Ransomware: Your Worst IT Disaster
Ransomware has become a modern cyber pandemic that poses an extinction-level danger for businesses of all sizes that are unprepared for an assault. Versions of ransomware such as CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for years and still inflict destruction. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, plus frequent as-yet-unnamed malware, not only encrypt online files but also infect many available system protection mechanisms. Data synched to off-site disaster recovery sites can also be encrypted. In a vulnerable environment, this can make recovery impossible and effectively knock the datacenter back to zero.

Recovering applications and data after a ransomware intrusion becomes a race against the clock as the targeted organization fights to contain the damage, clean up the ransomware, and restore business-critical activity. Because ransomware takes time to replicate, assaults are frequently launched on weekends and holidays, when attacks in many cases take more time to uncover. This compounds the difficulty of promptly marshalling and organizing an experienced mitigation team.

Progent provides an assortment of help services for securing businesses from ransomware penetrations. These include user training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of modern security solutions with machine learning capabilities to intelligently detect and suppress zero-day threats. Progent in addition offers the services of expert crypto-ransomware recovery professionals with the track record and perseverance to restore a breached environment as urgently as possible.

Progent's Ransomware Restoration Services
Following a ransomware penetration, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that criminal gangs will provide the keys to decipher any or all of your data. Kaspersky Labs estimated that 17% of ransomware victims never restored their files even after having paid the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET puts at around $13,000. The alternative is to piece back together the essential components of your Information Technology environment. Without the availability of complete information backups, this calls for a broad complement of skills, professional team management, and the willingness to work non-stop until the recovery project is done.

For two decades, Progent has made available certified expert IT services for businesses in San Jose and across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have attained advanced certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally-recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with financial management and ERP applications. This breadth of expertise gives Progent the skills to rapidly identify important systems and integrate the surviving pieces of your network system after a crypto-ransomware attack and configure them into an operational system.

Progent's recovery group deploys top notch project management applications to orchestrate the complex recovery process. Progent understands the urgency of working rapidly and in concert with a client's management and Information Technology resources to assign priority to tasks and to get essential services back on line as fast as humanly possible.

Customer Case Study: A Successful Ransomware Attack Response
A small business contacted Progent after their company was attacked by Ryuk ransomware. Ryuk is believed to have been launched by North Korean state sponsored cybercriminals, possibly using technology leaked from the United States National Security Agency. Ryuk goes after specific organizations with little tolerance for operational disruption and is among the most profitable instances of ransomware malware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk event had disabled all business operations and manufacturing capabilities. The majority of the client's data backups had been on-line at the beginning of the attack and were damaged. The client considered paying the ransom demand (exceeding $200K) and hoping for good luck, but in the end utilized Progent.


"I cannot tell you enough about the expertise Progent provided us throughout the most stressful time of (our) business's life. We may have had to pay the hackers behind this attack if not for the confidence the Progent experts provided us. That you could get our e-mail and key servers back on-line faster than 1 week was beyond my wildest dreams. Each expert I interacted with or e-mailed at Progent was amazingly focused on getting our company operational and was working at all hours to bail us out."

Progent worked together with the customer to rapidly assess and prioritize the critical applications that had to be addressed in order to restart departmental operations:

  • Microsoft Active Directory
  • Electronic Messaging
  • Financials/MRP

To begin, Progent followed industry best practices for anti-virus/malware event mitigation by halting the spread and cleaning up infected systems. Progent then started the work of rebuilding Active Directory, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange email will not function without Windows AD, and the business's accounting and MRP applications used Microsoft SQL Server, which depends on Active Directory services for authentication to the data.

In less than 2 days, Progent was able to recover Active Directory to its pre-penetration state. Progent then assisted with reinstallations and storage recovery of the most important servers. All Microsoft Exchange Server data and configuration information were usable, which accelerated the restore of Exchange. Progent was able to collect intact OST files (Outlook Email Offline Data Files) on staff desktop computers and laptops in order to recover email information. A recent off-line backup of the client's accounting systems made it possible to restore these required applications and make them available to users again. Although a large amount of work remained to recover totally from the Ryuk attack, the most important services were returned to operation rapidly:


"For the most part, the production line operation ran fairly normal throughout and we made all customer orders."

Over the next couple of weeks important milestones in the recovery project were achieved through close cooperation between Progent consultants and the client:

  • Self-hosted web applications were brought back up with no loss of information.
  • The MailStore Exchange Server with over four million historical emails was spun up and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were 100% restored.
  • A new Palo Alto 850 firewall was installed and configured.
  • Nearly all of the user desktops were functioning as before the incident.

"A lot of what transpired during the initial response is nearly entirely a haze for me, but we will not soon forget the countless hours each and every one of the team put in to give us our business back. I've entrusted Progent for the past 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This time was a Herculean accomplishment."

Conclusion
A potential business-killing disaster was averted by hard-working experts, a broad spectrum of knowledge, and tight collaboration. In analyzing the event afterwards, the ransomware incident detailed here would have been identified and prevented with advanced security systems and NIST Cybersecurity Framework best practices, team education, and properly executed security procedures for backup and for keeping systems up to date with security patches. Even so, the reality remains that government-sponsored hackers from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware virus, feel confident that Progent's roster of experts has a proven track record in ransomware virus defense, cleanup, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for letting me get some sleep after we made it through the first week. All of you did a fabulous effort, and if anyone that helped is in the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in San Jose a portfolio of remote monitoring and security evaluation services designed to help you to reduce your vulnerability to ransomware. These services utilize modern artificial intelligence technology to detect zero-day variants of ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily evade traditional signature-based anti-virus products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to address the complete malware attack lifecycle including filtering, detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device control, and web filtering through cutting-edge tools incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help you to design and configure a ProSight ESP environment that addresses your company's specific requirements and that helps you achieve and demonstrate compliance with government and industry data security regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require urgent attention. Progent can also help your company to set up and test a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations a low cost and fully managed solution for secure backup/disaster recovery (BDR). For a low monthly rate, ProSight Data Protection Services automates and monitors your backup activities and enables rapid restoration of critical files, applications and VMs that have become unavailable or corrupted as a result of hardware failures, software bugs, natural disasters, human error, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware virtual machine images. Critical data can be protected on the cloud, to an on-premises storage device, or mirrored to both. Progent's backup and recovery specialists can provide world-class expertise to set up ProSight DPS to comply with regulatory requirements such as HIPAA, FIRPA, and PCI and, whenever necessary, can help you to restore your business-critical data. Read more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security vendors to provide web-based management and comprehensive security for your email traffic. The powerful structure of Email Guard combines cloud-based filtering with a local security gateway appliance to offer advanced defense against spam, viruses, DoS attacks, DHAs, and other email-borne malware. The cloud filter serves as a preliminary barricade and keeps most unwanted email from making it to your security perimeter. This decreases your exposure to external threats and saves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a further level of inspection for incoming email. For outbound email, the onsite security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map, monitor, reconfigure and debug their networking appliances such as routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration information of virtually all devices on your network, tracks performance, and sends alerts when potential issues are discovered. By automating complex management and troubleshooting processes, WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, finding appliances that require critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your network running efficiently by checking the health of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your designated IT staff and your assigned Progent engineering consultant so that all looming issues can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved easily to an alternate hosting solution without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and protect data related to your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSLs or domains. By cleaning up and managing your IT documentation, you can eliminate up to half of the time wasted trying to find vital information about your network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require when you need it. Find out more about ProSight IT Asset Management service.

For 24-7 San Jose Crypto-Ransomware Cleanup Consultants, call Progent at 800-993-9400 or go to Contact Progent.