Ransomware: Your Feared IT Disaster

Ransomware Recovery Professionals

Ransomware has become an all-too-frequent cyberplague that represents an enterprise-level threat for businesses of all sizes that are poorly prepared for an attack. Older versions of ransomware such as CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for a long time and still cause damage. Recent variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, as well as daily unnamed variants, not only encrypt on-line files but also defeat many of the protection mechanisms a system has in place. Files replicated to off-site disaster recovery sites can also be corrupted. In a vulnerable system, this can make any recovery impossible and effectively knocks the network back to zero.

Recovering services and data after a ransomware event becomes a sprint against the clock as the victim struggles to stop the spread, eradicate the ransomware, and resume mission-critical activity. Since crypto-ransomware needs time to spread, attacks are often launched at night, when a successful penetration is likely to take longer to detect. This multiplies the difficulty of rapidly mobilizing and orchestrating a knowledgeable response team.

Progent makes available a variety of services for protecting enterprises from ransomware attacks. These include user education to help staff recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of next-generation security gateways with AI technology to rapidly identify and extinguish new threats. Progent also offers the services of experienced ransomware recovery engineers with the skills and perseverance to re-deploy a breached system as soon as possible.

Progent's Ransomware Recovery Support Services
After a ransomware attack, even paying the ransom in Bitcoin cryptocurrency provides no assurance that merciless criminals will return the keys to decrypt all your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the average crypto-ransomware demand, which ZDNET determined to be in the range of $13,000. The other path is to set up the key parts of your IT environment from scratch. Without essential system backups, this requires a broad range of skill sets, well-coordinated team management, and the ability to work continuously until the recovery project is finished.

For twenty years, Progent has offered expert Information Technology services for companies in Walnut Creek and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP application software. This breadth of expertise gives Progent the capability to quickly identify critical systems, organize the remaining pieces of your computer network environment after a ransomware event, and configure them into a functioning system.

Progent's recovery team deploys state-of-the-art project management systems to orchestrate the complicated restoration process. Progent knows the urgency of working swiftly and in concert with a customer's management and IT resources to prioritize tasks and to put the most important applications back on line as fast as humanly possible.

Client Story: A Successful Crypto-Ransomware Attack Restoration
A business engaged Progent after their company was brought down by the Ryuk ransomware virus. Ryuk is thought to have been created by North Korean state-sponsored cybercriminals, suspected of using techniques leaked from the U.S. NSA. Ryuk targets specific businesses with limited tolerance for disruption and is one of the most lucrative versions of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer located in Chicago with around 500 workers. The Ryuk penetration had brought down all company operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the start of the intrusion and were encrypted. The client was evaluating paying the ransom demand (in excess of $200,000) and hoping for the best, but ultimately reached out to Progent.


"I can't thank you enough in regards to the support Progent gave us throughout the most fearful period of (our) business's life. We would have paid the cyber criminals except for the confidence the Progent experts provided us. The fact that you could get our messaging and essential servers back on-line quicker than five days was earth shattering. Every single expert I interacted with or e-mailed at Progent was hell bent on getting us operational and was working breakneck pace on our behalf."

Progent worked with the client to rapidly identify and assign priority to the most important elements that had to be restored to make it possible to restart company functions:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • Financials/MRP

To begin, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and disinfecting systems. Progent then initiated the process of recovering Active Directory, the foundation of enterprise networks built on Microsoft Windows Server technology. Exchange messaging will not function without AD, and the client's accounting and MRP applications relied on Microsoft SQL Server, which needs Windows AD for access to the databases.

In less than two days, Progent was able to re-build Active Directory to its pre-penetration state. Progent then carried out setup and hard drive recovery on key systems. All Exchange data and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to locate intact OST data files (Microsoft Outlook Off-Line Data Files) on team PCs and laptops to recover email data. A reasonably recent off-line backup of the client's financials/MRP software made it possible to restore these required programs to servicing users. Although a lot of work remained to recover fully from the Ryuk damage, the most important services were restored rapidly:

"For the most part, the assembly line operation never missed a beat and we produced all customer sales."

Over the next month critical milestones in the restoration process were accomplished through close collaboration between Progent consultants and the customer:

  • In-house web sites were brought back up without losing any information.
  • The MailStore Server with over 4 million historical messages was spun up and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were 100% functional.
  • A new Palo Alto 850 security appliance was brought online.
  • Nearly all of the user PCs were operational.

"A huge amount of what was accomplished those first few days is mostly a haze for me, but we will not forget the commitment all of your team put in to help get our business back. I have been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This time was a testament to your capabilities."

Conclusion
A possible business extinction catastrophe was averted through the efforts of top-tier professionals, a broad range of subject matter expertise, and tight teamwork. Although in hindsight the crypto-ransomware penetration described here would have been identified and prevented with up-to-date cyber security systems and security best practices, team training, and well-designed incident response procedures for information backup and proper patching controls, the fact is that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware incident, you can be confident that Progent's team of professionals has proven experience in ransomware defense, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were involved), thank you for making it so I could get rested after we got over the initial fire. Everyone did an impressive effort, and if anyone that helped is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Walnut Creek a range of online monitoring and security assessment services to help you to minimize the threat from crypto-ransomware. These services utilize next-generation AI capability to uncover zero-day variants of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates next-generation behavioral machine learning technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to automate the full threat lifecycle including blocking, identification, containment, cleanup, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical in-depth security for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device control, and web filtering through leading-edge technologies incorporated within a single agent accessible from a single console. Progent's data protection and virtualization consultants can help you to plan and implement a ProSight ESP deployment that meets your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry information protection standards. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate attention. Progent's consultants can also help you to set up and test a backup and restore solution like ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and medium-sized organizations an affordable end-to-end service for secure backup and disaster recovery. For a fixed monthly cost, ProSight Data Protection Services automates and monitors your backup processes and enables rapid recovery of critical data, apps and virtual machines that have become lost or corrupted as a result of hardware breakdowns, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you protect, recover and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Critical data can be backed up to the cloud, to an on-premises device, or to both. Progent's cloud backup specialists can provide world-class expertise to configure ProSight Data Protection Services to comply with government and industry regulatory standards like HIPAA, FINRA, PCI and Safe Harbor and, whenever necessary, can help you to restore your business-critical information. Learn more about ProSight DPS Managed Cloud Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security vendors to provide web-based control and comprehensive security for your email traffic. The hybrid structure of Email Guard integrates a Cloud Protection Layer with an on-premises security gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and blocks most threats from reaching your security perimeter. This reduces your exposure to external threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further level of analysis for inbound email. For outgoing email, the local gateway provides AV and anti-spam protection, DLP, and email encryption. The local gateway can also work with Microsoft Exchange Server to track and protect internal email traffic that stays inside your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, monitor, enhance and debug their networking appliances such as routers, firewalls, and access points plus servers, client computers and other devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that network maps are always updated, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when problems are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, reconfiguring your network, locating devices that need critical updates, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by checking the state of the critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your specified IT management staff and your assigned Progent engineering consultant so that potential problems can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the applications. Since the environment is virtualized, it can be ported immediately to a different hosting solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and managing your network documentation, you can save up to half of the time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're making improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

For Walnut Creek 24-7 Ransomware Repair Experts, contact Progent at 800-993-9400 or go to Contact Progent.