Ransomware: Your Crippling Information Technology Disaster
Ransomware has become an escalating cyber pandemic that presents an extinction-level danger for any organization vulnerable to an attack. Ransomware families such as Reveton, CryptoWall, Locky, SamSam and MongoLock have been in the wild for years and continue to cause havoc. More recent strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Egregor, along with a steady stream of as yet unnamed variants, not only encrypt on-line data but also go after whatever protection mechanisms they can reach: shadow copies, backup catalogs and network-attached backup targets. Data synchronized to off-site disaster recovery sites can be ransomed too, because replication faithfully copies the encrypted files. In a poorly designed data protection solution this can make any recovery impossible and effectively knocks the entire environment back to square one.
Getting programs and data back after a ransomware intrusion becomes a race against time as the victim struggles to stop the spread, clean up the ransomware and resume business-critical activity. Because intruders spend days or weeks moving laterally before they trigger encryption, the final detonation is usually timed for nights and weekends, when fewer people are watching and detection and response take longer. This multiplies the difficulty of rapidly marshalling and orchestrating a knowledgeable mitigation team.
Progent offers an assortment of support services for securing organizations against ransomware. These include team education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for endpoint protection with remote monitoring and management, and installation of latest-generation security appliances with machine learning capabilities to quickly discover and stop new attacks. Progent can also provide veteran ransomware recovery engineers with the skills and perseverance to restore a compromised network as quickly as possible.
Progent's Ransomware Restoration Services
After a crypto-ransomware penetration, paying the ransom in cryptocurrency gives no assurance that the attackers will hand over working keys to decrypt your data. Kaspersky found that 17% of ransomware victims never recovered their files after paying, compounding their losses. Paying is also very expensive. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far above the average crypto-ransomware demand, which ZDNet estimated at around $13,000. The other path is to rebuild the vital components of your IT environment. Without access to complete, uninfected backups, this requires a wide range of skills, professional team management, and the ability to work non-stop until the task is over.
For twenty years, Progent has provided certified expert IT services for companies in San Juan and throughout the U.S. and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP applications. This breadth of expertise gives Progent the skills to efficiently identify critical systems, salvage the surviving parts of your network after a ransomware penetration, and reassemble them into a functioning environment.
Progent's security group uses state-of-the-art project management tools to coordinate the complex restoration process. Progent understands the urgency of acting rapidly and in unison with a customer's management and IT resources to prioritize tasks and to put the most important systems back on-line as soon as humanly possible.
Client Story: A Successful Crypto-Ransomware Incident Recovery
A manufacturing company hired Progent after Ryuk ransomware brought its business to a halt. Early analyses linked Ryuk to North Korean actors because it shares code with the Hermes ransomware; later research attributes it to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for downtime and is one of the most profitable ransomware operations to date. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer in the Chicago metro area with around 500 employees. The Ryuk penetration had halted all company operations and manufacturing. Most of the client's backups were on-line and network-reachable when the intrusion began, and they were eventually encrypted too. The client considered paying the ransom (more than $200,000) and hoping for the best, but ultimately reached out to Progent.
"I can't say enough about the help Progent gave us throughout the most stressful time of (our) company's life. We would have had little choice but to pay the hackers if not for the confidence the Progent team provided us. That you could get our e-mail and essential applications back into operation in less than seven days was beyond my wildest dreams. Every single expert I worked with or communicated with at Progent was absolutely committed to getting my company operational and was working 24 by 7 on our behalf."
Progent worked with the customer to quickly identify and prioritize the key systems that had to be restored before departmental functions could restart:
- Windows Active Directory
- Microsoft Exchange Email
First, Progent followed incident response best practices for malware outbreaks: isolating infected systems from the network and eradicating the malware before anything was rebuilt. Progent then began bringing Active Directory back on-line, since it is the heart of any network built on Microsoft technology: Exchange will not function without Active Directory, and the company's MRP system ran on SQL Server, which depended on Active Directory for authentication to its databases.
In less than two days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then pressed ahead with rebuilding and recovering the storage of mission-critical servers. The Exchange schema extensions and attributes in Active Directory were intact, which simplified the Exchange restore. Progent was also able to locate local OST files (Outlook Offline Folder files) on various PCs and use them to recover mailbox data. A recent off-line backup of the customer's manufacturing systems made it possible to bring those applications back to users. Although significant work remained to recover fully from Ryuk, critical systems were returned to operation quickly:
"For the most part, the production operation ran fairly normally throughout and we delivered all customer sales."
During the following few weeks, important milestones in the restoration were reached in close collaboration between Progent team members and the customer:
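The restore sequence above (Active Directory first, then Exchange and the SQL Server behind the MRP system, then everything that sits on those) is a dependency ordering problem. The following is an added example, not Progent's tooling or anything from the case study: it takes a service dependency map and emits restore "waves", where every system in a wave can be rebuilt in parallel once the previous wave is up, with the business-critical systems first inside each wave. The dependency map and priorities are constructed to resemble this case and are assumptions; it also refuses to produce a plan when the map is circular, which is the failure mode a hand-drawn plan hides.

```python
"""Derive a restore order from service dependencies: a system can only be rebuilt once
everything it depends on is back, and within each wave the business-critical systems go first."""
from typing import Dict, List, Set

# Constructed dependency map (assumption modelled on the case study: Exchange and the
# SQL Server behind the MRP system both require Active Directory). Each key lists the
# systems it depends on. Not taken from the customer's actual environment.
DEPENDENCIES: Dict[str, List[str]] = {
    "Active Directory": [],
    "Exchange": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "MRP": ["SQL Server"],
    "CRM/Orders/AP/AR": ["SQL Server"],
    "Internal web apps": ["SQL Server", "Active Directory"],
    "MailStore archive": ["Exchange"],
    "Workstations": ["Active Directory"],
}

# Business priority within a wave; lower restores first (assumption).
PRIORITY: Dict[str, int] = {
    "Active Directory": 0, "Exchange": 1, "SQL Server": 1, "MRP": 2,
    "CRM/Orders/AP/AR": 2, "Internal web apps": 3, "MailStore archive": 3, "Workstations": 4,
}


def prerequisites(system: str, deps: Dict[str, List[str]]) -> Set[str]:
    """Everything that must be up before `system`, transitively."""
    seen: Set[str] = set()
    stack = list(deps.get(system, []))
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(deps.get(s, []))
    return seen


def restore_waves(deps: Dict[str, List[str]], priority: Dict[str, int]) -> List[List[str]]:
    """Kahn's topological sort grouped into waves. Raises ValueError on unknown or circular deps."""
    indegree = {s: 0 for s in deps}
    dependents: Dict[str, List[str]] = {s: [] for s in deps}
    for s, ps in deps.items():
        for p in set(ps):                       # dedupe repeated prerequisites
            if p not in deps:
                raise ValueError(f"{s!r} depends on unknown system {p!r}")
            indegree[s] += 1
            dependents[p].append(s)

    def rank(s: str):
        return (priority.get(s, 99), s)         # priority first, then name for stable output

    ready = sorted((s for s, d in indegree.items() if d == 0), key=rank)
    waves: List[List[str]] = []
    restored = 0
    while ready:
        waves.append(ready)
        restored += len(ready)
        next_ready = []
        for s in ready:
            for d in dependents[s]:
                indegree[d] -= 1
                if indegree[d] == 0:
                    next_ready.append(d)
        ready = sorted(next_ready, key=rank)
    if restored != len(deps):                   # something never reached indegree 0
        stuck = sorted(s for s, d in indegree.items() if d > 0)
        raise ValueError(f"circular dependency among {stuck}")
    return waves


if __name__ == "__main__":
    for i, wave in enumerate(restore_waves(DEPENDENCIES, PRIORITY)):
        print(f"wave {i}: {wave}")
    print("MRP blocks on:", sorted(prerequisites("MRP", DEPENDENCIES)))
```

The first wave is Active Directory alone, which matches what the engineers did by hand; the value of the script is on a larger estate, where the map has dozens of entries and a missing or circular edge is easy to overlook until a restore stalls.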
- Internal web applications were returned to operation without losing any data.
- The MailStore archive server, holding more than 4 million archived emails, was brought back up and made available to users.
- CRM, order entry, invoicing, accounts payable (AP), accounts receivable (AR) and inventory control capabilities were fully restored.
- A new Palo Alto Networks PA-850 firewall was brought on-line.
- Ninety percent of the desktops and laptops were fully operational.
"Much of what happened during the initial response is mostly a fog for me, but my management will not soon forget the commitment each and every one of the team accomplished to help get our company back. I have been working together with Progent for at least 10 years, maybe more, and each time Progent has shined and delivered. This time was a testament to your capabilities."
A probable business-extinction disaster was averted with top-tier experts, a wide spectrum of IT skills, and tight teamwork. Although the post mortem showed that the attack described here could have been blunted with modern security technology, security best practices, team training, and well-designed procedures for backup isolation and software patching, the fact remains that state-sponsored and criminal groups, from North Korea, China and elsewhere, are relentless and are not going away. If you are hit by a ransomware penetration, you can be confident that Progent's team has a proven track record in ransomware blocking, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), thank you for letting me get some sleep after we got through the most critical parts. All of you made an amazing effort, and if any of your team is in the Chicago area, dinner is my treat!"
To review or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in San Juan with a range of on-line monitoring and security assessment services designed to help you minimize your exposure to ransomware. These services incorporate modern machine learning technology to detect zero-day strains of ransomware that evade legacy signature-based anti-virus.
For San Juan 24x7 ransomware remediation help, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next-generation behavior analysis to defend physical and virtual endpoints against new malware such as ransomware and file-less exploits, which easily evade legacy signature-matching anti-virus tools. ProSight ASM protects local and cloud-based resources and offers a single platform for the complete attack lifecycle: protection, detection, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly seen attacks. Note that most ransomware families delete shadow copies (for example with vssadmin delete shadows) before they start encrypting, so VSS-based rollback only helps if the endpoint agent blocks that deletion or protects its own snapshots; verify this on a test machine rather than assuming it. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
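The shadow-copy and backup tampering mentioned above (and the off-hours timing noted at the top of the page) is one of the few reliable early signals that a ransomware payload is about to detonate, because the commands involved are rarely run in bulk by administrators. The following is an added example, not part of ProSight ASM or any Progent product: it runs a small detection rule set over constructed process-creation log lines and escalates a host that executes several recovery-inhibiting techniques within a short window. The log format, hostnames, usernames and sample commands are all assumptions made up for the example; the command patterns themselves are the well-documented ones (MITRE ATT&CK T1490, Inhibit System Recovery).

```python
"""Flag commands that disable recovery (shadow copies, backup catalogs, boot recovery)
in process-creation logs, and escalate bursts of them, especially off-hours."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Command lines associated with MITRE ATT&CK T1490 (Inhibit System Recovery).
# These are the documented commands ransomware runs before encrypting.
RECOVERY_TAMPER_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin_resize_storage": re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin_delete_backups": re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "wmi_shadowcopy_delete_ps": re.compile(r"win32_shadowcopy.*(\.delete\(|remove-)", re.I),
}

# Constructed log format (assumption): <iso-timestamp> host=<name> user=<name> cmd="<command line>"
LOG_LINE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')

# Constructed sample events, not real telemetry. 2020-11-21 is a Saturday.
SAMPLE_LOG = r"""
2020-11-18T10:42:11 host=WS17 user=CORP\jdoe cmd="vssadmin.exe list shadows"
2020-11-18T10:45:00 host=FS01 user=CORP\backupadm cmd="wbadmin.exe start backup -backupTarget:E: -include:C:"
2020-11-21T02:13:05 host=FS01 user=CORP\svc_backup cmd="vssadmin.exe delete shadows /all /quiet"
2020-11-21T02:13:06 host=FS01 user=CORP\svc_backup cmd="wbadmin.exe delete catalog -quiet"
2020-11-21T02:13:07 host=FS01 user=CORP\svc_backup cmd="bcdedit.exe /set {default} recoveryenabled No"
2020-11-21T02:13:09 host=FS01 user=CORP\svc_backup cmd="powershell.exe -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_off_hours(ts: datetime) -> bool:
    """Weekend or outside 07:00-19:00, when the text notes response is slowest."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 19


def scan(log_text: str) -> List[dict]:
    """One alert per event whose command line matches a tamper pattern."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for rule, pattern in RECOVERY_TAMPER_PATTERNS.items():
            if pattern.search(ev["cmd"]):
                alerts.append({**ev, "rule": rule, "off_hours": is_off_hours(ev["ts"])})
                break                       # one rule per event is enough
    return alerts


def escalate(alerts: List[dict], window_minutes: int = 5) -> List[dict]:
    """Group alerts per host. Two or more distinct techniques inside the window is the
    signature of a detonating payload rather than an administrator tidying up."""
    by_host: Dict[str, List[dict]] = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    incidents = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        span_min = (events[-1]["ts"] - events[0]["ts"]).total_seconds() / 60
        techniques = sorted({e["rule"] for e in events})
        burst = len(techniques) >= 2 and span_min <= window_minutes
        incidents.append({
            "host": host,
            "first_seen": events[0]["ts"].isoformat(),
            "users": sorted({e["user"] for e in events}),
            "techniques": techniques,
            "off_hours": any(e["off_hours"] for e in events),
            "severity": "high" if burst else "medium",
        })
    return incidents


if __name__ == "__main__":
    for incident in escalate(scan(SAMPLE_LOG)):
        print(incident)
```

In the sample, the Wednesday "vssadmin list shadows" and the legitimate wbadmin backup produce nothing, while FS01 trips four different techniques in four seconds at 02:13 on a Saturday and is escalated as high severity. A single vssadmin resize shadowstorage on its own stays at medium, since administrators do run that legitimately; the burst logic is what separates the two.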
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and respond to security threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools incorporated within a single agent and accessible from a single console. Progent's security and virtualization consultants can help you design and configure a ProSight ESP environment that meets your company's specific needs and that allows you to demonstrate compliance with government and industry information security standards. Progent will help you specify and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also help you set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services offer small and medium-sized organizations an affordable and fully managed service for reliable backup and disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates your backup processes and allows rapid restoration of critical files, applications and VMs that have become unavailable or corrupted because of hardware failures, software glitches, natural disasters, human error, or malicious attacks like ransomware. ProSight Data Protection Services can help you protect, retrieve and restore files, folders, applications, system images, and Hyper-V and VMware images. Important data can be backed up to the cloud, to an on-premises device, or to both. Progent's backup and recovery consultants can provide the expertise to configure ProSight DPS to comply with regulatory standards such as HIPAA, FERPA, and PCI and, whenever necessary, can help you recover your business-critical data. Learn more about ProSight DPS Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security vendors to provide centralized control and comprehensive security for all your email traffic. The architecture of Email Guard combines a Cloud Protection Layer with a local security gateway device to offer advanced protection against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most threats from ever reaching your network firewall. This reduces your exposure to external threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway device adds a further layer of inspection for incoming email. For outbound email, the local gateway provides anti-virus and anti-spam protection, data leakage protection, and email encryption. The local security gateway can also help Microsoft Exchange Server monitor and safeguard internal email that originates and ends within your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Management
Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map out, monitor, reconfigure and troubleshoot their connectivity hardware like routers, firewalls, and access points plus servers, printers, endpoints and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that network diagrams are always updated, captures and displays the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when problems are discovered. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, locating appliances that need critical software patches, or resolving performance problems. Learn more details about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your network operating efficiently by tracking the state of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT staff and your Progent consultant so any potential issues can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With the ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be ported easily to a different hosting solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard data about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as half of the time wasted trying to find vital information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require when you need it. Learn more about Progent's ProSight IT Asset Management service.