Ransomware : Your Crippling IT Catastrophe
Ransomware  Recovery ExpertsRansomware has become a modern cyberplague that represents an extinction-level danger for organizations poorly prepared for an assault. Different versions of ransomware like the Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been out in the wild for years and still inflict havoc. Modern variants of ransomware such as Ryuk and Hermes, plus additional as yet unnamed viruses, not only encrypt on-line data but also infiltrate any accessible system restores and backups. Files replicated to the cloud can also be ransomed. In a poorly designed environment, it can make any restore operations hopeless and basically sets the entire system back to zero.

Getting back applications and information following a ransomware outage becomes a sprint against time as the targeted business tries its best to contain and cleanup the ransomware and to restore business-critical operations. Due to the fact that ransomware takes time to replicate, attacks are frequently launched during nights and weekends, when penetrations may take longer to uncover. This compounds the difficulty of quickly marshalling and organizing an experienced mitigation team.

Progent provides a range of services for protecting businesses from ransomware events. These include user training to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of next-generation security gateways with AI capabilities to rapidly detect and quarantine zero-day cyber threats. Progent in addition offers the services of veteran ransomware recovery engineers with the track record and commitment to rebuild a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
Soon after a crypto-ransomware event, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that cyber hackers will return the needed codes to unencrypt any or all of your information. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their data after having sent off the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the average crypto-ransomware demands, which ZDNET averages to be approximately $13,000. The other path is to setup from scratch the key parts of your Information Technology environment. Without the availability of essential data backups, this calls for a broad range of skills, professional team management, and the ability to work non-stop until the task is done.

For twenty years, Progent has offered expert Information Technology services for businesses in Sacramento and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded advanced certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise in financial systems and ERP software solutions. This breadth of expertise gives Progent the skills to rapidly understand critical systems and organize the surviving pieces of your network system after a ransomware penetration and rebuild them into an operational network.

Progent's security team uses top notch project management systems to orchestrate the complex recovery process. Progent understands the importance of acting quickly and in unison with a customerís management and Information Technology team members to prioritize tasks and to get key applications back online as fast as humanly possible.

Case Study: A Successful Ransomware Virus Recovery
A client sought out Progent after their network was taken over by the Ryuk crypto-ransomware. Ryuk is believed to have been deployed by Northern Korean government sponsored cybercriminals, suspected of using technology exposed from the U.S. National Security Agency. Ryuk seeks specific companies with little or no room for disruption and is one of the most profitable incarnations of crypto-ransomware. Major organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with around 500 workers. The Ryuk penetration had paralyzed all essential operations and manufacturing capabilities. Most of the client's data backups had been online at the beginning of the attack and were destroyed. The client was actively seeking loans for paying the ransom demand (exceeding $200K) and wishfully thinking for the best, but ultimately brought in Progent.


"I cannot tell you enough in regards to the help Progent gave us during the most fearful period of (our) businesses existence. We may have had to pay the cyber criminals if it wasnít for the confidence the Progent team gave us. That you were able to get our messaging and key servers back quicker than a week was beyond my wildest dreams. Each expert I got help from or texted at Progent was absolutely committed on getting us working again and was working 24/7 to bail us out."

Progent worked hand in hand the client to quickly assess and prioritize the most important applications that needed to be addressed to make it possible to continue business functions:

  • Windows Active Directory
  • Email
  • Accounting and Manufacturing Software
To get going, Progent adhered to Anti-virus event mitigation industry best practices by stopping the spread and cleaning up infected systems. Progent then started the steps of bringing back online Active Directory, the foundation of enterprise environments built upon Microsoft Windows technology. Exchange email will not function without Windows AD, and the businessesí financials and MRP applications leveraged Microsoft SQL Server, which depends on Active Directory for security authorization to the database.

Within 2 days, Progent was able to restore Active Directory to its pre-attack state. Progent then performed rebuilding and storage recovery on key systems. All Exchange Server data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to collect non-encrypted OST data files (Microsoft Outlook Off-Line Folder Files) on team desktop computers and laptops in order to recover mail information. A not too old off-line backup of the client's manufacturing systems made it possible to recover these vital programs back online for users. Although a large amount of work remained to recover totally from the Ryuk attack, essential services were restored quickly:


"For the most part, the manufacturing operation ran fairly normal throughout and we delivered all customer sales."

Throughout the following month key milestones in the restoration project were achieved through close cooperation between Progent team members and the customer:

  • Internal web sites were returned to operation with no loss of data.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was spun up and available for users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory Control functions were fully recovered.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Ninety percent of the user desktops were fully operational.

"Much of what occurred during the initial response is mostly a fog for me, but I will not soon forget the commitment each of the team put in to help get our business back. I have utilized Progent for the past ten years, maybe more, and each time Progent has come through and delivered. This situation was the most impressive ever."

Conclusion
A potential business-ending disaster was dodged through the efforts of results-oriented professionals, a broad range of IT skills, and close teamwork. Although upon completion of forensics the ransomware penetration described here should have been blocked with advanced cyber security systems and ISO/IEC 27001 best practices, user and IT administrator training, and well designed security procedures for data backup and keeping systems up to date with security patches, the reality remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware incursion, feel confident that Progent's roster of professionals has proven experience in crypto-ransomware virus blocking, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), Iím grateful for allowing me to get rested after we got through the initial fire. All of you did an amazing job, and if any of your team is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Sacramento a range of online monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services utilize modern AI capability to detect new variants of ransomware that can get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes next generation behavior machine learning tools to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which routinely escape legacy signature-based AV tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to automate the complete malware attack progression including protection, identification, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer security for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint control, and web filtering through cutting-edge tools packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can assist your business to design and configure a ProSight ESP environment that addresses your organization's unique needs and that allows you achieve and demonstrate compliance with government and industry information protection standards. Progent will assist you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate action. Progent can also help you to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable end-to-end solution for secure backup/disaster recovery. Available at a low monthly rate, ProSight Data Protection Services automates your backup processes and enables rapid recovery of critical files, apps and virtual machines that have become unavailable or corrupted due to hardware breakdowns, software glitches, disasters, human mistakes, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to an on-promises storage device, or to both. Progent's BDR specialists can deliver advanced expertise to set up ProSight Data Protection Services to be compliant with regulatory requirements such as HIPAA, FIRPA, and PCI and, whenever needed, can assist you to restore your critical information. Read more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security companies to provide web-based control and comprehensive security for all your email traffic. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to provide complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter serves as a preliminary barricade and keeps the vast majority of threats from making it to your network firewall. This decreases your vulnerability to external attacks and saves network bandwidth and storage. Email Guard's onsite security gateway device provides a deeper level of analysis for inbound email. For outgoing email, the local security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also assist Exchange Server to track and safeguard internal email traffic that stays within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progentís ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to diagram, track, reconfigure and troubleshoot their networking appliances like routers, firewalls, and access points plus servers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch ensures that network maps are always current, captures and displays the configuration of almost all devices connected to your network, monitors performance, and sends alerts when issues are detected. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off common chores such as network mapping, expanding your network, locating devices that need critical updates, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by tracking the health of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT personnel and your assigned Progent engineering consultant so that any potential issues can be resolved before they can impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Since the environment is virtualized, it can be moved immediately to a different hosting environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard information about your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSLs or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to half of time spent trying to find vital information about your network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether youíre making enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.
For Sacramento 24-7 Crypto Cleanup Consultants, call Progent at 800-993-9400 or go to Contact Progent.