Ransomware : Your Crippling Information Technology Nightmare
Crypto-Ransomware Remediation Experts

Crypto-ransomware has become a modern cyberplague that presents an extinction-level threat for businesses of all sizes vulnerable to an attack. Different iterations of ransomware like the CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and continue to cause destruction. Newer variants of crypto-ransomware such as Ryuk and Hermes, along with daily as-yet-unnamed strains, not only encrypt critical online data but also defeat most configured system protections. Information synced to the cloud can also be ransomed. In a vulnerable environment, ransomware can render automatic restoration useless and effectively knock the entire system back to square one.

Restoring programs and data after a ransomware event becomes a sprint against the clock as the targeted organization fights to stop lateral movement, eradicate the ransomware, and resume enterprise-critical activity. Since ransomware takes time to replicate, attacks are usually launched at night, when successful intrusions are likely to take longer to recognize. This compounds the difficulty of rapidly assembling and orchestrating a qualified response team.

Progent makes available an assortment of support services for securing enterprises against ransomware penetrations. These include user training to help staff identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of next-generation security solutions with machine learning technology to intelligently detect and quarantine zero-day cyber attacks. Progent also provides the assistance of expert crypto-ransomware recovery consultants with the talent and perseverance to re-deploy a breached network as urgently as possible.

Progent's Ransomware Restoration Services
Following a crypto-ransomware event, paying the ransom demanded in cryptocurrency does not provide any assurance that merciless criminals will respond with the keys needed to decipher any of your files. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their information even after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the usual crypto-ransomware demand, which ZDNET estimates to be around $13,000. The other path is to re-install the mission-critical components of your IT environment. Without access to essential system backups, this calls for a broad complement of skills, top-notch team management, and the willingness to work continuously until the recovery project is over.

For twenty years, Progent has provided expert Information Technology services for businesses in Carlsbad and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have earned top certifications in important technologies from Microsoft, Cisco, and VMware and in major distributions of Linux. Progent's cyber security experts have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent in addition has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the skills to quickly identify critical systems following a crypto-ransomware attack, integrate the remaining components of your IT environment, and assemble them into a functioning network.

Progent's ransomware team uses best-of-breed project management applications to coordinate the complex restoration process. Progent understands the importance of acting rapidly and in unison with a client's management and IT resources to assign priority to tasks and to get essential applications back online as fast as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Virus Restoration
A business contacted Progent after their company was brought down by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean government-sponsored cybercriminals, suspected of adopting techniques exposed from the U.S. National Security Agency. Ryuk targets specific organizations with limited tolerance for operational disruption and is among the most profitable incarnations of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in Chicago with about 500 workers. The Ryuk event had brought down all business operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the beginning of the intrusion and were destroyed. The client was taking steps toward paying the ransom (more than $200,000) and hoping for good luck, but in the end reached out to Progent.

"I can't speak enough in regards to the care Progent gave us throughout the most critical period of (our) business's life. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent experts provided us. That you could get our e-mail and critical servers back online in less than 1 week was beyond my wildest dreams. Every single staff member I talked with or e-mailed at Progent was amazingly focused on getting our company operational and was working all day and night to bail us out."

Progent worked together with the customer to rapidly identify and prioritize the most important services that had to be recovered to make it possible to resume company operations:

  • Microsoft Active Directory
  • Electronic Mail
  • Financials/MRP

To begin, Progent followed industry best practices for anti-virus/malware incident mitigation by isolating and disinfecting systems. Progent then started the process of rebuilding Windows Active Directory, the key technology of enterprise environments built upon Microsoft Windows Server. Exchange email will not function without Windows AD, and the business's accounting and MRP system utilized Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the databases.

Within 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then assisted with setup and storage recovery of the needed servers. All Exchange Server schema and configuration information was intact, which accelerated the restoration of Exchange. Progent was able to recover intact OST files (Microsoft Outlook Offline Folder Files) from staff PCs and laptops to restore email messages. A recent offline backup of the customer's accounting/MRP systems made it possible to return these essential applications to service. Although a large amount of work was left to recover totally from the Ryuk attack, essential services were restored quickly:

"For the most part, the production line operation did not miss a beat and we made all customer sales."

Over the following couple of weeks key milestones in the recovery project were achieved through tight cooperation between Progent team members and the client:

  • Internal web applications were brought back up without losing any information.
  • The MailStore archive server for Microsoft Exchange, containing more than 4 million historical messages, was brought online and made accessible to users.
  • CRM/Orders/Invoicing/AP/Accounts Receivable/Inventory functions were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was set up.
  • 90% of the user desktops and notebooks were fully operational.

"Much of what occurred in the early hours is nearly entirely a fog for me, but my management will not forget the dedication each and every one of you accomplished to give us our business back. I've trusted Progent for at least 10 years, maybe more, and every time Progent has shined and delivered. This time was a testament to your capabilities."

Conclusion
A potential business-killing catastrophe was avoided with hard-working experts, a broad array of technical expertise, and close collaboration. Although, in post-mortem analysis, the ransomware attack described here should have been stopped by current security technology and best practices, by user and IT administrator training, and by well-thought-out procedures for data backup and proper patching controls, the fact remains that state-sponsored cyber criminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a crypto-ransomware incident, remember that Progent's team of professionals has a proven track record in ransomware defense, remediation, and file restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for making it so I could get rested after we made it past the first week. All of you did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this case study, please click: Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Carlsbad a portfolio of remote monitoring and security assessment services to help you minimize the threat from ransomware. These services include modern artificial intelligence capabilities to uncover new variants of ransomware that can evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting-edge behavior analysis tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and fileless exploits, which routinely evade legacy signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to automate the complete threat lifecycle, including filtering, identification, mitigation, cleanup, and post-attack forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service and automatic system-wide immunization against newly detected attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver economical in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and react to cyber assaults from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge technologies incorporated within one agent and managed from a single console. Progent's security and virtualization experts can assist your business to plan and configure a ProSight ESP environment that meets your company's specific needs and that helps you achieve and demonstrate compliance with legal and industry data security standards. Progent will assist you in defining and implementing the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate action. Progent can also assist your company to set up and test a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly after a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized businesses a low-cost end-to-end solution for secure backup/disaster recovery (BDR). Available at a fixed monthly cost, ProSight DPS automates and monitors your backup processes and enables fast restoration of vital data, applications and VMs that have become lost or corrupted as a result of component failures, software bugs, natural disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises device, or mirrored to both. Progent's cloud backup specialists can deliver world-class support to set up ProSight Data Protection Services to comply with government and industry regulatory standards such as HIPAA, FERPA, and PCI and, when needed, can assist you to restore your critical information. Learn more about ProSight Data Protection Services Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading data security companies to provide web-based control and comprehensive security for all your email traffic. The powerful architecture of Email Guard combines cloud-based filtering with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to external threats and saves system bandwidth and storage space. Email Guard's onsite security gateway device provides a further level of inspection for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam filtering, DLP, and email encryption. The local gateway can also help Exchange Server track and protect internal email traffic that originates and ends inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, monitor, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and wireless controllers, plus servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are kept up to date, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are discovered. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, locating devices that need critical updates, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating at peak levels by tracking the state of the critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your specified IT management staff and your assigned Progent consultant so that looming problems can be resolved before they disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure, fault-tolerant data center on a fast virtual host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Because the system is virtualized, it can be ported immediately to a different hardware platform without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard information related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can save up to half of the time spent trying to find critical information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require when you need it. Learn more about the ProSight IT Asset Management service.

For Carlsbad 24/7 Ransomware Removal Experts, call Progent at 800-993-9400 or go to Contact Progent.