Ransomware: Your Crippling Information Technology Catastrophe
Crypto-ransomware has become a modern cyberplague that presents an existential danger to businesses of all sizes that are poorly prepared for an attack. Ransomware families such as CryptoLocker, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and continue to cause harm. The latest variants, such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, as well as frequent unnamed newcomers, not only encrypt online critical data but also seek out and destroy every reachable system backup. Data synced to off-site disaster recovery sites can also be rendered useless. In a poorly designed data protection solution, this can make automated restore operations impossible and effectively sets the network back to square one.
Recovering programs and data after a ransomware intrusion becomes a race against time as the targeted business struggles to stop the spread, clean up the ransomware and resume business-critical operations. Because ransomware needs time to move laterally, attacks are frequently sprung on weekends and at night, when intrusions often take longer to discover. This compounds the difficulty of quickly assembling and coordinating a qualified mitigation team.
Progent offers a range of solutions for protecting enterprises from ransomware attacks. These include staff training to help employees recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security appliances with AI capabilities that automatically detect and suppress new cyber attacks. Progent can also provide veteran ransomware recovery professionals with the skills and perseverance to restore a breached network as quickly as possible.
Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware event, even paying the ransom in cryptocurrency gives no assurance that distant criminals will return the keys needed to decrypt any of your data. Kaspersky determined that 17% of ransomware victims never recovered their information even after sending the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the average crypto-ransomware demand, which ZDNET determined to be in the range of $13,000. The other path is to rebuild the mission-critical parts of your IT environment. Without access to essential data backups, this calls for a wide complement of skills, well-coordinated team management, and the willingness to work 24x7 until the task is complete.
For decades, Progent has offered expert Information Technology services to companies in Walnut Creek and throughout the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial systems and ERP applications. This breadth of expertise allows Progent to quickly understand the required systems, consolidate the surviving components of your Information Technology environment following a crypto-ransomware event, and rebuild them into an operational network.
Progent's security team uses powerful project management applications to orchestrate the complex restoration process. Progent understands the urgency of acting rapidly and in concert with a client's management and IT team members to prioritize tasks and to bring key systems back online as soon as possible.
Customer Case Study: A Successful Ransomware Virus Restoration
A business escalated to Progent after its organization was brought down by the Ryuk crypto-ransomware. Ryuk is generally believed to have been deployed by North Korean government-sponsored cybercriminals, suspected of using technology leaked from the United States National Security Agency. Ryuk targets organizations with little or no tolerance for operational disruption and is among the most profitable strains of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk event had brought down all company operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the time of the attack and were destroyed. The client was preparing to pay the ransom (exceeding two hundred thousand dollars) and hope for the best, but in the end brought in Progent.
"I can't say enough in regards to the support Progent gave us during the most critical time of (our) company's life. We would have paid the cyber criminals if not for the confidence the Progent group provided us. The fact that you were able to get our messaging and key applications back on-line quicker than one week was beyond my wildest dreams. Each staff member I spoke to or communicated with at Progent was urgently focused on getting us back online and was working breakneck pace on our behalf."
Progent worked with the customer to rapidly understand and prioritize the essential areas that had to be restored in order to continue company operations:
- Windows Active Directory
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To start, Progent followed anti-virus incident mitigation best practices by halting lateral movement and cleaning infected systems. Progent then began rebuilding Microsoft Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the client's financials and MRP software used Microsoft SQL Server, which relied on Active Directory for authentication to the databases.
In less than 48 hours, Progent restored Active Directory services to their pre-attack state. Progent then rebuilt and recovered the disks of the most important systems. All Exchange Server data and attributes were intact, which facilitated the restore of Exchange. Progent was also able to find unencrypted OST files (Microsoft Outlook Offline Folder Files) on various desktop computers and laptops and used them to recover email messages. A reasonably recent offline backup of the customer's accounting/ERP systems made it possible to bring these required programs back online. Although significant work remained to recover fully from the Ryuk attack, critical services were restored rapidly:
"For the most part, the production operation was never shut down and we made all customer orders."
During the following weeks, key milestones in the recovery process were reached in close cooperation between Progent engineers and the customer:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore Server, holding more than 4 million archived messages, was brought back up and made accessible to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivable/Inventory Control capabilities were 100 percent recovered.
- A new Palo Alto 850 firewall was installed.
- Most of the user desktops and notebooks were back in use by staff.
"Much of what went on that first week is nearly entirely a fog for me, but my management will not forget the dedication all of the team put in to give us our business back. I've trusted Progent for at least 10 years, possibly more, and each time Progent has shined and delivered as promised. This event was no exception but maybe more Herculean."
A potential business-ending catastrophe was averted by dedicated experts, a wide range of IT skills, and close teamwork. Although in retrospect the ransomware intrusion described here should have been blocked by current security solutions and recognized best practices, staff education, and well-designed procedures for isolated backups and proper patching, the fact remains that government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and an ongoing threat. If you are hit by ransomware, remember that Progent's team of professionals has substantial experience in ransomware defense, mitigation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were helping), thank you for making it so I could get rested after we got past the initial push. Everyone did a fabulous effort, and if anyone is in the Chicago area, dinner is on me!"
To read or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Walnut Creek a portfolio of remote monitoring and security evaluation services designed to help minimize the threat from crypto-ransomware. These services incorporate modern machine learning technology to detect zero-day strains of crypto-ransomware that escape detection by traditional signature-based anti-virus products.
For Walnut Creek 24/7/365 crypto-ransomware recovery consulting, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based analysis technology to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily get past legacy signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a unified platform to manage the entire threat lifecycle, including blocking, detection, containment, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and respond to security attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies packaged within a single agent managed from one console. Progent's security and virtualization consultants can help your business design and implement a ProSight ESP environment that meets your organization's specific needs and that helps you achieve and demonstrate compliance with government and industry data protection regulations. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent can also help your company set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent provide small and medium-sized businesses a low-cost end-to-end solution for reliable backup/disaster recovery (BDR). For a low monthly rate, ProSight Data Protection Services automates your backup processes and enables rapid restoration of critical files, apps and virtual machines that have been lost or corrupted due to hardware failures, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, apps, system images, plus Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or to both. Progent's backup and recovery consultants can deliver advanced support to configure ProSight Data Protection Services to comply with government and industry regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, whenever needed, can help you recover your critical information. Read more about ProSight DPS Managed Cloud Backup.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security vendors to provide web-based control and comprehensive protection for all your email traffic. The architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a further level of inspection for incoming email. For outbound email, the local gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server in monitoring and safeguarding internal email that stays inside your corporate firewall. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to diagram, track, optimize and troubleshoot their connectivity appliances such as routers, firewalls, and load balancers as well as servers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch keeps infrastructure topology diagrams up to date, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating time-consuming management processes, WAN Watch can knock hours off ordinary chores such as making network diagrams, reconfiguring your network, locating appliances that require critical updates, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network operating at peak levels by tracking the state of the vital assets that power your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT staff and your Progent engineering consultant so that potential problems can be addressed before they disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hardware platform without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and protect information about your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can save up to half of the time spent looking for vital information about your network. ProSight IT Asset Management provides a common location for holding and collaborating on all documents related to managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and correlating IT data. Whether you're making improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Find out more about the ProSight IT Asset Management service.