Crypto-Ransomware : Your Worst IT Nightmare
Crypto-Ransomware has become an all-too-frequent cyber pandemic that poses an enterprise-level threat to organizations poorly prepared for an assault. Versions of ransomware like the Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been replicating for a long time and still inflict destruction. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nephilim, plus frequent as-yet-unnamed newcomers, not only encrypt online critical data but also corrupt most reachable system restore points and backups. Files synched to cloud environments can also be corrupted. With a vulnerable data protection solution, this can render automated restoration useless and effectively knock the datacenter back to square one.

Restoring services and data following a ransomware intrusion becomes a sprint against the clock as the targeted business tries its best to stop lateral movement, clean up the crypto-ransomware, and restore mission-critical operations. Since crypto-ransomware requires time to replicate, assaults are frequently sprung at night, when penetrations typically take longer to discover. This compounds the difficulty of quickly assembling and coordinating a knowledgeable mitigation team.

Progent makes available a variety of solutions for protecting businesses from ransomware attacks. These include staff training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of the latest generation security solutions with AI capabilities from SentinelOne to discover and extinguish new cyber threats quickly. Progent also provides the assistance of veteran ransomware recovery consultants with the talent and perseverance to reconstruct a compromised system as quickly as possible.

Progent's Ransomware Recovery Help
After a crypto-ransomware penetration, paying the ransom demand in cryptocurrency provides no assurance that the criminal gang will respond with the keys to decrypt any of your data. Kaspersky Labs determined that 17% of ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the usual crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to re-install the mission-critical parts of your Information Technology environment. Absent complete data backups, this requires a broad complement of skill sets, well-coordinated team management, and the ability to work continuously until the job is done.

For decades, Progent has made available certified expert IT services for companies in Adelaide and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have been awarded top industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity consultants have earned internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience gives Progent the skills to knowledgably identify necessary systems and consolidate the surviving parts of your IT environment following a ransomware event and assemble them into a functioning system.

Progent's ransomware team of experts deploys top-notch project management applications to coordinate the sophisticated recovery process. Progent appreciates the urgency of acting swiftly and together with a client's management and IT resources to prioritize tasks and to put the most important services back online as soon as humanly possible.

Business Case Study: A Successful Ransomware Penetration Restoration
A client escalated to Progent after their company was crashed by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean government-sponsored criminal gangs, possibly using approaches leaked from America's National Security Agency. Ryuk attacks specific companies with limited tolerance for disruption and is one of the most profitable instances of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer located in Chicago with around 500 workers. The Ryuk intrusion had frozen all company operations and manufacturing processes. The majority of the client's backups had been online at the start of the intrusion and were damaged. The client was taking steps to pay the ransom (in excess of $200,000) and hoping for the best, but ultimately engaged Progent.


"I cannot thank you enough in regards to the expertise Progent provided us throughout the most fearful time of (our) business's existence. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent team afforded us. That you could get our e-mail system and critical applications back into operation in less than one week was amazing. Every single consultant I worked with or messaged at Progent was hell-bent on getting our system up and was working all day and night on our behalf."

Progent worked together with the customer to quickly determine and assign priority to the critical areas that had to be restored in order to continue business operations:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software

To get going, Progent followed industry best practices for malware incident mitigation by halting lateral movement and cleaning infected systems. Progent then started the process of bringing Windows Active Directory back online, the core of enterprise systems built upon Microsoft Windows Server technology. Exchange email will not operate without Active Directory, and the customer's financials and MRP software utilized Microsoft SQL Server, which relies on Active Directory to authorize access to the data.

In less than two days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then completed setup and hard drive recovery of essential servers. All Microsoft Exchange Server data and attributes were usable, which greatly helped the restore of Exchange. Progent was also able to locate unencrypted OST files (Outlook Offline Data Files) on team PCs and laptops in order to recover mail data. A recent offline backup of the business's accounting software made it possible to bring these essential programs back online. Although significant work remained to recover fully from the Ryuk damage, critical systems were restored quickly:


"For the most part, the manufacturing operation showed little impact and we made all customer shipments."

During the following few weeks important milestones in the recovery project were accomplished through tight cooperation between Progent consultants and the client:

  • In-house web sites were returned to operation with no loss of information.
  • The MailStore Server archive of more than 4 million historical emails was brought online and made available to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory functions were fully restored.
  • A new Palo Alto 850 firewall was set up.
  • Most of the user workstations were back into operation.

