Ransomware : Your Feared Information Technology Disaster
Crypto-Ransomware  Remediation ConsultantsRansomware has become an escalating cyberplague that represents an extinction-level danger for organizations unprepared for an assault. Different versions of ransomware such as CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been circulating for years and continue to inflict damage. More recent strains of ransomware such as Ryuk and Hermes, as well as daily as yet unnamed malware, not only do encryption of online data but also infiltrate most configured system backup. Information synchronized to the cloud can also be encrypted. In a vulnerable data protection solution, this can make automated recovery hopeless and effectively knocks the network back to zero.

Retrieving applications and data following a ransomware intrusion becomes a race against time as the targeted business tries its best to stop the spread and clear the ransomware and to resume business-critical operations. Due to the fact that ransomware requires time to move laterally, assaults are frequently sprung at night, when successful penetrations are likely to take more time to notice. This multiplies the difficulty of quickly marshalling and coordinating an experienced mitigation team.

Progent has an assortment of services for protecting businesses from ransomware penetrations. Among these are team member education to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security solutions with machine learning capabilities to intelligently detect and disable zero-day threats. Progent in addition offers the services of seasoned ransomware recovery consultants with the skills and perseverance to re-deploy a compromised environment as soon as possible.

Progent's Crypto-Ransomware Recovery Services
Subsequent to a ransomware attack, even paying the ransom demands in cryptocurrency does not ensure that cyber hackers will return the keys to decrypt all your information. Kaspersky estimated that 17% of ransomware victims never recovered their information even after having sent off the ransom, resulting in more losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the usual crypto-ransomware demands, which ZDNET estimates to be approximately $13,000. The alternative is to piece back together the vital elements of your IT environment. Absent the availability of complete system backups, this calls for a wide complement of IT skills, top notch team management, and the willingness to work continuously until the job is done.

For two decades, Progent has provided expert Information Technology services for companies in Palo Alto and across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded high-level certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with accounting and ERP software solutions. This breadth of experience affords Progent the capability to efficiently identify important systems and consolidate the surviving components of your computer network system after a crypto-ransomware event and configure them into an operational system.

Progent's ransomware team of experts has state-of-the-art project management systems to coordinate the complicated recovery process. Progent knows the importance of working swiftly and in concert with a customerís management and Information Technology resources to assign priority to tasks and to put the most important systems back on line as fast as possible.

Customer Story: A Successful Ransomware Virus Response
A small business hired Progent after their network system was penetrated by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state sponsored hackers, suspected of adopting strategies exposed from Americaís NSA organization. Ryuk seeks specific organizations with little ability to sustain operational disruption and is among the most profitable instances of ransomware. Well Known victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area and has about 500 workers. The Ryuk event had shut down all company operations and manufacturing processes. Most of the client's system backups had been on-line at the beginning of the intrusion and were destroyed. The client was actively seeking loans for paying the ransom demand (more than $200K) and wishfully thinking for good luck, but ultimately made the decision to use Progent.


"I canít thank you enough about the expertise Progent gave us throughout the most fearful time of (our) businesses survival. We would have paid the cyber criminals behind the attack if it wasnít for the confidence the Progent experts gave us. That you were able to get our e-mail and production servers back into operation quicker than one week was something I thought impossible. Each expert I got help from or communicated with at Progent was amazingly focused on getting us working again and was working day and night on our behalf."

Progent worked hand in hand the customer to quickly assess and prioritize the mission critical elements that needed to be restored to make it possible to restart business operations:

  • Active Directory
  • Microsoft Exchange
  • Accounting and Manufacturing Software
To begin, Progent followed AV/Malware Processes incident mitigation best practices by halting the spread and clearing infected systems. Progent then initiated the task of bringing back online Active Directory, the key technology of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange messaging will not work without Windows AD, and the customerís MRP system used Microsoft SQL Server, which requires Active Directory services for authentication to the data.

In less than 48 hours, Progent was able to recover Active Directory to its pre-virus state. Progent then accomplished rebuilding and storage recovery of needed systems. All Exchange Server schema and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Email Offline Data Files) on various desktop computers and laptops in order to recover email messages. A not too old offline backup of the client's manufacturing systems made them able to recover these required programs back available to users. Although a lot of work still had to be done to recover fully from the Ryuk damage, critical systems were restored quickly:


"For the most part, the production line operation was never shut down and we delivered all customer deliverables."

Throughout the following few weeks important milestones in the restoration process were made through close collaboration between Progent consultants and the client:

  • Internal web sites were restored with no loss of data.
  • The MailStore Server with over four million historical emails was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control modules were completely recovered.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Most of the desktop computers were being used by staff.

"A huge amount of what was accomplished in the early hours is nearly entirely a blur for me, but we will not soon forget the dedication all of you put in to give us our business back. Iíve entrusted Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This time was a stunning achievement."

Conclusion
A probable business-ending catastrophe was averted by hard-working professionals, a wide spectrum of technical expertise, and tight teamwork. Although upon completion of forensics the ransomware virus attack described here could have been blocked with up-to-date security systems and best practices, user training, and well designed security procedures for information backup and applying software patches, the fact is that state-sponsored hackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incident, feel confident that Progent's team of experts has proven experience in crypto-ransomware virus blocking, removal, and file restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for letting me get rested after we got over the initial fire. All of you did an amazing effort, and if any of your team is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Palo Alto a variety of online monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services utilize next-generation AI capability to detect new strains of ransomware that can get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next generation behavior-based analysis tools to guard physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which easily escape legacy signature-based AV tools. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform to automate the complete malware attack progression including protection, identification, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides firewall protection, penetration alerts, endpoint management, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a single control. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP deployment that meets your organization's specific needs and that allows you prove compliance with government and industry information protection standards. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent action. Progent's consultants can also assist you to set up and test a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized businesses an affordable end-to-end solution for secure backup/disaster recovery (BDR). For a low monthly price, ProSight Data Protection Services automates and monitors your backup processes and enables rapid recovery of vital data, apps and VMs that have become lost or corrupted due to component failures, software glitches, natural disasters, human error, or malicious attacks like ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images/. Important data can be backed up on the cloud, to a local device, or mirrored to both. Progent's cloud backup specialists can deliver world-class expertise to configure ProSight DPS to to comply with government and industry regulatory requirements such as HIPPA, FINRA, and PCI and, when necessary, can assist you to recover your critical information. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security companies to deliver centralized management and world-class protection for all your email traffic. The hybrid structure of Email Guard combines cloud-based filtering with a local security gateway device to provide advanced defense against spam, viruses, Dos Attacks, DHAs, and other email-based threats. The Cloud Protection Layer serves as a first line of defense and keeps most threats from reaching your security perimeter. This decreases your vulnerability to external attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper level of analysis for inbound email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to diagram, track, optimize and debug their networking hardware such as routers and switches, firewalls, and load balancers plus servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are kept updated, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating time-consuming management activities, WAN Watch can knock hours off common tasks such as network mapping, expanding your network, locating devices that require important software patches, or isolating performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progentís server and desktop monitoring managed service that uses advanced remote monitoring and management technology to keep your IT system operating at peak levels by checking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT management personnel and your Progent consultant so any looming problems can be resolved before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved easily to an alternate hosting environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSLs or warranties. By updating and organizing your IT documentation, you can eliminate up to half of time spent trying to find critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether youíre making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about ProSight IT Asset Management service.
For Palo Alto 24/7/365 Ransomware Cleanup Services, contact Progent at 800-993-9400 or go to Contact Progent.