Ransomware : Your Worst Information Technology Nightmare
Ransomware Remediation Professionals
Ransomware has become a too-frequent cyberplague that represents an existential threat for organizations poorly prepared for an attack. Versions of ransomware like the Reveton, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for many years and continue to inflict harm. The latest strains of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nephilim, as well as other as-yet-unnamed variants, not only encrypt online data files but also encrypt any reachable system restore points and backups. Data synced to cloud environments can also be rendered useless. In a poorly designed data protection solution, this renders automatic restore operations useless and effectively knocks the network back to zero.

Restoring services and data following a crypto-ransomware outage becomes a race against time as the targeted organization struggles to contain the damage, clear the virus, and resume mission-critical operations. Since crypto-ransomware requires time to spread, attacks are usually sprung during weekends and nights, when successful attacks are likely to take longer to discover. This multiplies the difficulty of rapidly assembling and coordinating a capable response team.

Progent offers an assortment of services for securing businesses from ransomware penetrations. Among these are user training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of security appliances with artificial intelligence technology to automatically discover and disable zero-day cyber attacks. Progent can also provide the services of experienced ransomware recovery professionals with the track record and perseverance to reconstruct a breached environment as urgently as possible.

Progent's Ransomware Restoration Services
Following a crypto-ransomware attack, sending the ransom in Bitcoin cryptocurrency does not guarantee that distant criminals will return the keys needed to decrypt any or all of your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the typical ransomware demand, which ZDNET determined to be in the range of $13,000. The fallback is to re-install the vital parts of your Information Technology environment. Without access to full system backups, this calls for a wide complement of skills, professional project management, and the capability to work continuously until the task is done.

For two decades, Progent has provided certified expert Information Technology services for companies in Sherman Oaks and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have been awarded high-level industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial management and ERP application software. This breadth of expertise gives Progent the ability to knowledgeably identify critical systems after a ransomware penetration, re-organize the surviving pieces of your network, and configure them into a functioning system.

Progent's team of ransomware experts uses top-notch project management tools to coordinate the complex recovery process. Progent understands the urgency of acting quickly and in concert with a customer's management and Information Technology resources to prioritize tasks and get essential applications back online as soon as possible.

Customer Story: A Successful Crypto-Ransomware Penetration Recovery
A customer escalated to Progent after their network was attacked by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored hackers, suspected of using algorithms exposed from the U.S. NSA organization. Ryuk targets specific companies with limited ability to sustain disruption and is one of the most profitable ransomware variants. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer located in the Chicago metro area with around 500 employees. The Ryuk event had brought down all business operations and manufacturing processes. The majority of the client's data backups had been directly accessible from the network at the start of the attack and were destroyed. The client was actively seeking loans to pay the ransom (exceeding $200,000) and hoping for good luck, but ultimately brought in Progent.

"I cannot thank you enough for the expertise Progent provided us throughout the most stressful time of (our) company's life. We had little choice but to pay the hackers behind this attack except for the confidence the Progent team provided us. That you were able to get our e-mail system and key servers back faster than one week was incredible. Each person I interacted with or communicated with at Progent was urgently focused on getting us restored and was working 24 by 7 to bail us out."

Progent worked with the customer to rapidly assess and prioritize the key areas that needed to be addressed in order to restart departmental operations:

  • Active Directory (AD)
  • Exchange Server
  • Financials/MRP

To get started, Progent adhered to anti-virus incident mitigation best practices by isolating and clearing infected systems. Progent then began rebuilding Microsoft AD, the core of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange email will not function without AD, and the customer's accounting and MRP applications used Microsoft SQL Server, which needs Active Directory for access to the data.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then completed setup and storage recovery of essential servers. All Exchange Server schema and attributes were intact, which facilitated the restore of Exchange. Progent was able to collect non-encrypted OST files (Outlook Offline Data Files) from team workstations in order to recover mail data. A recent offline backup of the business's accounting/MRP software allowed these required programs to be brought back online. Although a large amount of work remained to recover fully from the Ryuk event, the most important services were restored rapidly:

"For the most part, the production operation was never shut down and we produced all customer orders."

Throughout the following month, critical milestones in the recovery project were achieved through tight cooperation between Progent team members and the customer:

  • Self-hosted web applications were brought back up without losing any information.
  • The MailStore Exchange Server with over 4 million historical emails was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoicing/AP/AR/Inventory capabilities were 100 percent restored.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Most of the desktop computers were back into operation.

"A lot of what happened in the initial days is nearly entirely a blur for me, but my team will not forget the countless hours each and every one of your team accomplished to help get our business back. I have utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This time was the most impressive ever."

Conclusion
A possible business extinction catastrophe was averted due to dedicated experts, a wide spectrum of knowledge, and tight teamwork. In post mortem, the ransomware incident detailed here would have been identified and stopped with up-to-date security technology and security best practices, staff education, and properly executed incident response procedures for data backup and keeping systems current with security patches. Nonetheless, government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware virus, be confident that Progent's team of professionals has a proven track record in ransomware defense, remediation, and data disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), thank you for letting me get some sleep after we made it over the first week. All of you made an incredible effort, and if anyone is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Sherman Oaks a portfolio of remote monitoring and security evaluation services designed to help you reduce your vulnerability to ransomware. These services incorporate next-generation AI capability to uncover new strains of ransomware that can escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes next generation behavior-based machine learning technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which easily evade traditional signature-based anti-virus products. ProSight ASM safeguards local and cloud-based resources and offers a single platform to manage the complete malware attack progression including filtering, detection, containment, remediation, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and response to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering via cutting-edge tools packaged within a single agent managed from a unified control. Progent's data protection and virtualization experts can help your business plan and implement a ProSight ESP environment that addresses your organization's specific requirements and that allows you to demonstrate compliance with government and industry information protection regulations. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate action. Progent's consultants can also help you install and test a backup and restore system like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery
    ProSight Data Protection Services provide small and medium-sized organizations a low-cost end-to-end solution for secure backup and disaster recovery. Available at a fixed monthly rate, ProSight Data Protection Services automates your backup processes and allows rapid recovery of critical files, applications and virtual machines that have been lost or damaged due to hardware failures, software bugs, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you protect, recover and restore files, folders, applications, system images, as well as Microsoft Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises device, or both. Progent's BDR consultants can provide world-class support to configure ProSight Data Protection Services to comply with regulatory standards like HIPAA, FINRA, and PCI and, when needed, can help you restore your critical information. Find out more about ProSight Data Protection Services Managed Backup.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security vendors to provide web-based control and comprehensive protection for all your email traffic. The hybrid architecture of Email Guard integrates cloud-based filtering with an on-premises gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer serves as a first line of defense and keeps most threats from making it to your security perimeter. This decreases your vulnerability to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway device provides a deeper layer of inspection for incoming email. For outgoing email, the local gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map, track, reconfigure and troubleshoot their networking hardware like routers, firewalls, and load balancers as well as servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, captures and manages the configuration of almost all devices connected to your network, tracks performance, and sends notices when potential issues are detected. By automating tedious management activities, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, locating devices that need important software patches, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your network operating efficiently by tracking the health of the critical assets that power your business network. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT staff and your Progent consultant so potential problems can be addressed before they disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting solution without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard information related to your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be warned about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save as much as half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require when you need it. Read more about Progent's ProSight IT Asset Management service.

For 24-Hour Sherman Oaks Crypto Repair Consultants, contact Progent at 800-993-9400 or go to Contact Progent.