Crypto-Ransomware : Your Worst IT Disaster
Ransomware Remediation Experts

Ransomware has become a modern cyberplague that presents an existential danger for organizations vulnerable to an attack. Different versions of ransomware such as the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been out in the wild for many years and still cause harm. More recent versions such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Egregor, plus more as-yet-unnamed newcomers, not only encrypt on-line files but also infiltrate many configured system backups. Files synchronized to the cloud can also be corrupted. In a poorly architected system, this can render any recovery impossible and effectively knocks the network back to zero.

Getting services and data back on-line following a ransomware event becomes a race against the clock as the targeted organization struggles to contain the damage, clean up the virus, and restore enterprise-critical activity. Because ransomware requires time to move laterally, assaults are frequently sprung on weekends and holidays, when successful attacks may take more time to discover. This multiplies the difficulty of quickly assembling and orchestrating a capable mitigation team.

Progent has a variety of services for protecting businesses from ransomware penetrations. These include team education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of modern security appliances with machine learning technology from SentinelOne to identify and disable zero-day threats quickly. Progent also provides the assistance of experienced ransomware recovery professionals with the track record and perseverance to rebuild a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Recovery Support Services
Following a crypto-ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not guarantee that cyber criminals will provide the keys to decipher any or all of your data. Kaspersky ascertained that seventeen percent of ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the usual crypto-ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to rebuild the key parts of your IT environment. Absent the availability of essential data backups, this calls for a wide complement of skills, top-notch project management, and the capability to work continuously until the job is over.

For twenty years, Progent has provided expert IT services for companies in Addison and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded top industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial management and ERP software solutions. This breadth of expertise gives Progent the capability to knowledgeably identify critical systems, organize the remaining components of your Information Technology environment following a crypto-ransomware event, and assemble them into an operational system.

Progent's recovery group utilizes best of breed project management applications to orchestrate the sophisticated recovery process. Progent understands the importance of acting quickly and in concert with a customer's management and Information Technology staff to prioritize tasks and to get essential systems back on-line as soon as possible.

Business Case Study: A Successful Ransomware Incident Recovery
A customer contacted Progent after their network was brought down by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored criminal gangs, possibly using technology leaked from the United States National Security Agency. Ryuk seeks out specific companies with little or no ability to sustain operational disruption and is among the most profitable versions of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in the Chicago metro area with about 500 workers. The Ryuk attack had disabled all essential operations and manufacturing capabilities. The majority of the client's system backups had been online at the start of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom (more than $200,000) and hoping for good luck, but in the end turned to Progent.


"I can't speak enough about the help Progent gave us during the most stressful time of (our) company's life. We had little choice but to pay the cyber criminals except for the confidence the Progent experts provided us. The fact that you could get our e-mail system and critical applications back on-line in less than one week was amazing. Each person I interacted with or messaged at Progent was totally committed to getting our company operational and was working all day and night on our behalf."

Progent worked hand in hand with the client to quickly identify and prioritize the essential applications that needed to be restored in order to continue departmental functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP

To get started, Progent followed industry best practices for anti-virus/malware incident response by halting the spread and clearing infected systems. Progent then began restoring Microsoft Active Directory, the foundation of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange email will not operate without Windows AD, and the customer's MRP software relied on Microsoft SQL Server, which in turn needs Active Directory for access to the data.

Within two days, Progent was able to recover Active Directory services to their pre-intrusion state. Progent then completed reinstallations and storage recovery of key servers. All Microsoft Exchange Server links and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to find intact OST data files (Outlook Email Offline Data Files) on staff workstations and laptops to recover email information. A recent off-line backup of the client's financials/ERP software made it possible to bring these required programs back online. Although a lot of work still had to be done to recover fully from the Ryuk event, critical services were restored rapidly:


"For the most part, the manufacturing operation did not miss a beat and we delivered all customer deliverables."

Over the next month critical milestones in the recovery project were completed through close collaboration between Progent consultants and the customer:

  • In-house web sites were brought back up with no loss of data.
  • The MailStore Exchange Server with over four million historical emails was brought on-line and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were fully operational.
  • A new Palo Alto 850 firewall was brought online.
  • 90% of the desktop computers were back into operation.

