Ransomware: Your Feared Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic that poses an existential danger for businesses of all sizes unprepared for an assault. Multiple generations of crypto-ransomware like the CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for many years and still inflict destruction. Modern variants of ransomware like Ryuk and Hermes, along with frequent unnamed viruses, not only encrypt online data but also infect all accessible system backups. Files synchronized to cloud environments can also be rendered useless. In a vulnerable environment this renders automated restore operations hopeless and effectively sets the network back to square one.

Getting on-line services and information back after a ransomware attack becomes a race against time as the victim struggles to contain and eradicate the crypto-ransomware and to restore enterprise-critical activity. Because crypto-ransomware takes time to spread, assaults are often sprung on weekends and holidays, when they may take longer to notice. This compounds the difficulty of promptly mobilizing and organizing a knowledgeable response team.

Progent provides a range of help services for protecting organizations from ransomware attacks. Among these are team education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of modern security solutions with machine learning capabilities to rapidly identify and extinguish new cyber threats. Progent also provides the services of seasoned ransomware recovery professionals with the talent and commitment to reconstruct a compromised network as soon as possible.

Progent's Crypto-Ransomware Restoration Help
Subsequent to a ransomware event, sending the ransom in cryptocurrency does not provide any assurance that cyber criminals will provide the keys to decipher any or all of your information. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their data even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to rebuild from scratch the critical parts of your IT environment. Without access to essential data backups, this requires a wide complement of IT skills, professional project management, and the capability to work 24x7 until the job is completed.

For decades, Progent has delivered expert IT services for businesses in Santa Cruz and across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have garnered internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise in financial management and ERP application software. This breadth of expertise gives Progent the ability to quickly identify important systems, consolidate the surviving pieces of your IT system after a ransomware attack, and assemble them into an operational system.

Progent's security group deploys best of breed project management applications to orchestrate the complicated restoration process. Progent understands the importance of working swiftly and in unison with a client's management and Information Technology resources to prioritize tasks and to get key services back on-line as fast as possible.

Customer Story: A Successful Ransomware Virus Recovery
A small business hired Progent after their organization was taken over by the Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean state-sponsored cybercriminals, suspected of adopting approaches exposed from America's NSA organization. Ryuk seeks specific organizations with little room for operational disruption and is one of the most profitable versions of ransomware. Well-known victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in Chicago with around 500 workers. The Ryuk intrusion had brought down all business operations and manufacturing processes. The majority of the client's information backups had been on-line at the time of the intrusion and were destroyed. The client considered paying the ransom demand (more than $200K) and hoping for the best, but in the end utilized Progent.


"I cannot thank you enough in regards to the support Progent gave us during the most critical period of (our) company's life. We had little choice but to pay the criminal gangs except for the confidence the Progent team afforded us. That you were able to get our e-mail system and critical applications back into operation faster than five days was something I thought impossible. Each expert I got help from or communicated with at Progent was absolutely committed on getting us restored and was working non-stop on our behalf."

Progent worked together with the customer to rapidly identify and assign priority to the essential services that needed to be recovered in order to restart departmental functions:

  • Active Directory
  • Microsoft Exchange Server
  • MRP System

To begin, Progent followed anti-malware incident-containment best practices by isolating and cleaning compromised systems. Progent then initiated the steps of recovering Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows Server technology. Exchange email will not function without Windows AD, and the customer's MRP applications leveraged SQL Server, which needs Active Directory for security authorization to the database.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then helped rebuild key servers and recover their hard drives. All Microsoft Exchange Server data and attributes were intact, which facilitated the restore of Exchange. Progent was also able to assemble non-encrypted OST files (Microsoft Outlook Off-Line Folder Files) from various PCs in order to recover mail information. A reasonably recent off-line backup of the business's financials/ERP software made it possible to bring these required applications back online. Although a large amount of work was left to recover fully from the Ryuk event, core services were recovered rapidly:


"For the most part, the assembly line operation survived unscathed and we did not miss any customer sales."
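The OST-salvage step in the story above (collecting non-encrypted Outlook OST files from workstations to recover mail) is the kind of triage a recovery team scripts early. The following is an added example, not Progent's tooling: it walks a directory tree, finds .ost files, and separates ones that still carry the OST/PST on-disk signature "!BDN" and a plausible low-entropy header from ones whose contents look overwritten. The 4 KiB sample size and the 7.0 bits/byte entropy threshold are assumptions chosen for this example, and the sample tree is constructed inline.

```python
import math
import os
import tempfile

# Assumption: Outlook OST/PST files start with the 4-byte signature "!BDN";
# a file encrypted in place by ransomware no longer begins with it.
OST_MAGIC = b"!BDN"
SAMPLE_BYTES = 4096          # header sample examined per file (assumption)
ENTROPY_LIMIT = 7.0          # bits/byte above which data looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; ciphertext/random data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_ost(path: str) -> str:
    """Return 'intact', 'suspect' or 'empty' for one OST file."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if not head:
        return "empty"
    if head.startswith(OST_MAGIC) and shannon_entropy(head) < ENTROPY_LIMIT:
        return "intact"
    return "suspect"          # wrong signature or high-entropy header


def triage_ost_files(root: str) -> dict:
    """Walk root, find *.ost files and group their paths by classification."""
    report = {"intact": [], "suspect": [], "empty": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".ost"):
                full = os.path.join(dirpath, name)
                report[classify_ost(full)].append(full)
    return report


def build_sample_tree() -> str:
    """Constructed sample: one intact-looking OST and one overwritten with random bytes."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "alice", "alice.ost")
    os.makedirs(os.path.dirname(good))
    with open(good, "wb") as fh:
        fh.write(OST_MAGIC + b"\x00" * (SAMPLE_BYTES - len(OST_MAGIC)))
    bad = os.path.join(root, "bob", "bob.ost")
    os.makedirs(os.path.dirname(bad))
    with open(bad, "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))   # stands in for in-place encryption
    return root


if __name__ == "__main__":
    for status, files in triage_ost_files(build_sample_tree()).items():
        print(status, files)
```

Run it against a mounted copy of workstation profile directories (never the live, still-infected machine) to get a list of candidate OST files worth importing into a rebuilt mailbox.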

Throughout the following month key milestones in the recovery process were completed through close collaboration between Progent engineers and the customer:

  • Self-hosted web applications were brought back up without losing any information.
  • The MailStore Exchange Server with over four million archived emails was brought online and available for users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were fully functional.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Nearly all of the user desktops and notebooks were fully operational.

"So much of what happened that first week is nearly entirely a blur for me, but our team will not forget the urgency all of your team put in to help get our company back. I've trusted Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered. This situation was the most impressive ever."

Conclusion
A potential business extinction catastrophe was avoided through the efforts of dedicated experts, a wide array of IT skills, and close teamwork. Although, in post mortem, the ransomware attack described here could have been identified and blocked with current security technology solutions, ISO/IEC 27001 best practices, user training, appropriate incident response procedures for data protection, and timely security patching, the fact is that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and will continue. If you do get hit by a ransomware incursion, remember that Progent's team of professionals has extensive experience in ransomware virus defense, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thanks very much for allowing me to get rested after we made it through the most critical parts. All of you did an amazing job, and if anyone that helped is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Santa Cruz a variety of online monitoring and security evaluation services designed to help you reduce the threat from crypto-ransomware. These services include modern artificial intelligence capability to detect zero-day variants of ransomware that can evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes cutting-edge behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which easily evade legacy signature-matching AV tools. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform to address the complete threat lifecycle including protection, detection, mitigation, remediation, and forensics. Top capabilities include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer economical in-depth security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, device management, and web filtering through leading-edge tools packaged within a single agent managed from a single console. Progent's security and virtualization consultants can assist you to design and configure a ProSight ESP environment that meets your organization's specific requirements and that allows you to prove compliance with government and industry data security regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent's consultants can also assist your company to install and test a backup and restore system like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable end-to-end service for reliable backup/disaster recovery (BDR). For a low monthly cost, ProSight Data Protection Services automates and monitors your backup processes and enables fast recovery of vital data, applications and virtual machines that have become unavailable or corrupted due to hardware breakdowns, software bugs, natural disasters, human error, or malware attacks like ransomware. ProSight Data Protection Services can help you back up, retrieve and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected on the cloud, to a local device, or mirrored to both. Progent's BDR consultants can provide advanced expertise to configure ProSight DPS to be compliant with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, whenever needed, can help you to recover your critical data. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading information security vendors to deliver web-based control and world-class security for all your email traffic. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from reaching your network firewall. This decreases your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper layer of analysis for incoming email. For outbound email, the local security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to monitor and protect internal email that originates and ends inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to diagram, monitor, enhance and debug their networking hardware such as switches, firewalls, and access points plus servers, endpoints and other devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that network maps are always updated, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and generates notices when issues are detected. By automating complex network management activities, WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, locating devices that need important software patches, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by tracking the health of critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT management staff and your Progent engineering consultant so that all potential issues can be addressed before they can impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hosting solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect information related to your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can save up to half the time wasted searching for critical information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your network infrastructure like recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

For Santa Cruz 24/7 Crypto-Ransomware Repair Consulting, call Progent at 800-993-9400 or go to Contact Progent.