Crypto-Ransomware: Your Feared IT Catastrophe
Ransomware Remediation Professionals

Crypto-ransomware has become a modern cyberplague that poses an enterprise-level threat to businesses poorly prepared for an attack. Crypto-ransomware families such as CryptoLocker, Fusob, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been in the wild for many years and continue to cause destruction. Newer ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, along with many unnamed variants, not only encrypts online data but also reaches many configured system restore points and backups. Files replicated to the cloud can be encrypted as well. In a poorly architected data protection solution, this can make automatic recovery impossible and effectively sets the datacenter back to zero.

Restoring services and data after a ransomware event becomes a race against time as the victim struggles to contain the damage, remove the malware, and resume business-critical activity. Because ransomware takes time to move laterally, attacks are usually launched on weekends, when successful penetrations are likely to take longer to discover. This multiplies the difficulty of promptly assembling and coordinating a qualified remediation team.

Progent offers a range of services for protecting businesses from ransomware events. These include staff training to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security solutions with machine learning technology from SentinelOne to identify and contain zero-day threats. Progent also provides experienced ransomware recovery engineers with the track record and perseverance to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys to decrypt all your data. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also very expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000), far above the average ransomware demand, which ZDNET estimates at approximately $13,000. The alternative is to rebuild the vital elements of your IT environment from scratch. Without complete system backups, this requires a broad range of skills, well-coordinated project management, and the willingness to work around the clock until the job is done.

For twenty years, Progent has provided certified expert IT services to companies in Addison and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC (refer to Progent's certifications). Progent also has experience with financial systems and ERP software. This breadth of experience gives Progent the skills to quickly identify the systems that matter, reorganize the surviving parts of your network after a ransomware penetration, and assemble them into a working environment.

Progent's security team uses formal project management tools to coordinate the complex restoration process. Progent understands the urgency of working rapidly and together with a customer's management and IT staff to prioritize tasks and bring critical systems back online as fast as possible.

Customer Story: A Successful Ransomware Attack Recovery
A client contacted Progent after their network was taken over by Ryuk crypto-ransomware. Ryuk is generally attributed to North Korean state-sponsored hackers, who are suspected of using technology leaked from America's National Security Agency. Ryuk targets specific organizations with little or no tolerance for operational disruption and is one of the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in the Chicago metro area with about 500 employees. The Ryuk event had halted all business operations and manufacturing. Most of the client's backups had been online at the time of the attack and were damaged. The client was arranging financing to pay the ransom (more than $200,000) and hoping for good luck, but ultimately engaged Progent.


"I cannot say enough in regards to the help Progent provided us during the most fearful time of (our) company's life. We most likely would have paid the cyber criminals except for the confidence the Progent experts gave us. That you could get our messaging and key applications back online in less than five days was earth shattering. Every single person I talked with or texted at Progent was hell bent on getting our company operational and was working non-stop to bail us out."

Progent worked hand in hand with the client to quickly identify and prioritize the essential applications that had to be restored before departmental functions could resume:

  • Windows Active Directory
  • Exchange Server
  • Accounting/MRP

First, Progent followed ransomware incident response best practices by halting the spread and cleaning the malware from affected systems. Progent then began rebuilding Active Directory, the foundation of enterprise systems built on Microsoft Windows Server. Exchange messaging cannot run without Active Directory, and the customer's financial and MRP applications relied on SQL Server, which depends on Active Directory to authenticate and authorize access to the data.

In less than 48 hours, Progent restored Active Directory services to their pre-penetration state. Progent then assisted with reinstallation and storage recovery of critical applications. All Microsoft Exchange Server data and attributes were usable, which accelerated the Exchange rebuild. Progent was able to collect unencrypted OST files (Microsoft Outlook Offline Data Files) from various PCs and laptops to recover mail messages. A recent offline backup of the business's accounting software made it possible to bring these essential applications back online. Although substantial work remained to recover completely from the Ryuk damage, core services were restored rapidly:


"For the most part, the production manufacturing operation showed little impact and we delivered all customer deliverables."
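The OST recovery step above depends on telling intact Outlook data files apart from ones whose contents were overwritten by the ransomware before they are copied off endpoints. The script below is an added example of that triage, not code from Progent or the case study: it walks a directory tree, picks out Outlook data files, and checks the file header documented in the MS-PST specification (the four bytes "!BDN" at offset 0), which an encrypted copy no longer carries. The sample files it scans, the example.com account name, and the ".locked" extension on one file (standing in for the extension a ransomware family appends) are all constructed for the example.

```python
"""Triage Outlook data files on endpoints during ransomware recovery.

Added example (not Progent's own tooling). The header check follows the
MS-PST specification: an OST/PST file starts with dwMagic 0x4E444221,
i.e. the ASCII bytes "!BDN". A file that was encrypted in place loses
that header, so this separates files worth collecting from ones that are
not. Everything it scans below is constructed inside a temp directory.
"""
import os
import tempfile
from pathlib import Path

PST_MAGIC = b"!BDN"            # MS-PST dwMagic at offset 0 (little-endian 0x4E444221)
DATA_EXTENSIONS = (".ost", ".pst")


def classify_file(path):
    """Return 'intact', 'encrypted' or 'too_small' for one Outlook data file."""
    with open(path, "rb") as fh:
        header = fh.read(len(PST_MAGIC))
    if len(header) < len(PST_MAGIC):
        return "too_small"
    return "intact" if header == PST_MAGIC else "encrypted"


def is_outlook_data_file(name):
    """Match by substring, not suffix, because encrypted files are often renamed
    with an extra extension (e.g. mailbox.ost.locked, a constructed example)."""
    lowered = name.lower()
    return any(ext in lowered for ext in DATA_EXTENSIONS)


def triage(root):
    """Walk `root` and bucket every Outlook data file by header state.
    Lists are sorted so results are deterministic for reporting."""
    results = {"intact": [], "encrypted": [], "too_small": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if is_outlook_data_file(name):
                full = os.path.join(dirpath, name)
                results[classify_file(full)].append(full)
    for bucket in results.values():
        bucket.sort()
    return results


def build_sample_tree():
    """Construct a temp tree mimicking an Outlook profile folder (sample data,
    not real mailbox files): one intact OST, one encrypted PST, one renamed
    encrypted OST, and one unrelated file that must be ignored."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    profile = Path(root) / "Users" / "alice" / "AppData" / "Local" / "Microsoft" / "Outlook"
    profile.mkdir(parents=True)
    # Intact: correct magic followed by filler bytes
    (profile / "alice@example.com.ost").write_bytes(PST_MAGIC + b"\x00" * 60)
    # Encrypted in place: header overwritten with arbitrary bytes (constructed)
    (profile / "archive.pst").write_bytes(bytes(range(64)))
    # Encrypted and renamed with a placeholder ransomware extension (constructed)
    (profile / "old.ost.locked").write_bytes(b"\xff" * 32)
    # Not an Outlook data file at all
    (profile / "notes.txt").write_bytes(b"not an outlook file")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for state, paths in triage(sample_root).items():
        for p in paths:
            print(f"{state:10s} {p}")
```

The header check only confirms that the start of the file survived; a file that passes it should still be opened with Outlook or repaired with Microsoft's Inbox Repair tool before its mail is trusted, and the "encrypted" bucket is worth keeping as evidence of scope for the incident report.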

Over the following weeks, the remaining milestones of the restoration project were completed in close cooperation between Progent engineers and the client:

  • Internal web applications were returned to operation without losing any data.
  • The MailStore Microsoft Exchange Server containing more than 4 million archived messages was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control modules were 100% functional.
  • A new Palo Alto Networks 850 firewall was installed.
  • Ninety percent of the desktop computers were functioning as before the incident.

"So much of what went on that first week is nearly entirely a haze for me, but we will not forget the countless hours each of you put in to give us our company back. I've entrusted Progent for the past 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This situation was the most impressive ever."

Conclusion
A potentially business-ending disaster was averted through the efforts of top-tier experts, a broad array of technical expertise, and close collaboration. In hindsight, the crypto-ransomware incident described here should have been detected and blocked by advanced security technology, ISO/IEC 27001 best practices, staff education, and well-designed procedures for data backup and patch management. Even so, state-sponsored cyber criminals from Russia, China and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware penetration, remember that Progent's team of professionals has a proven track record in ransomware blocking, cleanup, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for making it so I could get rested after we got over the first week. Everyone did an amazing job, and if anyone is in the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Addison a portfolio of online monitoring and security assessment services to help you reduce your exposure to ransomware. These services use modern AI technology to detect zero-day strains of ransomware that can get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's next generation behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-matching AV products. ProSight ASM safeguards local and cloud resources and offers a unified platform to address the complete malware attack lifecycle including protection, detection, mitigation, cleanup, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical in-depth protection for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint control, and web filtering via cutting-edge tools packaged within a single agent managed from a unified control. Progent's security and virtualization consultants can help you to plan and configure a ProSight ESP deployment that meets your organization's specific needs and that helps you prove compliance with legal and industry information protection standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also assist your company to install and test a backup and restore solution like ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup technology companies to produce ProSight Data Protection Services, a portfolio of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup processes and enable non-disruptive backup and rapid recovery of important files, applications, images, and virtual machines. ProSight DPS helps you recover from data loss resulting from hardware failures, natural calamities, fire, cyber attacks like ransomware, user error, malicious insiders, or software bugs. Managed backup services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading information security companies to deliver centralized control and comprehensive protection for your inbound and outbound email. The powerful structure of Email Guard integrates cloud-based filtering with an on-premises gateway appliance to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your vulnerability to inbound attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper layer of inspection for incoming email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server to track and protect internal email that originates and ends within your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to diagram, monitor, optimize and debug their networking appliances like routers and switches, firewalls, and load balancers as well as servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are kept updated, copies and manages the configuration of virtually all devices on your network, monitors performance, and generates alerts when issues are discovered. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off ordinary tasks like making network diagrams, reconfiguring your network, finding appliances that need critical updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by checking the health of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT management personnel and your Progent engineering consultant so any potential problems can be addressed before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host configured and managed by Progent's IT support professionals. With the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hardware environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard data about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can eliminate as much as half of time wasted trying to find vital information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents related to managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that uses behavior-based machine learning technology to guard endpoints and physical and virtual servers against new malware attacks such as ransomware and email phishing, which easily slip past legacy signature-based anti-virus products. Progent ASM services protect local and cloud resources and offer a unified platform to automate the entire threat lifecycle, including filtering, identification, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Desk: Support Desk Managed Services
    Progent's Help Desk managed services allow your IT staff to offload Help Desk services to Progent or to split Service Desk responsibilities transparently between your internal support resources and Progent's extensive pool of certified IT support engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless extension of your internal support group. Client interaction with the Help Desk, delivery of support, issue escalation, ticket creation and updates, performance measurement, and maintenance of the support database remain consistent whether issues are handled by your internal support group, by Progent, or by a combination of the two. Find out more about Progent's outsourced/co-managed Service Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management offer businesses of any size a flexible and affordable solution for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your dynamic information network. In addition to optimizing the security and reliability of your computer network, Progent's patch management services permit your in-house IT team to focus on line-of-business initiatives and tasks that derive the highest business value from your network. Read more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to protect against password theft through two-factor authentication. Duo enables one-tap identity confirmation with iOS, Google Android, and other out-of-band devices. With 2FA, whenever you sign in to a protected application and enter your password, you are asked to confirm your identity using a device that only you possess and that is reached over a separate network channel. A wide range of out-of-band devices can be used for this second factor, including an iPhone, an Android phone, a smartwatch, a hardware token, or a landline phone. You may register several validation devices. To learn more about Duo two-factor authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing suite of real-time management reporting plug-ins created to integrate with the industry's top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.

For Addison 24-7 Crypto Remediation Help, reach out to Progent at 800-462-8800 or go to Contact Progent.