"A huge amount of what was accomplished those first few days is nearly entirely a fog for me, but I will not soon forget the urgency each of your team put in to give us our business back. I have been working together with Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered as promised. This event was a testament to your capabilities."

Conclusion
A probable company-ending disaster was avoided through the efforts of results-oriented professionals, a wide range of IT skills, and close collaboration. Post-incident forensics showed that the crypto-ransomware attack detailed here would have been identified and blocked by modern cyber security solutions and recognized best practices: user and IT administrator education, properly executed security procedures for data protection, and keeping systems up to date with security patches. The fact remains, however, that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware attack, feel confident that Progent's team of experts has a proven track record in ransomware virus blocking, removal, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for making it so I could get rested after we made it past the initial push. Everyone made an impressive effort, and if any of your team is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Addison a range of online monitoring and security assessment services to help you minimize the threat from crypto-ransomware. These services include next-generation AI technology to uncover new strains of ransomware that can evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's next generation behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which routinely escape legacy signature-matching AV tools. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform to address the complete threat progression including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer economical multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP delivers firewall protection, penetration alarms, device management, and web filtering through leading-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP deployment that meets your company's specific requirements and that allows you to achieve and demonstrate compliance with government and industry information protection standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate attention. Progent can also help you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup software providers to produce ProSight Data Protection Services, a selection of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and track your backup processes and enable non-disruptive backup and rapid restoration of vital files/folders, apps, images, plus VMs. ProSight DPS helps your business avoid data loss resulting from hardware failures, natural disasters, fire, malware such as ransomware, user error, malicious employees, or application bugs. Managed services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security vendors to provide centralized management and world-class security for all your email traffic. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter acts as a first line of defense and keeps most unwanted email from making it to your network firewall. This reduces your exposure to external threats and saves system bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper level of analysis for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map out, monitor, optimize and troubleshoot their networking appliances such as routers and switches, firewalls, and load balancers plus servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept updated, copies and manages the configuration information of almost all devices on your network, tracks performance, and sends alerts when problems are detected. By automating complex management processes, WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, finding devices that need important updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by tracking the health of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT management personnel and your Progent engineering consultant so that any looming issues can be addressed before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault-tolerant data center on a high-performance virtual host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved easily to an alternate hosting solution without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect data about your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can save up to half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that utilizes next generation behavior-based analysis technology to defend endpoints as well as physical and virtual servers against new malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-matching AV products. Progent ASM services protect local and cloud-based resources and offer a single platform to manage the complete malware attack progression including filtering, infiltration detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows VSS and real-time network-wide immunization against new attacks. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Desk: Help Desk Managed Services
    Progent's Help Desk managed services permit your information technology team to offload Help Desk services to Progent or split responsibilities for Service Desk support transparently between your internal network support team and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless extension of your internal network support resources. End user interaction with the Service Desk, delivery of support, escalation, trouble ticket generation and tracking, efficiency measurement, and maintenance of the service database are cohesive regardless of whether issues are resolved by your core network support resources, by Progent's team, or by a combination. Find out more about Progent's outsourced/shared Call Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer businesses of any size a versatile and cost-effective solution for evaluating, testing, scheduling, applying, and documenting updates to your dynamic information network. Besides optimizing the security and reliability of your computer environment, Progent's software/firmware update management services free up time for your in-house IT staff to focus on more strategic projects and activities that derive the highest business value from your information network. Find out more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication (2FA). Duo supports single-tap identity confirmation on iOS, Google Android, and other out-of-band devices. With 2FA, whenever you log into a protected online account and provide your password, you are asked to verify your identity on a device that only you possess and that is reached over a separate network channel. A broad range of out-of-band devices can be used for this second means of identity validation, including an iPhone, an Android phone or smartwatch, a hardware token, or a landline phone. You can register multiple verification devices. To find out more about ProSight Duo identity validation services, go to Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing suite of real-time and in-depth management reporting tools designed to integrate with the top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-up or machines with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.

For Addison 24-Hour Crypto-Ransomware Recovery Consultants, call Progent at 800-462-8800 or go to Contact Progent.