"So much of what occurred those first few days is nearly entirely a haze for me, but my team will not soon forget the care each of your team accomplished to give us our business back. I've been working with Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This time was the most impressive ever."

Conclusion
A potential business-ending catastrophe was dodged thanks to dedicated experts, a broad array of subject matter expertise, and close collaboration. In hindsight, the crypto-ransomware attack described here would have been identified and blocked by modern security solutions and security best practices: staff training, well-thought-out incident response procedures, offline backups, and keeping systems up to date with security patches. The fact remains, however, that state-sponsored hackers from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware attack, remember that Progent's roster of experts has substantial experience in ransomware blocking, remediation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for allowing me to get some sleep after we got through the initial push. Everyone did an incredible effort, and if any of your team is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer case study, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Adelaide a portfolio of remote monitoring and security evaluation services to help you reduce your vulnerability to ransomware. These services utilize next-generation machine learning capability to detect new strains of crypto-ransomware that can escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting edge behavior-based analysis tools to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely evade legacy signature-based AV tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to manage the complete malware attack lifecycle including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and response to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device management, and web filtering via leading-edge tools packaged within one agent managed from a unified console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP environment that addresses your organization's unique needs and that allows you to prove compliance with government and industry data security regulations. Progent will assist you in defining and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent action. Progent's consultants can also assist your company in setting up and verifying a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup technology companies to produce ProSight Data Protection Services (DPS), a portfolio of managed offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup processes and enable transparent backup and rapid restoration of important files/folders, applications, system images, and virtual machines. ProSight DPS helps your business avoid data loss resulting from equipment failures, natural calamities, fire, cyber attacks like ransomware, user mistakes, malicious employees, or software glitches. Managed backup services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security vendors to provide centralized management and comprehensive security for all your inbound and outbound email. The hybrid structure of the Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email before it reaches your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway device provides a deeper level of analysis for inbound email. For outbound email, the local gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also help Exchange Server track and safeguard internal email that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to map, track, enhance and troubleshoot their connectivity hardware like routers, switches, firewalls, and access points, plus servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are always up to date, backs up and manages the configuration of virtually all devices on your network, tracks performance, and generates alerts when issues are detected. By automating tedious management and troubleshooting processes, ProSight WAN Watch can cut hours off common chores like making network diagrams, expanding your network, locating devices that require important updates, or resolving performance issues. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by checking the health of the critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT management staff and your assigned Progent engineering consultant so potential problems can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be ported easily to an alternate hosting environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect data about your network infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to half of the time spent trying to find critical information about your IT network. ProSight IT Asset Management features a common repository for holding and sharing all documents required for managing your network infrastructure, like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting-edge behavior analysis tools to defend endpoints as well as servers and VMs against new malware assaults like ransomware and file-less exploits, which easily evade traditional signature-matching AV products. Progent's Active Security Monitoring services safeguard local and cloud resources and provide a unified platform to address the entire threat progression, including protection, detection, containment, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Service Desk: Help Desk Managed Services
    Progent's Support Desk managed services allow your IT staff to outsource Support Desk services to Progent or divide activity for support services transparently between your in-house network support group and Progent's extensive pool of IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a seamless supplement to your core IT support team. End user access to the Help Desk, delivery of technical assistance, problem escalation, ticket generation and tracking, efficiency metrics, and management of the service database are consistent regardless of whether issues are taken care of by your core IT support staff, by Progent's team, or both. Read more about Progent's outsourced/co-managed Help Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide organizations of any size a versatile and cost-effective alternative for assessing, validating, scheduling, applying, and tracking software and firmware updates to your dynamic IT network. In addition to maximizing the protection and reliability of your IT environment, Progent's patch management services permit your IT team to concentrate on line-of-business initiatives and activities that derive maximum business value from your information network. Read more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication (2FA). Duo enables one-tap identity confirmation with iOS, Android, and other personal devices. With Duo 2FA, when you log into a protected application and enter your password, you are asked to verify who you are via a device that only you possess and that uses a different network channel. A broad range of out-of-band devices can be utilized as this added form of identity validation, including a smartphone or wearable, a hardware token, or a landline telephone. You can designate multiple validation devices. For more information about ProSight Duo two-factor identity authentication services, visit Duo MFA two-factor authentication services for access security.

For 24-Hour Adelaide Crypto Cleanup Help, reach out to Progent at 800-462-8800 or go to Contact Progent.