Ransomware : Your Feared IT Catastrophe
Crypto-ransomware has become an all-too-frequent cyber pandemic that represents an enterprise-level threat for businesses of all sizes unprepared for an assault. Multiple generations of ransomware such as Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for years and continue to inflict damage. Recent strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Lockbit or Egregor, along with additional as yet unnamed newcomers, not only encrypt on-line information but also infect any accessible system backup. Information synched to off-site disaster recovery sites can also be ransomed. In a poorly architected system, this renders automatic restore operations useless and effectively knocks the network back to square one.
Getting programs and information back on-line after a ransomware attack becomes a sprint against the clock as the targeted business fights to contain the damage, eradicate the ransomware and resume business-critical operations. Because ransomware requires time to move laterally, attacks are frequently sprung during weekends and nights, when they may take longer to identify. This multiplies the difficulty of promptly assembling and organizing a capable mitigation team.
Progent offers a variety of support services for protecting organizations from ransomware events. These include team training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus installation of next-generation security solutions with machine learning technology to intelligently detect and suppress new cyber attacks. Progent in addition provides the assistance of seasoned crypto-ransomware recovery consultants with the talent and commitment to re-deploy a compromised network as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
Soon after a crypto-ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will respond with the needed codes to decrypt any or all of your data. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never restored their files after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to re-install the essential components of your Information Technology environment. Absent access to essential system backups, this requires a broad range of IT skills, professional team management, and the capability to work non-stop until the job is complete.
For two decades, Progent has provided professional Information Technology services for businesses in Valencia and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned top certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience provides Progent the skills to knowledgably understand critical systems and integrate the remaining components of your computer network system after a ransomware attack and configure them into a functioning network.
Progent's security team of experts deploys state-of-the-art project management tools to coordinate the sophisticated restoration process. Progent knows the importance of working rapidly and in concert with a customer's management and IT staff to assign priority to tasks and to get key services back on-line as soon as possible.
Business Case Study: A Successful Crypto-Ransomware Attack Response
A small business escalated to Progent after their organization was crashed by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean government sponsored hackers, possibly adopting algorithms exposed from America's NSA organization. Ryuk attacks specific organizations with little tolerance for disruption and is one of the most profitable instances of ransomware. Major targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area and has about 500 employees. The Ryuk penetration had brought down all business operations and manufacturing capabilities. The majority of the client's backups had been online at the time of the intrusion and were damaged. The client considered paying the ransom (more than $200K) and hoping for the best, but in the end made the decision to use Progent.
"I can't say enough in regards to the care Progent gave us during the most critical time of (our) company's survival. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and essential applications back into operation sooner than seven days was something I thought impossible. Each consultant I worked with or texted at Progent was laser focused on getting us working again and was working 24 by 7 on our behalf."
Progent worked hand in hand with the client to rapidly assess and prioritize the essential services that needed to be restored to make it possible to continue departmental operations:
To get started, Progent followed industry best practices for malware incident mitigation by halting lateral movement and performing malware removal. Progent then initiated the process of recovering Windows Active Directory, the key technology of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not work without AD, and the client's MRP software used SQL Server, which requires Windows AD for authentication.
- Active Directory (AD)
In less than 48 hours, Progent was able to re-build Active Directory to its pre-attack state. Progent then accomplished setup and storage recovery of needed servers. All Microsoft Exchange Server schema and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to find non-encrypted OST data files (Outlook Offline Data Files) on staff desktop computers to recover mail data. A reasonably recent offline backup of the customer's accounting/ERP systems made it possible to restore these required applications and make them available to users again. Although major work still had to be done to recover totally from the Ryuk event, critical services were returned to operations rapidly:
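The mail recovery step above hinges on telling intact Outlook data files apart from copies the ransomware has already encrypted before anyone spends time importing them. The script below is an added example of that triage check, not Progent's tooling or anything from the case study: it walks a directory tree (for example a mounted workstation profile), finds OST/PST files, and classifies each one by whether it still begins with the Outlook NDB header magic `!BDN` (from the MS-PST file format specification); a file that has lost the header and whose leading bytes look like ciphertext is reported as encrypted. The sample files, their names and the `.locked` suffix are constructed for the demonstration only and do not represent any particular strain.

```python
"""Triage Outlook OST/PST files after a ransomware incident.

Added example (not the page's or Progent's code). Assumption: an intact
OST/PST file starts with the NDB header magic b"!BDN" (MS-PST dwMagic);
an encrypted copy will not. Only the file header is read, so the check is
cheap even for multi-gigabyte mail stores.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

OUTLOOK_MAGIC = b"!BDN"            # dwMagic of the PST/OST NDB header
OUTLOOK_EXTENSIONS = {".ost", ".pst"}
ENTROPY_THRESHOLD = 7.0            # bits/byte; ciphertext is close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; empty input yields 0.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_mailbox_file(path: Path, sample_size: int = 4096) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one candidate file."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if head.startswith(OUTLOOK_MAGIC):
        return "intact"
    # Header gone: high-entropy leading bytes indicate an encrypted copy;
    # anything else (truncated, renamed, plain text) needs a human look.
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "encrypted"
    return "unknown"


def is_mailbox_candidate(path: Path) -> bool:
    """Match .ost/.pst anywhere in the suffix chain, so a file renamed by
    ransomware (e.g. 'mail.ost.locked', constructed name) is still examined."""
    return any(s.lower() in OUTLOOK_EXTENSIONS for s in path.suffixes)


def triage_mailbox_files(root: Path) -> dict:
    """Walk `root` and group every OST/PST candidate by classification."""
    result = {"intact": [], "encrypted": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_mailbox_candidate(p):
                result[classify_mailbox_file(p)].append(str(p))
    return result


def build_sample_tree() -> Path:
    """Construct sample files (not real mailboxes) so the demo runs offline."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    (root / "alice").mkdir()
    (root / "bob").mkdir()
    # Intact store: correct magic followed by filler content.
    (root / "alice" / "alice.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 4092)
    # Encrypted store: magic gone, header replaced by uniform bytes standing
    # in for ciphertext (entropy exactly 8.0), renamed with a constructed suffix.
    (root / "bob" / "bob.ost.locked").write_bytes(bytes(range(256)) * 16)
    # Neither: a plain-text file that merely carries a .pst name.
    (root / "bob" / "archive.pst").write_bytes(b"not a mailbox\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for status, paths in triage_mailbox_files(sample_root).items():
        for p in paths:
            print(f"{status:9s} {p}")
```

Run it against a real profile directory by replacing `build_sample_tree()` with the mount point of the workstation; the "intact" list is the set of files worth copying off for import, and the "unknown" list is where renamed, truncated or partially written stores turn up and deserve a manual check before they are discarded.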
"For the most part, the assembly line operation showed little impact and we produced all customer shipments."
Over the next month important milestones in the recovery process were accomplished in close collaboration between Progent consultants and the customer:
- Self-hosted web applications were restored with no loss of information.
- The MailStore Microsoft Exchange Server containing more than 4 million archived emails was brought online and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent recovered.
- A new Palo Alto Networks 850 firewall was installed.
- Ninety percent of the desktops and laptops were back in use by staff.
"So much of what went on in the early hours is mostly a blur for me, but we will not forget the care each and every one of your team accomplished to help get our company back. I've utilized Progent for the past ten years, possibly more, and every time Progent has shined and delivered. This event was a testament to your capabilities."
A probable business-ending catastrophe was evaded by results-oriented experts, a wide array of IT skills, and tight collaboration. In hindsight, the ransomware attack described here could have been stopped by up-to-date security systems and security best practices, user and IT administrator training, well thought out incident response procedures for data protection, and keeping systems current with security patches. The fact remains that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware penetration, remember that Progent's team of professionals has a proven track record in ransomware virus defense, removal, and file disaster recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for letting me get rested after we got over the initial fire. Everyone did an amazing effort, and if anyone is around the Chicago area, a great meal is my treat!"
To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Valencia a variety of remote monitoring and security evaluation services to assist you to reduce the threat from crypto-ransomware. These services utilize modern AI capability to detect zero-day strains of ransomware that can get past legacy signature-based anti-virus products.
For 24x7x365 Valencia CryptoLocker Repair Services, reach out to Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior machine learning technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud resources and offers a single platform to manage the complete threat lifecycle including filtering, detection, mitigation, remediation, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, penetration alarms, endpoint management, and web filtering via leading-edge tools incorporated within a single agent accessible from a single control. Progent's data protection and virtualization experts can help you to design and configure a ProSight ESP deployment that addresses your company's unique needs and that helps you demonstrate compliance with legal and industry data protection standards. Progent will assist you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent's consultants can also help you to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and mid-sized businesses an affordable and fully managed service for reliable backup/disaster recovery (BDR). Available at a fixed monthly price, ProSight Data Protection Services automates and monitors your backup activities and allows rapid recovery of vital files, apps and VMs that have become unavailable or corrupted as a result of component failures, software glitches, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's cloud backup consultants can deliver world-class expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory standards such as HIPAA, FINRA, and PCI and, whenever needed, can help you to recover your business-critical data. Learn more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security vendors to provide centralized control and comprehensive protection for your inbound and outbound email. The layered architecture of Email Guard combines cloud-based filtering with a local security gateway device to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and blocks the vast majority of threats from making it to your network firewall. This decreases your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises gateway device adds a further level of inspection for inbound email. For outbound email, the local security gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays inside your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, track, enhance and debug their networking hardware like switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are kept updated, captures and displays the configuration of virtually all devices on your network, monitors performance, and sends notices when potential issues are detected. By automating complex management processes, WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, locating appliances that require important software patches, or resolving performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management techniques to keep your network running at peak levels by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT personnel and your assigned Progent consultant so any looming problems can be resolved before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a fast virtual host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hosting environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect information related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can eliminate up to 50% of time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're making improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about ProSight IT Asset Management service.