Crypto-Ransomware : Your Crippling Information Technology Disaster
Ransomware has become an escalating cyberplague that represents an extinction-level danger for organizations unprepared for an attack. Multiple generations of ransomware such as Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been running rampant for a long time and continue to inflict havoc. More recent strains of crypto-ransomware such as Ryuk and Hermes, as well as frequent as-yet-unnamed variants, not only encrypt online files but also infiltrate every backup they can reach. Data synchronized to the cloud can also be rendered useless. In a vulnerable data protection solution, this can make automated restore operations hopeless and effectively knocks the entire system back to zero.
Recovering applications and information following a ransomware event becomes a sprint against time as the targeted business tries its best to contain and clear the ransomware and to restore mission-critical activity. Since crypto-ransomware requires time to move laterally, the encryption stage is frequently triggered during nights and weekends, when a successful attack may take longer to recognize. This compounds the difficulty of promptly marshalling and coordinating a capable mitigation team.
Progent offers a range of solutions for securing businesses from ransomware attacks. Among these are user education to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security solutions with artificial intelligence capabilities to quickly discover and suppress zero-day threats. Progent also provides the assistance of veteran ransomware recovery consultants with the track record and commitment to reconstruct a breached network as quickly as possible.
Progent's Ransomware Recovery Services
Subsequent to a ransomware event, paying the ransom in cryptocurrency does not ensure that distant criminals will respond with the keys needed to decipher any of your information. Kaspersky estimated that seventeen percent of ransomware victims never restored their files after having sent off the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET puts in the range of $13,000. The other path is to piece back together the vital elements of your IT environment. Without access to full information backups, this requires a broad complement of IT skills, professional project management, and the ability to work continuously until the task is over.
For twenty years, Progent has provided certified expert Information Technology services for businesses in San Rafael and across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained top industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have garnered internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent in addition has experience in financial management and ERP application software. This breadth of experience gives Progent the capability to knowledgeably identify critical systems, organize the remaining parts of your Information Technology system after a ransomware event, and assemble them into an operational system.
Progent's ransomware team of experts uses top-notch project management systems to coordinate the sophisticated restoration process. Progent understands the importance of working swiftly and together with a customer's management and IT resources to assign priority to tasks and to get the most important applications back online as soon as possible.
Case Study: A Successful Ransomware Attack Recovery
A business escalated to Progent after their organization was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state hackers, suspected of adopting techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with little tolerance for disruption and is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer located in Chicago with about 500 employees. The Ryuk event had disabled all company operations and manufacturing capabilities. The majority of the client's backups had been online at the beginning of the attack and were damaged. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but ultimately reached out to Progent.
"I can't say enough in regards to the support Progent provided us during the most critical period of (our) company's life. We may have had to pay the cybercriminals if not for the confidence the Progent team afforded us. That you were able to get our e-mail system and important servers back on-line in less than a week was earth-shattering. Each consultant I got help from or texted at Progent was absolutely committed to getting our company operational and was working at all hours on our behalf."
Progent worked together with the customer to quickly assess and prioritize the key applications that had to be restored in order to resume company functions:
- Active Directory (AD)
- Microsoft Exchange Email
- Accounting and Manufacturing Software
To start, Progent followed industry best practices for anti-virus/malware incident response by stopping lateral movement and clearing infected systems. Progent then initiated the work of recovering Microsoft AD, the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server email will not work without AD, and the customer's financials and MRP system relied on Microsoft SQL Server, which needs Active Directory services for access to the databases.
In less than 2 days, Progent was able to rebuild Active Directory services to their pre-virus state. Progent then performed reinstallations and storage recovery on the needed servers. All Exchange Server ties and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Offline Folder Files) on team PCs in order to recover email data. A recent offline backup of the business's accounting/MRP software made it possible to bring these required programs back online for users. Although major work still had to be done to recover completely from the Ryuk attack, core services were returned to operation quickly:
"For the most part, the production operation ran fairly normally throughout and we made all customer sales."
Over the next couple of weeks important milestones in the restoration project were accomplished through close cooperation between Progent engineers and the client:
- In-house web sites were restored with no loss of information.
- The MailStore email archive server, holding more than four million archived emails, was restored to operation and available for users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control modules were completely restored.
- A new Palo Alto Networks 850 firewall was installed.
- Ninety percent of the user workstations were back in use by staff.
"A huge amount of what went on during the initial response is nearly entirely a haze for me, but we will not forget the care all of the team accomplished to help get our company back. I've entrusted Progent for the past 10 years, maybe more, and every time Progent has shined and delivered. This event was a stunning achievement."
A possible company-ending catastrophe was avoided thanks to hard-working experts, a broad range of subject matter expertise, and close collaboration. Although in hindsight the crypto-ransomware penetration detailed here could have been stopped with advanced security systems and security best practices, staff training, and well-thought-out incident response procedures for backup and proper patching controls, the reality is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by crypto-ransomware, remember that Progent's team of experts has extensive experience in ransomware defense, cleanup, and file recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for allowing me to get some sleep after we made it past the initial fire. Everyone made a fabulous effort, and if any of you guys are in the Chicago area, a great meal is my treat!"
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in San Rafael a range of remote monitoring and security assessment services to help you to minimize the threat from ransomware. These services incorporate modern AI technology to uncover new strains of ransomware that are able to get past traditional signature-based anti-virus products.
For San Rafael 24/7/365 CryptoLocker Repair Help, contact Progent at 800-993-9400 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting edge behavior analysis technology to guard physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which easily evade traditional signature-matching anti-virus tools. ProSight ASM safeguards local and cloud resources and offers a unified platform to manage the entire threat progression including filtering, detection, containment, remediation, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection services deliver affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides firewall protection, penetration alerts, endpoint control, and web filtering via cutting-edge tools packaged within one agent managed from a unified control. Progent's security and virtualization consultants can assist your business to plan and implement a ProSight ESP environment that addresses your organization's specific needs and that helps you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require immediate attention. Progent's consultants can also assist you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery
ProSight Data Protection Services from Progent offer small and medium-sized businesses a low-cost and fully managed solution for secure backup/disaster recovery. Available at a low monthly rate, ProSight DPS automates your backup processes and allows fast recovery of vital data, apps and VMs that have become lost or damaged due to component failures, software glitches, disasters, human mistakes, or malicious attacks such as ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, apps, system images, as well as Microsoft Hyper-V and VMware images. Critical data can be backed up to the cloud, to an on-premises device, or to both. Progent's cloud backup specialists can provide advanced expertise to set up ProSight Data Protection Services to be compliant with government and industry regulatory requirements like HIPAA, FIRPA, PCI and Safe Harbor and, whenever necessary, can help you to restore your business-critical data. Learn more about ProSight Data Protection Services Managed Backup and Recovery.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security companies to provide centralized management and world-class protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway device adds a further level of analysis for inbound email. For outbound email, the onsite security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, monitor, enhance and troubleshoot their networking hardware such as switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and manages the configuration of almost all devices connected to your network, monitors performance, and sends notices when issues are detected. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, locating appliances that need critical updates, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your IT system operating at peak levels by checking the health of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT management staff and your assigned Progent engineering consultant so that all looming issues can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the apps. Because the system is virtualized, it can be ported immediately to a different hosting environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect data about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can save up to half of the time spent searching for critical information about your IT network. ProSight IT Asset Management features a common repository for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.