Ransomware: Your Worst IT Catastrophe
Ransomware Recovery Professionals
Crypto-ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level danger for organizations unprepared for an attack. Ransomware families such as CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock have been circulating for years and continue to cause havoc. Newer variants such as Ryuk (derived from the Hermes ransomware) and other unnamed strains not only encrypt on-line data but also attack the victim's own system-protection mechanisms, for example by deleting Volume Shadow Copies and encrypting any backup repository that is reachable over the network. Data synchronized to off-site disaster recovery sites can be ransomed as well: replication faithfully copies the encrypted files, so a synchronized copy is not a backup unless it also keeps offline or immutable versions. In a poorly designed data protection solution this makes automatic restore operations impossible and effectively knocks the entire system back to zero.

Restoring applications and data after a ransomware attack becomes a race against time as the victim struggles to stop lateral movement, eradicate the ransomware, and resume mission-critical activity. Because the ransomware needs time to spread and encrypt before anyone notices, attacks are frequently triggered on weekends or holidays, when a successful attack is likely to go undetected for longer. This multiplies the difficulty of quickly marshalling and organizing an experienced response team.

Progent offers an assortment of services for protecting businesses from ransomware events. Among these are training that teaches staff to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for endpoint protection and remote monitoring, and deployment of next-generation security solutions that use behavioral and AI-based analysis to rapidly discover and disable new attacks. Progent also provides veteran crypto-ransomware recovery engineers with the skills and perseverance to rebuild a compromised environment as urgently as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminals will deliver the keys to decrypt all your data. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also very costly: Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the mission-critical elements of your IT environment from scratch. Without access to complete, uncompromised backups, this requires a wide complement of skills, well-coordinated project management, and the ability to work 24x7 until the job is done.

For decades, Progent has offered certified expert IT services for businesses in San Juan and throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have been awarded advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience with financial systems and ERP application software. This breadth of experience gives Progent the skills to quickly identify necessary systems and re-organize the surviving pieces of your computer network system after a ransomware event and assemble them into a functioning system.

Progent's security group uses powerful project management tools to coordinate the sophisticated restoration process. Progent knows the importance of working quickly and in concert with a client's management and Information Technology resources to prioritize tasks and to put essential systems back on line as fast as possible.

Client Story: A Successful Ransomware Virus Restoration
A small business hired Progent after its organization was taken over by Ryuk crypto-ransomware. Early analysis linked Ryuk to North Korean state-sponsored operators because it shares code with the Hermes ransomware; later research attributed it to Russian-speaking criminal groups. Ryuk targets specific companies with little or no tolerance for disruption and is among the most lucrative ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago with about 500 employees. The Ryuk attack had disabled all essential business operations and manufacturing processes. Most of the client's backups had been on-line at the time of the attack and were encrypted along with the production data. The client was actively seeking loans to pay the ransom (exceeding $200,000) and hoping for good luck, but in the end reached out to Progent.


"I cannot speak enough in regards to the support Progent gave us during the most fearful time of (our) company's survival. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent group provided us. The fact that you could get our messaging and critical servers back on-line in less than seven days was amazing. Each consultant I spoke to or texted at Progent was urgently focused on getting us operational and was working 24/7 to bail us out."

Progent worked hand in hand with the client to quickly understand and prioritize the key areas that had to be recovered in order to restart departmental functions:

  • Microsoft Active Directory
  • Email
  • Financials/MRP

To start, Progent followed incident response best practices by isolating the affected systems and removing the malware before any rebuilding began. Progent then started recovering Microsoft Active Directory, the heart of enterprise systems built on Windows Server. Microsoft Exchange will not run without AD, and the client's financials and MRP system ran on Microsoft SQL Server, which relied on Active Directory for Windows authentication and authorization to the databases.

Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then reinstalled and recovered the storage of the critical servers. Because the restored AD still carried all Exchange-related attributes intact, the rebuild of Exchange was accelerated. Progent was also able to locate unencrypted OST files (Microsoft Outlook Offline Data Files) on staff desktop computers and use them to recover email data; this works only for OST files that escaped encryption, so each candidate file has to be checked before it is relied on. A recent off-line backup of the client's accounting/ERP systems made it possible to return these essential applications to users. Although a large amount of work remained to recover fully from the Ryuk damage, the most important systems were restored rapidly:


"For the most part, the production line operation ran fairly normal throughout and we produced all customer shipments."

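The OST recovery above depends on telling which Outlook data files on the workstations survived encryption. The following triage script is an added example written for this page, not Progent's tooling. It assumes that an intact PST/OST file begins with the 4-byte signature "!BDN" and carries a 16-bit format version at offset 10 (as documented in [MS-PST]), that a file the ransomware overwrote has lost that header and has near-random leading bytes, and that the ransomware may have renamed files by appending a suffix (the ".RYK" suffix in the constructed sample mimics Ryuk's). The sample directory tree is constructed data, not real user files.

```python
"""Triage Outlook data files (.ost/.pst) left on workstations after a
file-encrypting ransomware attack.

Added example; not Progent's tooling. Assumptions: an intact PST/OST file
starts with the signature "!BDN" and has a little-endian uint16 format
version (wVer) at offset 10 per [MS-PST]; an encrypted file has lost that
header and its leading bytes look like ciphertext. The sample tree built by
build_sample_tree() is constructed data; ".RYK" mimics Ryuk's appended suffix.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

PST_MAGIC = b"!BDN"
SAMPLE_BYTES = 4096   # enough header to classify; avoids reading whole files
HIGH_ENTROPY = 7.5    # bits/byte; ciphertext sits near 8.0, PST headers far lower
# wVer values: 14/15 ANSI, 23 Unicode (from [MS-PST]); 36 is observed in
# Outlook 2013+ OST files (assumption, not covered by [MS-PST]).
PST_VERSIONS = {14: "ANSI", 15: "ANSI", 23: "Unicode", 36: "Unicode OST (2013+)"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pst_version(head: bytes) -> Optional[int]:
    """wVer from the PST header (uint16 LE at offset 10), or None if not a PST."""
    if len(head) < 12 or not head.startswith(PST_MAGIC):
        return None
    return int.from_bytes(head[10:12], "little")


def classify(head: bytes) -> str:
    """'intact' if the PST signature is present, 'encrypted' if the leading
    bytes look like ciphertext, otherwise 'unknown' (truncated, zero-filled...)."""
    if head.startswith(PST_MAGIC):
        return "intact"
    if shannon_entropy(head) >= HIGH_ENTROPY:
        return "encrypted"
    return "unknown"


def triage(root: Path) -> dict:
    """Walk `root` for Outlook data files, including ones the ransomware
    renamed (mail.ost.RYK still has '.ost' among its suffixes), and bucket
    them by classification. Paths are reported relative to `root`, sorted."""
    buckets = {"intact": [], "encrypted": [], "unknown": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if not {s.lower() for s in path.suffixes} & {".ost", ".pst"}:
            continue
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        buckets[classify(head)].append(path.relative_to(root).as_posix())
    return {k: sorted(v) for k, v in buckets.items()}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one intact Unicode OST, one OST encrypted and
    renamed by the ransomware, one zero-filled PST that is neither."""
    alice, bob = root / "Users" / "alice", root / "Users" / "bob"
    alice.mkdir(parents=True)
    bob.mkdir(parents=True)
    # Intact: "!BDN", 4-byte CRC placeholder, 2-byte client magic, wVer=23 (Unicode).
    header = PST_MAGIC + b"\x00" * 4 + b"\x00\x00" + (23).to_bytes(2, "little")
    (alice / "alice@example.com.ost").write_bytes(header.ljust(SAMPLE_BYTES, b"\x00"))
    # Encrypted: a fixed-seed PRNG stands in for ciphertext so the demo is repeatable.
    (bob / "bob@example.com.ost.RYK").write_bytes(random.Random(1234).randbytes(SAMPLE_BYTES))
    # Damaged: a zero-filled file is neither a valid PST nor ciphertext.
    (bob / "archive.pst").write_bytes(b"\x00" * SAMPLE_BYTES)


def run_demo() -> dict:
    """Build the constructed sample tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for bucket, files in run_demo().items():
        print(f"{bucket}: {files}")
```

Run it against a mounted workstation image (or an admin share of each desktop) instead of the sample tree by calling triage() on that path. Only files in the "intact" bucket are worth importing; an OST additionally has to match the mailbox it was cached from, which is why preserving the Exchange attributes in AD mattered in this recovery.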
Over the next month important milestones in the restoration project were made in tight collaboration between Progent team members and the customer:

  • Self-hosted web applications were restored without losing any data.
  • The MailStore Server containing more than 4 million archived messages was brought on-line and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were completely functional.
  • A new Palo Alto Networks PA-850 firewall was set up.
  • Nearly all of the user workstations were fully operational.

"A huge amount of what was accomplished in the early hours is mostly a haze for me, but my management will not soon forget the dedication each of you accomplished to help get our business back. I've trusted Progent for the past 10 years, maybe more, and each time I needed help Progent has come through and delivered. This time was a Herculean accomplishment."

Conclusion
A probable company-ending catastrophe was averted by dedicated professionals, a broad spectrum of subject matter expertise, and close collaboration. Post-incident forensics showed that the intrusion described here should have been identified and stopped by current security controls and NIST Cybersecurity Framework best practices: user and IT administrator education, sound procedures for protecting data, and keeping systems current with security patches. The fact remains that state-sponsored and criminal attackers from China, North Korea and elsewhere are tireless and an ongoing threat. If you are hit by a ransomware attack, you can be confident that Progent's team has substantial experience in ransomware defense, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for allowing me to get some sleep after we made it past the initial fire. Everyone did an amazing effort, and if any of your guys is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in San Juan a portfolio of remote monitoring and security assessment services to help you to reduce your vulnerability to ransomware. These services incorporate next-generation artificial intelligence capability to detect zero-day strains of ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates behavior analysis tools to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely get by legacy signature-based AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a unified platform to manage the complete malware attack progression including filtering, infiltration detection, containment, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and automatic system-wide immunization against newly discovered attacks. Rollback depends on the shadow copies still being present, and many ransomware families delete them, so it complements rather than replaces an offline backup. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable, in-depth security for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring of and response to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint management, and web filtering via technologies incorporated within one agent accessible from a single console. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP environment that meets your organization's unique requirements and that helps you demonstrate compliance with government and industry information protection regulations. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require urgent attention. Progent can also help your company set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and medium-sized organizations a low-cost, fully managed service for secure backup and disaster recovery. Available at a low monthly cost, ProSight DPS automates your backup processes and allows fast restoration of critical data, applications and virtual machines that have been lost or damaged as a result of hardware breakdowns, software glitches, natural disasters, human error, or malware attacks such as ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, apps, system images, plus Hyper-V and VMware images. Critical data can be protected in the cloud, on a local storage device, or mirrored to both. Progent's BDR specialists can provide advanced expertise to set up ProSight DPS to be compliant with government and industry regulatory requirements such as HIPAA, FERPA, and PCI and, whenever necessary, can help you recover your business-critical data. Find out more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security companies to deliver centralized control and world-class security for all your inbound and outbound email. The hybrid architecture of the Email Guard managed service integrates a Cloud Protection Layer with a local security gateway appliance to offer advanced protection against spam, viruses, denial-of-service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of threats before they reach your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite security gateway device provides a further level of inspection for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server monitor and protect internal email that stays within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to diagram, track, enhance and troubleshoot their networking appliances like switches, firewalls, and load balancers plus servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends notices when problems are discovered. By automating time-consuming management activities, ProSight WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, locating appliances that need critical updates, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your network running efficiently by tracking the health of critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT staff and your Progent consultant so all looming problems can be addressed before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be ported easily to a different hardware solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard information about your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL/TLS certificates or warranties. By updating and organizing your network documentation, you can eliminate up to 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your business network, such as recommended procedures and how-to's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24x7x365 San Juan Crypto-Ransomware Removal Experts, contact Progent at 800-993-9400 or go to Contact Progent.