Ransomware: Your Worst IT Disaster
Ransomware Recovery Professionals
Ransomware has become a modern cyberplague that represents an extinction-level threat for businesses poorly prepared for an attack. Different versions of ransomware like the CrySIS, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to cause havoc. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as other as-yet-unnamed strains, not only encrypt online files but also infiltrate most available system restores and backups. Data synced to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, this can render any restoration useless and basically sets the entire system back to square one.

Getting applications and information back online following a crypto-ransomware attack becomes a race against time as the victim struggles to contain and clear the ransomware and to restore enterprise-critical activity. Since ransomware needs time to spread, attacks are frequently sprung during nights and weekends, when successful penetrations in many cases take longer to identify. This compounds the difficulty of quickly marshalling and coordinating a capable response team.

Progent provides an assortment of services for securing organizations from ransomware attacks. Among these are team training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of modern security solutions with AI technology to quickly identify and quarantine new cyber attacks. Progent in addition provides the services of experienced crypto-ransomware recovery professionals with the skills and perseverance to restore a compromised environment as soon as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that the attackers will respond with the keys to decrypt any or all of your files. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The cost is also steep. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET averages to be in the range of $13,000. The other path is to re-install the critical elements of your Information Technology environment. Absent access to essential data backups, this calls for a broad complement of IT skills, well-coordinated project management, and the willingness to work continuously until the recovery project is complete.

For decades, Progent has provided professional IT services for companies in Petaluma and throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned advanced certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally renowned certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial systems and ERP software solutions. This breadth of experience gives Progent the skills to knowledgeably identify critical systems, integrate the surviving components of your Information Technology system following a ransomware penetration, and configure them into a functioning network.

Progent's ransomware group utilizes top notch project management applications to orchestrate the complicated restoration process. Progent appreciates the urgency of working quickly and in concert with a client's management and Information Technology staff to assign priority to tasks and to get critical services back on line as soon as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Incident Recovery
A customer sought out Progent after their network was brought down by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state criminal gangs, suspected of using approaches leaked from the United States NSA. Ryuk targets specific companies with little room for disruption and is among the most lucrative versions of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area with around 500 workers. The Ryuk penetration had paralyzed all business operations and manufacturing processes. Most of the client's backups had been directly accessible at the beginning of the attack and were destroyed. The client was preparing to pay the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.


"I can't speak enough about the help Progent provided us during the most stressful period of (our) business's existence. We would have paid the cyber criminals behind the attack if not for the confidence the Progent team gave us. That you could get our messaging and key servers back quicker than one week was incredible. Every single staff member I spoke to or communicated with at Progent was hell bent on getting us operational and was working at all hours on our behalf."

Progent worked hand in hand with the client to quickly identify and prioritize the mission-critical elements that needed to be restored to make it possible to continue business functions:

  • Active Directory
  • Microsoft Exchange
  • Accounting and Manufacturing Software
To get going, Progent followed incident response best practices by stopping lateral movement and cleaning systems of malware. Progent then initiated the steps of restoring Active Directory, the heart of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange email will not work without Windows AD, and the business's financials and MRP applications used SQL Server, which relies on Active Directory to authenticate and authorize access to the data.
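The dependency order described above (Active Directory first, then Exchange and SQL Server, then the applications built on them) can be written down as a graph and sorted mechanically so that nothing is rebuilt before the services it needs. The following Python is an added example, not Progent's tooling or anything from the case study; the service names and dependency edges are assumptions drawn from the description above, and the code generalizes to any dependency map of the same shape, including detecting a cyclic plan that cannot be carried out.

```python
"""Dependency-ordered restoration plan (added example; not Progent's tooling).

Each service is listed with the services it requires. The plan is produced
with Kahn's topological sort, so every service appears after everything it
depends on, and services that share no dependency chain are grouped into
waves that can be rebuilt in parallel. The dependency map is an assumption
based on the case study's description, not a record of that environment.
"""
from collections import deque

# Constructed dependency map: service -> set of services it requires.
RECOVERY_DEPENDENCIES = {
    "Active Directory": set(),
    "Microsoft Exchange": {"Active Directory"},
    "SQL Server": {"Active Directory"},
    "Accounting/MRP": {"SQL Server", "Active Directory"},
    "MailStore archive": {"Microsoft Exchange"},
    "Internal web sites": {"Active Directory"},
}


def _normalized(deps):
    """Copy the map and make sure every referenced dependency is a node."""
    graph = {svc: set(req) for svc, req in deps.items()}
    for req in deps.values():
        for r in req:
            graph.setdefault(r, set())
    return graph


def restoration_order(deps):
    """Return services ordered so each comes after everything it needs.

    Raises ValueError when the graph contains a cycle, because a circular
    dependency means the plan cannot be executed as written.
    """
    graph = _normalized(deps)
    indegree = {svc: len(req) for svc, req in graph.items()}
    dependents = {svc: set() for svc in graph}
    for svc, req in graph.items():
        for r in req:
            dependents[r].add(svc)
    # Start with services that need nothing else (sorted for determinism).
    ready = deque(sorted(s for s, d in indegree.items() if d == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for child in sorted(dependents[svc]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(graph):
        stuck = sorted(s for s, d in indegree.items() if d > 0)
        raise ValueError(f"cyclic dependency among: {stuck}")
    return order


def restoration_waves(deps):
    """Group services into waves; wave N needs only services from waves < N."""
    graph = _normalized(deps)
    depth = {}
    for svc in restoration_order(deps):
        # Dependencies are guaranteed to be processed before svc.
        depth[svc] = 1 + max((depth[r] for r in graph[svc]), default=-1)
    waves = {}
    for svc, d in depth.items():
        waves.setdefault(d, []).append(svc)
    return [sorted(waves[d]) for d in sorted(waves)]


if __name__ == "__main__":
    for i, wave in enumerate(restoration_waves(RECOVERY_DEPENDENCIES)):
        print(f"wave {i}: {', '.join(wave)}")
```

Run the file to print the waves: Active Directory alone in wave 0, Exchange, SQL Server and the internal web sites in wave 1, and the accounting/MRP application and mail archive in wave 2. Adding a service with a dependency that points back at something above it raises a ValueError, which is the signal to revisit the plan before work starts.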

In less than 2 days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then performed rebuilding and storage recovery on key systems. All Microsoft Exchange Server schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to find non-encrypted OST data files (Outlook Offline Folder Files) on various desktop computers to recover email information. A recent offline backup of the business's accounting/MRP systems made it possible to restore these essential programs to service. Although major work remained to recover fully from the Ryuk attack, essential systems were returned to operation rapidly:
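Locating surviving Outlook offline data files, as described above, benefits from a quick triage: a file with an .ost extension is only useful if its contents were not encrypted. The following Python is an added example, not Progent's tooling or anything from the case study. It builds a constructed sample profile tree, walks it for OST and PST files, and checks each file's header signature ("!BDN", the magic of the Outlook Personal Folder File format shared by PST and OST files) to separate intact files from ones whose contents have been overwritten. All paths and file names are constructed.

```python
"""Outlook data file triage (added example; not Progent's tooling).

Walks a directory tree (a workstation's Users folder, a disk image mount, a
collection share) and inventories every *.ost and *.pst file, checking the
header so that files the ransomware has already encrypted are not mistaken
for recoverable mail data. PST and OST files share the Personal Folder File
format, whose first four bytes are the signature "!BDN".
"""
import os
import tempfile
from pathlib import Path

PFF_MAGIC = b"!BDN"            # signature at offset 0 of PST/OST files
OUTLOOK_EXTS = {".ost", ".pst"}


def classify_outlook_file(path):
    """Return 'intact', 'damaged' or 'unreadable' for one candidate file."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(len(PFF_MAGIC))
    except OSError:
        return "unreadable"
    # Encrypted or truncated files no longer carry the format signature.
    return "intact" if header == PFF_MAGIC else "damaged"


def inventory_outlook_files(root):
    """Walk root and return a sorted list of dicts, one per OST/PST found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in OUTLOOK_EXTS:
                continue
            full = os.path.join(dirpath, name)
            results.append({
                "path": full,
                "size": os.path.getsize(full),
                "status": classify_outlook_file(full),
            })
    return sorted(results, key=lambda r: r["path"])


def recoverable_files(root):
    """Paths of files worth copying off for mailbox recovery."""
    return [r["path"] for r in inventory_outlook_files(root)
            if r["status"] == "intact"]


def build_sample_tree(base):
    """Create a constructed profile tree: two intact files, one damaged one."""
    base = Path(base)
    alice = base / "Users" / "alice" / "AppData" / "Local" / "Microsoft" / "Outlook"
    alice.mkdir(parents=True, exist_ok=True)
    (alice / "alice@example.com.ost").write_bytes(PFF_MAGIC + b"\x00" * 60)
    (alice / "old-archive.pst").write_bytes(PFF_MAGIC + b"\x00" * 60)
    bob = base / "Users" / "bob" / "AppData" / "Local" / "Microsoft" / "Outlook"
    bob.mkdir(parents=True, exist_ok=True)
    # Simulated encrypted file: the signature has been overwritten.
    (bob / "bob@example.com.ost").write_bytes(b"\x8f\x13\xa2\x77" + b"\x00" * 60)
    (base / "Users" / "bob" / "notes.txt").write_text("not a mail file")
    return base


def demo():
    """Build the sample tree in a temp dir and return {file name: status}."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="ost-triage-"))
    return {Path(r["path"]).name: r["status"]
            for r in inventory_outlook_files(root)}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10s} {name}")
```

On a real workstation the root would be the Users folder of a mounted, write-protected disk image rather than a temp directory. The header check is deliberately conservative: it only confirms that the file still begins like an Outlook data file, so anything marked intact should still be opened with Outlook or a PST reader before it is relied on.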


"For the most part, the assembly line operation was never shut down and we did not miss any customer shipments."

Over the next couple of weeks critical milestones in the recovery process were achieved through close cooperation between Progent engineers and the client:

  • In-house web sites were brought back up without losing any information.
  • The MailStore Exchange Server containing more than four million archived messages was restored to operations and available for users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables (AR)/Inventory Control functions were 100 percent restored.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Ninety percent of the user workstations were operational.

"A lot of what occurred those first few days is nearly entirely a fog for me, but we will not soon forget the dedication all of the team put in to give us our company back. I've been working together with Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A potential business disaster was averted with dedicated experts, a wide range of technical expertise, and close teamwork. Although post-incident forensics showed that the attack described here would have been blocked by modern security systems and best practices, user and IT administrator training, and sound procedures for backups and software patching, the fact remains that state-sponsored hackers from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to ransomware, remember that Progent's team of experts has substantial experience in ransomware blocking, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were helping), I'm grateful for making it so I could get rested after we made it through the initial push. Everyone did a fabulous job, and if anyone is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Petaluma a portfolio of online monitoring and security assessment services designed to assist you to minimize your vulnerability to ransomware. These services include modern artificial intelligence capability to detect new variants of ransomware that can escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes next generation behavior analysis technology to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily evade traditional signature-matching anti-virus products. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform to manage the complete malware attack lifecycle including blocking, infiltration detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer economical in-depth security for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies packaged within one agent managed from a unified console. Progent's security and virtualization consultants can help your business to plan and configure a ProSight ESP deployment that meets your organization's unique requirements and that helps you prove compliance with government and industry data security standards. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for urgent action. Progent can also help your company to set up and verify a backup and restore system like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services offer small and mid-sized organizations an affordable and fully managed solution for reliable backup/disaster recovery. Available at a low monthly price, ProSight Data Protection Services automates and monitors your backup processes and enables rapid recovery of critical data, applications and virtual machines that have become unavailable or damaged due to hardware breakdowns, software bugs, natural disasters, human mistakes, or malicious attacks like ransomware. ProSight Data Protection Services can help you back up, recover and restore files, folders, applications, system images, as well as Hyper-V and VMware virtual machine images. Important data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's BDR specialists can provide advanced support to set up ProSight DPS to be compliant with regulatory requirements like HIPAA, FERPA, and PCI and, whenever necessary, can help you to recover your business-critical data. Learn more about ProSight Data Protection Services Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver centralized management and world-class security for all your email traffic. The powerful structure of Email Guard combines cloud-based filtering with an on-premises gateway device to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter serves as a first line of defense and keeps most threats from making it to your network firewall. This reduces your vulnerability to inbound threats and saves system bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further layer of analysis for incoming email. For outgoing email, the onsite gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Exchange Server to track and protect internal email traffic that stays inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map out, monitor, optimize and troubleshoot their connectivity hardware such as routers and switches, firewalls, and access points plus servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are kept updated, captures and manages the configuration information of almost all devices on your network, monitors performance, and generates alerts when issues are detected. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, locating devices that require important software patches, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your IT system running efficiently by tracking the health of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT management staff and your assigned Progent consultant so all looming problems can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported easily to a different hosting solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard data about your network infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save up to half of the time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your network infrastructure like recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need when you need it. Find out more about Progent's ProSight IT Asset Management service.
For 24x7 Petaluma CryptoLocker Removal Support Services, reach out to Progent at 800-993-9400 or go to Contact Progent.