Ransomware : Your Feared Information Technology Catastrophe
Ransomware Recovery Consultants
Crypto-ransomware has become an all-too-frequent cyber pandemic that poses an enterprise-level threat to businesses of every size that are unprepared for an attack. Ransomware families such as Reveton, CryptoWall, Locky, SamSam and MongoLock have been around for years and continue to inflict havoc. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nefilim, along with new variants that appear daily and have not yet been named, not only encrypt online data but also seek out and encrypt or destroy every backup reachable from the compromised network. Data synchronized to the cloud can be encrypted as well. In a vulnerable environment this can make recovery impossible and effectively sets the datacenter back to square one.

Getting applications and data back after a crypto-ransomware attack becomes a race against the clock as the targeted organization struggles to stop the spread, eradicate the malware and resume business-critical operations. Because crypto-ransomware needs time to move laterally, attacks are often launched at night or on weekends, when they typically take longer to detect. This compounds the difficulty of rapidly assembling and coordinating a capable response team.
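As an added illustration (not part of Progent's page or its tooling), the following Python script shows the kind of check a defender would want for the two points above: modern strains destroy reachable backups and recovery points before encrypting, and they tend to do it outside business hours. It parses a handful of constructed Windows process-creation events (the `time=... cmd="..."` line format, host names and user names are all made up for the example), flags the commands commonly used to wipe Volume Shadow Copies, the Windows backup catalog and boot recovery, raises severity when the activity falls at night or on a weekend, and summarizes per host so that a chain of such commands stands out.

```python
"""Detect backup-destruction commands in process-creation events.

Added example, not Progent's code. Event lines are constructed to resemble
Windows Security 4688 / Sysmon event 1 data reduced to a key=value form.
"""
import re
from datetime import datetime

# Command-line patterns ransomware operators run before encryption to remove
# local recovery points. Each entry: compiled regex, alert label.
BACKUP_DESTRUCTION_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "vssadmin delete shadows"),
    (re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*maxsize", re.I), "vssadmin resize shadowstorage"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "wmic shadowcopy delete"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I), "wbadmin delete"),
    (re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I), "bcdedit recoveryenabled no"),
    (re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I), "bcdedit ignoreallfailures"),
    (re.compile(r"Win32_Shadowcopy.*Delete\(\)", re.I), "powershell Win32_Shadowcopy delete"),
]

# Constructed sample events: a Saturday 02:13 burst on a file server (FS01)
# and two benign weekday workstation events (WS17).
SAMPLE_EVENTS = [
    'time=2020-03-14T02:13:07 host=FS01 user=CORP\\svc_backup parent=cmd.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    'time=2020-03-14T02:13:09 host=FS01 user=CORP\\svc_backup parent=cmd.exe cmd="wbadmin delete catalog -quiet"',
    'time=2020-03-14T02:13:11 host=FS01 user=CORP\\svc_backup parent=cmd.exe cmd="bcdedit /set {default} recoveryenabled no"',
    'time=2020-03-12T10:41:55 host=WS17 user=CORP\\jdoe parent=explorer.exe cmd="notepad.exe C:\\notes.txt"',
    'time=2020-03-12T11:02:30 host=WS17 user=CORP\\jdoe parent=outlook.exe cmd="winword.exe /n"',
]

EVENT_RE = re.compile(r'time=(\S+) host=(\S+) user=(\S+) parent=(\S+) cmd="(.*)"')


def parse_event(line):
    """Parse one key=value event line into a dict; return None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.fromisoformat(m.group(1)),
        "host": m.group(2),
        "user": m.group(3),
        "parent": m.group(4),
        "cmd": m.group(5),
    }


def is_off_hours(ts, start_hour=7, end_hour=19):
    """True on weekends or outside the assumed 07:00-19:00 business window."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def classify(event):
    """Return the matching technique label, or None if the command is benign."""
    for pattern, label in BACKUP_DESTRUCTION_PATTERNS:
        if pattern.search(event["cmd"]):
            return label
    return None


def detect(lines):
    """Return one alert per event whose command line destroys recovery points."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        label = classify(ev)
        if label is None:
            continue
        alerts.append({
            "time": ev["time"].isoformat(),
            "host": ev["host"],
            "user": ev["user"],
            "technique": label,
            # Off-hours backup destruction is the classic pre-encryption window.
            "severity": "critical" if is_off_hours(ev["time"]) else "high",
        })
    return alerts


def summarize(alerts):
    """Per-host roll-up: two or more distinct techniques suggests staging for encryption."""
    summary = {}
    for a in alerts:
        entry = summary.setdefault(a["host"], {"techniques": set(), "users": set()})
        entry["techniques"].add(a["technique"])
        entry["users"].add(a["user"])
    return {
        host: {
            "techniques": len(e["techniques"]),
            "users": sorted(e["users"]),
            "likely_pre_encryption": len(e["techniques"]) >= 2,
        }
        for host, e in summary.items()
    }


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print(summarize(detect(SAMPLE_EVENTS)))
```

Fed real 4688 or Sysmon data, the same three-command burst on a file server under a backup service account, at 02:13 on a Saturday, is exactly the signal that should page someone before the encryption phase starts; the per-host roll-up is what keeps a single noisy admin command from triggering the same response as a full chain.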

Progent provides a range of services for protecting organizations against ransomware. These include staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security gateways that use machine learning to quickly discover and block zero-day threats. Progent also offers expert crypto-ransomware recovery engineers with the skill and commitment to rebuild a compromised environment as urgently as possible.

Progent's Ransomware Restoration Help
After a ransomware event, even paying the ransom in Bitcoin does not guarantee that the criminals will provide the keys needed to decrypt your data. Kaspersky Lab found that 17% of ransomware victims never recovered their files after paying, compounding their losses. The ransom itself is also very costly: Ryuk demands commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet estimates at about $13,000. The alternative is to rebuild the critical components of your IT environment. Without complete data backups, this calls for a broad complement of IT skills, first-rate project management, and the ability to work around the clock until the job is done.

For two decades, Progent has provided expert IT services to companies in San Jose and across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants holding advanced certifications in leading technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's cybersecurity consultants have earned internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the skills to quickly understand the affected systems, salvage what remains of your IT environment after a crypto-ransomware attack, and rebuild it into an operational network.

Progent's security team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the importance of acting rapidly and in concert with the customer's management and IT staff to prioritize tasks and get essential systems back online as fast as humanly possible.

Business Case Study: A Successful Ransomware Intrusion Response
A small business hired Progent after its network was taken over by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, possibly using techniques leaked from the US NSA; later analysis attributes it to Russian-speaking criminal operators. Ryuk targets specific organizations with limited ability to tolerate operational disruption and is one of the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago with around 500 employees. The Ryuk attack had frozen all essential business and manufacturing operations. Most of the client's backups had been online when the intrusion began and were destroyed. The client was arranging financing to pay the ransom (over $200,000) and hoping for the best, but ultimately decided to engage Progent.


"I can't thank you enough for the support Progent provided us during the most fearful period of (our) company's survival. We most likely would have paid the hackers behind this attack except for the confidence the Progent group gave us. The fact that you were able to get our e-mail and production servers back online quicker than seven days was earth shattering. Every single expert I interacted with or e-mailed at Progent was amazingly focused on getting us restored and was working at breakneck pace to bail us out."

Progent worked hand in hand with the client to rapidly assess and prioritize the key services that had to be restored in order to continue business operations:

  • Windows Active Directory
  • Email
  • Financials/MRP
To begin, Progent followed incident response best practices by halting lateral movement and cleaning up infected systems. Progent then began recovering Microsoft Active Directory, the core of any environment built on Windows Server. Microsoft Exchange will not run without Active Directory, and the business's accounting and MRP system used SQL Server, which relied on Active Directory for authentication to its databases.

In less than 48 hours, Progent recovered Active Directory to its pre-infection state. Progent then performed reinstallations and disk recovery on the most important systems. All Exchange Server data and attributes were intact, which greatly simplified the Exchange restore. Progent also located intact OST files (Outlook Offline Folder Files) on user workstations and laptops and used them to recover mail data. A recent offline backup of the customer's financials/ERP system made it possible to bring these essential applications back online for users. Although a great deal of work remained to recover fully from Ryuk, critical services were returned to operation rapidly:


"For the most part, the assembly line operation was never shut down and we delivered all customer orders."

Throughout the next couple of weeks important milestones in the recovery process were achieved through tight cooperation between Progent consultants and the client:

  • In-house web sites were brought back up without losing any data.
  • The MailStore email archive for Microsoft Exchange, holding more than 4 million archived messages, was back up and available to users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory modules were 100% operational.
  • A new Palo Alto Networks PA-850 security appliance was brought online.
  • Most of the user desktops were fully operational.

"A huge amount of what transpired that first week is nearly entirely a blur for me, but my team will not soon forget the commitment each and every one of you accomplished to help get our business back. I've utilized Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This event was a testament to your capabilities."

Conclusion
A potentially business-ending catastrophe was averted by dedicated professionals, a wide array of IT skills, and close collaboration. In retrospect, the incident described here could have been prevented with modern cybersecurity technology and recognized best practices, user and IT administrator education, and well thought out procedures for data backup and software patching; but the fact is that attackers, including state-sponsored groups from Russia, North Korea and elsewhere, are tireless and will keep coming. If you do fall victim to ransomware, be assured that Progent's team has proven experience in ransomware defense, remediation, and data recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for making it so I could get rested after we made it through the first week. All of you did a fabulous effort, and if any of your team is in the Chicago area, dinner is on me!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in San Jose a variety of online monitoring and security evaluation services to help you to reduce your vulnerability to ransomware. These services include next-generation machine learning technology to uncover new strains of ransomware that can escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses cutting-edge behavior-based machine learning to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-based anti-virus tools. ProSight ASM protects local and cloud-based resources and offers a single platform to manage the entire threat progression including filtering, intrusion detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using the Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can help your business plan and configure a ProSight ESP deployment that addresses your company's specific needs and helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent attention. Progent's consultants can also help your company install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized businesses an affordable end-to-end solution for reliable backup/disaster recovery (BDR). For a low monthly price, ProSight DPS automates and monitors your backup processes and enables rapid recovery of vital files, applications and virtual machines that have been lost or corrupted by hardware failures, software bugs, disasters, human error, or malicious attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, applications, system images, and Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on a local storage device, or both. Progent's backup and recovery consultants can deliver world-class expertise to set up ProSight DPS to comply with regulatory requirements such as HIPAA, FERPA, PCI and Safe Harbor and, when necessary, can help you recover your business-critical data. Read more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security vendors to deliver web-based control and comprehensive protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with a local gateway device to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to external attacks and saves network bandwidth and storage. Email Guard's onsite gateway device adds a deeper level of analysis for incoming email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, track, enhance and troubleshoot their networking appliances like routers, firewalls, and access points as well as servers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch keeps network diagrams current, copies and displays the configuration of virtually all devices on your network, monitors performance, and sends alerts when potential issues are discovered. By automating complex network management processes, ProSight WAN Watch can knock hours off ordinary tasks such as network mapping, reconfiguring your network, locating appliances that require important updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system running efficiently by checking the health of the critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT management staff and your Progent engineering consultant so that looming issues can be addressed before they impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Since the system is virtualized, it can be ported immediately to a different hosting solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect information about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can save up to half of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a common repository for storing and sharing all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require as soon as you need it. Find out more about the ProSight IT Asset Management service.
For 24/7/365 San Jose ransomware recovery consultants, contact Progent at 800-993-9400 or go to Contact Progent.