Ransomware : Your Worst Information Technology Catastrophe
Crypto-ransomware has become a modern cyber pandemic that represents an extinction-level danger for businesses of all sizes that are poorly prepared for an attack. Versions of crypto-ransomware like the CryptoLocker, Fusob, Locky, SamSam and MongoLock cryptoworms have been running rampant for many years and continue to cause destruction. Modern strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nephilim, along with other as-yet-unnamed variants, not only encrypt online data but also corrupt any accessible system restore points and backups. Information synced to the cloud can also be rendered useless. Where the data protection solution is vulnerable, this can make automated restoration impossible and effectively resets the entire environment to zero.
Getting services and information back online after a ransomware outage becomes a sprint against the clock as the targeted organization tries its best to contain the damage, remove the ransomware, and resume enterprise-critical activity. Because ransomware requires time to spread, attacks are frequently launched on weekends and at night, when they take longer to discover. This compounds the difficulty of quickly assembling and coordinating a capable response team.
Progent offers a variety of solutions for protecting enterprises from ransomware attacks. Among these are team education to help staff recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security gateways with machine learning capabilities to intelligently detect and quarantine zero-day cyber threats. Progent also provides the assistance of experienced crypto-ransomware recovery professionals with the skills and perseverance to rebuild a compromised system as urgently as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware event, even paying the ransom demand in Bitcoin does not ensure that the attackers will respond with the keys needed to decrypt all of your information. Kaspersky estimated that 17% of ransomware victims never recovered their data after sending off the ransom, resulting in increased losses. Paying is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to re-install the key components of your Information Technology environment. Without full information backups, this requires a broad complement of IT skills, well-coordinated project management, and the capability to work 24x7 until the job is done.
For twenty years, Progent has provided expert Information Technology services for companies in San Francisco and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned advanced certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the skills to quickly understand important systems, integrate the surviving parts of your IT environment following a ransomware attack, and rebuild them into an operational network.
Progent's recovery group has top notch project management tools to orchestrate the complicated restoration process. Progent appreciates the importance of acting rapidly and in unison with a client's management and IT resources to prioritize tasks and to put critical systems back online as soon as humanly possible.
Client Story: A Successful Ransomware Penetration Restoration
A customer hired Progent after their organization was crashed by the Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state cybercriminals, possibly using technology leaked from America's NSA. Ryuk targets specific organizations with limited room for operational disruption and is one of the most profitable iterations of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company located in Chicago with around 500 employees. The Ryuk penetration had frozen all company operations and manufacturing processes. Most of the client's data backups had been online at the beginning of the intrusion and were damaged. The client considered paying the ransom (exceeding two hundred thousand dollars) and praying for the best, but in the end called Progent.
"I can't say enough in regards to the care Progent gave us throughout the most stressful period of (our) business's survival. We had little choice but to pay the cyber criminals if not for the confidence the Progent team afforded us. That you were able to get our e-mail system and key applications back online faster than seven days was earth shattering. Each expert I interacted with or communicated with at Progent was totally committed to getting our system up and was working all day and night to bail us out."
Progent worked together with the customer to rapidly identify and prioritize the key elements that had to be restored to make it possible to restart company operations:
- Active Directory
- Microsoft Exchange
- Accounting and Manufacturing Software
To get going, Progent adhered to industry best practices for malware incident response by halting lateral movement and cleaning systems of the virus. Progent then began the process of bringing Windows Active Directory back online, since AD is the core of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server messaging will not function without AD, and the customer's accounting and MRP system used Microsoft SQL Server, which relies on Active Directory to authenticate access to the data.
Within two days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then helped perform setup and hard drive recovery of key servers. All Exchange Server data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Outlook Offline Folder Files) on staff PCs in order to recover mail information. A recent offline backup of the customer's accounting/MRP software made it possible to bring these required applications back online. Although a large amount of work remained to recover fully from the Ryuk virus, the most important services were restored quickly:
"For the most part, the production line operation showed little impact and we did not miss any customer deliverables."
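Locating the unencrypted OST files mentioned above is a step a responder can script rather than do by hand. The following Python triage script is an added example, not Progent's tooling; it relies on the fact that every Outlook PST/OST file in PFF format starts with the 4-byte header "!BDN", and it builds a constructed profile tree with constructed ransom extensions so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Every Outlook PST/OST (PFF format) file begins with "!BDN"; an OST that an
# encryptor has overwritten in place no longer carries that header.
PFF_SIGNATURE = b"!BDN"
# Constructed examples of extensions ransomware appends; not from the case study.
RANSOM_SUFFIXES = (".ryk", ".locked", ".encrypted")

def classify_mail_cache(path):
    """'intact' if the PFF header survives, 'encrypted' if not, 'unreadable' on I/O error."""
    try:
        with open(path, "rb") as fh:
            return "intact" if fh.read(4) == PFF_SIGNATURE else "encrypted"
    except OSError:
        return "unreadable"

def is_mail_cache_name(name):
    """True for outlook.ost, archive.pst and renamed copies such as outlook.ost.ryk."""
    return any(s in (".ost", ".pst") for s in Path(name.lower()).suffixes)

def triage_mail_caches(root):
    """Walk a profile tree and list every OST/PST, largest first, with its state."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not is_mail_cache_name(name):
                continue
            full = os.path.join(dirpath, name)
            found.append({"path": full, "size": os.path.getsize(full),
                          "state": classify_mail_cache(full),
                          "renamed": name.lower().endswith(RANSOM_SUFFIXES)})
    found.sort(key=lambda r: r["size"], reverse=True)
    return found

def recoverable_caches(root):
    """Paths worth copying off the endpoint and importing to recover mailbox data."""
    return [r["path"] for r in triage_mail_caches(root) if r["state"] == "intact"]

def build_sample_profiles():
    """Constructed workstation profile tree in a temp dir: one intact OST, one OST
    overwritten by an encryptor, one renamed encrypted copy, one unrelated file."""
    base = tempfile.mkdtemp(prefix="ost-triage-")
    samples = {
        "alice/AppData/Local/Microsoft/Outlook/alice.ost": PFF_SIGNATURE + b"\x00" * 4096,
        "bob/AppData/Local/Microsoft/Outlook/bob.ost": bytes(range(256)) * 8,
        "carol/AppData/Local/Microsoft/Outlook/carol.ost.ryk": b"\xde\xad" * 512,
        "alice/Documents/notes.txt": b"not a mailbox",
    }
    for rel, data in samples.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base
```

Run `triage_mail_caches` against a mounted `C:\Users` share (or an image of it) to get the largest intact caches first; the renamed and header-less entries tell you which mailboxes cannot be recovered from the endpoint.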
Throughout the following couple of weeks key milestones in the recovery process were completed through close collaboration between Progent team members and the customer:
- In-house web applications were returned to operation with no loss of information.
- The MailStore Exchange Server archive, containing more than 4 million historical messages, was brought online and made accessible to users.
- CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were completely functional.
- A new Palo Alto 850 security appliance was installed.
- Most of the desktops and laptops were operational.
"So much of what was accomplished during the initial response is nearly entirely a blur for me, but we will not soon forget the care each and every one of the team accomplished to give us our company back. I have been working with Progent for the past ten years, maybe more, and each time Progent has come through and delivered as promised. This situation was a testament to your capabilities."
A potential business-killing disaster was avoided through the efforts of dedicated professionals, a wide array of technical expertise, and tight teamwork. In hindsight, the crypto-ransomware penetration described here should have been prevented by advanced cyber security systems and best practices, user and IT administrator education, and appropriate procedures for data backup and for keeping systems current with security patches. The reality, however, is that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and will keep attacking. If you do get hit by a ransomware incident, remember that Progent's team of professionals has a proven track record in crypto-ransomware blocking, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for making it so I could get rested after we made it over the initial fire. Everyone did an impressive job, and if any of your team is around the Chicago area, dinner is on me!"
To read or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in San Francisco a range of online monitoring and security evaluation services to help you to minimize the threat from crypto-ransomware. These services incorporate next-generation machine learning technology to detect zero-day strains of ransomware that can evade traditional signature-based anti-virus solutions.
For San Francisco 24x7x365 Crypto-Ransomware Remediation Services, call Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses behavioral machine learning to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily escape traditional signature-matching anti-virus products. ProSight ASM safeguards local and cloud resources and provides a unified platform to address the complete malware attack progression, including protection, identification, containment, cleanup, and forensics. Top capabilities include single-click rollback using the Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection services deliver affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring of and response to cyber attacks from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP deployment that meets your company's specific needs and that allows you to prove compliance with government and industry information security regulations. Progent will assist you in specifying and configuring the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate attention. Progent's consultants can also help you install and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and mid-sized businesses a low-cost end-to-end solution for secure backup and disaster recovery (BDR). Available at a low monthly cost, ProSight Data Protection Services automates your backup activities and allows rapid restoration of critical files, applications and VMs that have been lost or damaged by hardware failures, software bugs, disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you back up, recover and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware images. Critical data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's backup and recovery consultants can deliver advanced support to set up ProSight Data Protection Services to comply with regulatory requirements like HIPAA, FERPA, and PCI and, whenever necessary, can help you restore your critical information. Find out more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security companies to provide centralized management and world-class security for all your email traffic. The hybrid architecture of Email Guard combines cloud-based filtering with an on-premises gateway device to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from making it to your network firewall. This reduces your vulnerability to external attacks and saves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a further layer of inspection for inbound email. For outbound email, the on-premises security gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also assist Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more information, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to diagram, track, enhance and troubleshoot their connectivity hardware such as routers, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are always updated, captures and displays the configuration of virtually all devices on your network, monitors performance, and generates notices when issues are discovered. By automating time-consuming network management processes, WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, finding appliances that require important updates, or isolating performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your network operating efficiently by tracking the health of the vital assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your specified IT management staff and your Progent consultant so that looming issues can be addressed before they disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Since the system is virtualized, it can be ported easily to an alternate hardware environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard data about your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can eliminate up to 50% of the time spent searching for critical information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need the instant you need it. Learn more about ProSight IT Asset Management service.