line in less than one week was amazing. Each expert I talked with or e-mailed at Progent was amazingly focused on getting us operational and was working breakneck pace to bail us out."
Progent worked with the customer to rapidly identify and prioritize the mission-critical applications that had to be recovered in order to resume departmental functions:
- Windows Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To begin, Progent followed incident response best practices by halting the spread and performing malware removal steps. Progent then started bringing Windows Active Directory back online, the core of enterprise environments built on Microsoft technology. Exchange email will not function without Windows AD, and the client's MRP system relied on SQL Server, which depends on Active Directory services for authentication to the databases.
Within 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then performed rebuilding and storage recovery on mission-critical servers. All Exchange Server ties and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to find intact OST files (Microsoft Outlook Offline Folder files) on staff desktop computers and laptops and used them to recover email data. A relatively recent offline backup of the customer's financial/ERP systems made it possible to bring these required services back online. Although a lot of work remained to recover completely from the Ryuk attack, critical services were restored rapidly:
"For the most part, the assembly line operation did not miss a beat and we produced all customer orders."
Over the following few weeks important milestones in the recovery project were achieved through close collaboration between Progent team members and the customer:
- Internal web sites were restored with no loss of information.
- The MailStore Exchange Server with over four million archived emails was spun up and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivable (AR)/Inventory capabilities were completely operational.
- A new Palo Alto Networks 850 firewall was installed.
- Most of the user PCs were functioning as before the incident.
"So much of what occurred in the early hours is nearly entirely a fog for me, but we will not soon forget the care each of you put in to give us our company back. I've been working with Progent for at least 10 years, possibly more, and each time Progent has come through and delivered as promised. This event was a stunning achievement."
A likely business extinction catastrophe was averted through hard-working professionals, a wide range of technical expertise, and tight collaboration. In retrospect, the crypto-ransomware attack described here should have been identified and disabled by up-to-date security solutions, NIST Cybersecurity Framework best practices, team training, well thought out incident response procedures for information protection, and proper patching controls. The fact remains that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware virus, remember that Progent's team of experts has extensive experience in crypto-ransomware virus blocking, remediation, and file disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were contributing), thank you for making it so I could get some sleep after we got over the initial push. Everyone did an incredible effort, and if anyone is around the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Napa a variety of remote monitoring and security assessment services to help you to minimize the threat from crypto-ransomware. These services utilize next-generation machine learning capability to detect new variants of ransomware that are able to get past legacy signature-based anti-virus products.
For Napa 24/7/365 Crypto Cleanup Consultants, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior-based analysis technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily evade traditional signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to automate the entire threat lifecycle including blocking, detection, containment, cleanup, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to security threats from all vectors. ProSight ESP offers firewall protection, penetration alerts, device management, and web filtering through cutting-edge technologies incorporated within a single agent accessible from a single console. Progent's security and virtualization consultants can help your business to plan and implement a ProSight ESP environment that addresses your organization's specific needs and that helps you prove compliance with government and industry information security standards. Progent will assist you in specifying and configuring the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require immediate attention. Progent can also help you to set up and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and mid-sized organizations a low-cost and fully managed solution for secure backup and disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows rapid recovery of vital files, applications and VMs that have become unavailable or damaged due to hardware failures, software glitches, natural disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to a local storage device, or to both. Progent's backup and recovery specialists can provide advanced expertise to configure ProSight Data Protection Services to comply with government and industry regulatory requirements like HIPAA, FINRA, and PCI and, when needed, can assist you to recover your critical data. Find out more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security vendors to provide centralized control and world-class protection for all your email traffic. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway appliance to provide complete defense against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and blocks the vast majority of threats before they reach your network firewall. This decreases your exposure to external threats and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper level of analysis for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and safeguard internal email that originates and ends within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to map, track, enhance and debug their connectivity appliances such as routers, firewalls, and wireless controllers as well as servers, printers, client computers and other devices. Using cutting-edge RMM technology, WAN Watch ensures that infrastructure topology maps are always up to date, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates notices when problems are detected. By automating time-consuming network management processes, WAN Watch can cut hours off ordinary chores such as network mapping, reconfiguring your network, locating appliances that need important software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by tracking the state of the vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT staff and your Progent consultant so that potential problems can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault-tolerant data center on a high-performance virtual host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Because the system is virtualized, it can be ported immediately to a different hosting environment without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard data about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or domains. By updating and managing your IT documentation, you can eliminate up to 50% of the time spent trying to find vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.