Ransomware: Your Worst Information Technology Nightmare
Ransomware has become a too-frequent cyberplague that represents an existential threat for organizations poorly prepared for an attack. Different versions of ransomware such as Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been running rampant for years and continue to inflict destruction. The latest strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with daily as yet unnamed malware, not only encrypt online files but also infect most configured system backups. Data synchronized to the cloud can also be ransomed. In a poorly architected data protection solution, this can render any recovery useless and effectively set the datacenter back to square one.

Getting applications and information back online after a ransomware attack becomes a sprint against time as the targeted organization struggles to contain the damage, clean up the virus, and restore mission-critical operations. Because ransomware requires time to move laterally, assaults are frequently sprung on weekends, when attacks typically take longer to recognize. This multiplies the difficulty of promptly marshalling and organizing an experienced mitigation team.

Progent provides a range of services for securing businesses from ransomware penetrations. These include user education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security gateways with machine learning technology to quickly detect and quarantine day-zero cyber threats. Progent also offers the assistance of experienced crypto-ransomware recovery consultants with the track record and perseverance to restore a compromised network as soon as possible.

Progent's Ransomware Restoration Services
After a crypto-ransomware penetration, paying the ransom demands in Bitcoin cryptocurrency does not ensure that criminal gangs will return the needed codes to decrypt any or all of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their data even after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from 15 to 40 BTC (between $120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET estimates to be around $13,000. The other path is to set up the vital parts of your Information Technology environment from scratch. Absent the availability of complete information backups, this calls for a broad complement of skill sets, top-notch project management, and the willingness to work non-stop until the job is complete.

For two decades, Progent has made available professional Information Technology services for businesses in Stockton and across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned top industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise in financial systems and ERP software solutions. This breadth of experience affords Progent the capability to efficiently identify critical systems and re-organize the surviving components of your computer network environment after a ransomware penetration and configure them into an operational system.

Progent's security team of experts deploys powerful project management systems to coordinate the sophisticated recovery process. Progent understands the importance of acting rapidly and in unison with a client's management and Information Technology resources to assign priority to tasks and to put the most important systems back on-line as soon as possible.

Customer Story: A Successful Ransomware Intrusion Response
A customer engaged Progent after their company was brought down by Ryuk ransomware. Ryuk is thought to have been developed by North Korean government-sponsored cybercriminals, suspected of using technology leaked from the United States National Security Agency. Ryuk seeks specific organizations with little room for operational disruption and is among the most lucrative instances of ransomware. Highly publicized victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area and has around 500 workers. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's system backups had been online at the start of the intrusion and were encrypted. The client was pursuing financing for paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.


"I cannot speak enough in regards to the support Progent gave us during the most critical time of (our) companyís life. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent group provided us. That you could get our messaging and critical applications back on-line faster than five days was earth shattering. Every single consultant I spoke to or e-mailed at Progent was totally committed on getting us restored and was working 24 by 7 to bail us out."

Progent worked hand in hand with the customer to quickly identify and prioritize the key systems that had to be restored in order to continue company functions:

  • Active Directory
  • Microsoft Exchange Server
  • Financials/MRP

To begin, Progent adhered to industry best practices for ransomware penetration response by isolating and cleaning up compromised systems. Progent then started the task of bringing Microsoft Active Directory back online, the key technology of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not operate without Windows AD, and the customer's MRP system used Microsoft SQL, which needs Active Directory for authentication to the information.

Within 2 days, Progent was able to restore Active Directory services to its pre-virus state. Progent then completed rebuilding and hard drive recovery of critical applications. All Microsoft Exchange Server data and configuration information were usable, which accelerated the restore of Exchange. Progent was able to assemble local OST files (Microsoft Outlook Offline Data Files) on user PCs to recover email information. A fairly recent offline backup of the business's accounting systems made it possible to return these required programs to service for users. Although major work remained to recover completely from the Ryuk attack, critical systems were recovered rapidly:


"For the most part, the production operation ran fairly normal throughout and we did not miss any customer orders."

During the next few weeks important milestones in the restoration project were completed through close cooperation between Progent consultants and the client:

  • In-house web sites were brought back up without losing any data.
  • The MailStore Server containing more than 4 million archived emails was spun up and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory functions were 100 percent recovered.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Nearly all of the user workstations were being used by staff.

"Much of what transpired in the initial days is nearly entirely a fog for me, but our team will not soon forget the dedication each of the team accomplished to give us our business back. I have utilized Progent for at least 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A probable business-ending catastrophe was averted through the efforts of results-oriented experts, a wide range of subject matter expertise, and tight collaboration. Although in hindsight the ransomware incident detailed here could have been stopped with modern security systems and NIST Cybersecurity Framework best practices, staff education, and properly executed security procedures for backup and patching controls, the reality remains that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has proven experience in ransomware virus blocking, mitigation, and file recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), Iím grateful for making it so I could get rested after we made it over the initial push. All of you did an impressive job, and if any of your guys is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Stockton a range of remote monitoring and security assessment services to assist you to minimize your vulnerability to ransomware. These services incorporate modern AI technology to detect zero-day strains of ransomware that can evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates next generation behavior-based analysis tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily escape legacy signature-matching AV products. ProSight Active Security Monitoring protects local and cloud resources and offers a unified platform to automate the complete malware attack progression including protection, infiltration detection, mitigation, cleanup, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP provides firewall protection, penetration alerts, endpoint management, and web filtering through cutting-edge tools packaged within one agent managed from a single control. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP deployment that meets your organization's specific needs and that helps you prove compliance with government and industry data protection standards. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent can also help your company to install and verify a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and mid-sized organizations an affordable end-to-end service for reliable backup/disaster recovery (BDR). For a low monthly cost, ProSight DPS automates and monitors your backup activities and enables rapid recovery of critical data, apps and virtual machines that have become unavailable or damaged due to component failures, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you protect, retrieve and restore files, folders, apps, system images, plus Hyper-V and VMware images. Important data can be backed up on the cloud, to a local device, or mirrored to both. Progent's BDR specialists can provide world-class support to configure ProSight Data Protection Services to be compliant with regulatory requirements like HIPAA, FINRA, and PCI and, when needed, can help you to recover your critical information. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top information security vendors to provide web-based management and comprehensive protection for all your inbound and outbound email. The powerful architecture of the Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to provide advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of threats from making it to your security perimeter. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage space. Email Guard's on-premises gateway appliance provides a deeper layer of analysis for incoming email. For outbound email, the onsite security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also help Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map out, track, enhance and debug their connectivity hardware like routers, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept updated, copies and manages the configuration of almost all devices on your network, monitors performance, and generates alerts when issues are detected. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary tasks like network mapping, expanding your network, locating appliances that need important updates, or resolving performance issues. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network operating efficiently by checking the health of critical assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your specified IT management staff and your Progent engineering consultant so that all potential problems can be addressed before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the apps. Because the system is virtualized, it can be moved easily to an alternate hosting solution without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs or warranties. By cleaning up and organizing your network documentation, you can save as much as half of the time thrown away looking for critical information about your network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.
For 24x7 Stockton CryptoLocker Removal Consultants, contact Progent at 800-993-9400 or go to Contact Progent.