Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware  Remediation ProfessionalsRansomware has become a too-frequent cyberplague that poses an existential threat for businesses vulnerable to an assault. Different versions of ransomware like the CryptoLocker, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been running rampant for many years and still cause destruction. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, plus daily unnamed newcomers, not only encrypt online data files but also infiltrate all available system backup. Files synchronized to off-site disaster recovery sites can also be corrupted. In a poorly architected data protection solution, this can render automated recovery useless and effectively sets the network back to zero.

Retrieving services and information following a crypto-ransomware attack becomes a sprint against the clock as the targeted organization fights to stop the spread and cleanup the crypto-ransomware and to restore enterprise-critical activity. Because ransomware requires time to spread, assaults are usually launched during weekends and nights, when attacks may take longer to discover. This compounds the difficulty of quickly marshalling and coordinating a qualified response team.

Progent provides a variety of support services for securing enterprises from crypto-ransomware events. Among these are team member education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security appliances with machine learning technology from SentinelOne to discover and suppress day-zero cyber threats intelligently. Progent also can provide the services of experienced ransomware recovery engineers with the track record and perseverance to re-deploy a compromised system as rapidly as possible.

Progent's Ransomware Restoration Help
Following a ransomware attack, paying the ransom in cryptocurrency does not provide any assurance that distant criminals will respond with the needed codes to decrypt any of your files. Kaspersky estimated that 17% of crypto-ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the average crypto-ransomware demands, which ZDNET averages to be in the range of $13,000. The other path is to piece back together the mission-critical parts of your Information Technology environment. Absent the availability of essential information backups, this requires a broad complement of skills, professional project management, and the willingness to work continuously until the task is finished.

For two decades, Progent has provided professional IT services for companies in Akron and throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have been awarded advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity experts have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in financial systems and ERP application software. This breadth of expertise provides Progent the skills to efficiently ascertain necessary systems and re-organize the remaining parts of your computer network system following a ransomware penetration and configure them into a functioning system.

Progent's security group has state-of-the-art project management tools to coordinate the complex recovery process. Progent appreciates the urgency of working swiftly and together with a customer's management and Information Technology resources to prioritize tasks and to put essential services back online as soon as possible.

Case Study: A Successful Ransomware Attack Restoration
A customer hired Progent after their network system was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state hackers, possibly using algorithms leaked from the U.S. National Security Agency. Ryuk goes after specific businesses with limited tolerance for disruption and is one of the most lucrative incarnations of ransomware malware. Well Known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with about 500 staff members. The Ryuk event had shut down all essential operations and manufacturing processes. Most of the client's backups had been directly accessible at the time of the intrusion and were destroyed. The client considered paying the ransom demand (in excess of $200K) and hoping for good luck, but in the end reached out to Progent.


"I cannot speak enough about the expertise Progent gave us during the most fearful time of (our) businesses survival. We most likely would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent experts gave us. That you could get our e-mail and essential applications back online faster than 1 week was beyond my wildest dreams. Each expert I interacted with or e-mailed at Progent was laser focused on getting our company operational and was working breakneck pace to bail us out."

Progent worked hand in hand the customer to quickly get our arms around and prioritize the mission critical systems that had to be addressed to make it possible to restart departmental functions:

  • Microsoft Active Directory
  • Exchange Server
  • Financials/MRP
To get going, Progent followed ransomware event mitigation industry best practices by halting lateral movement and cleaning up infected systems. Progent then initiated the task of rebuilding Microsoft Active Directory, the heart of enterprise networks built upon Microsoft technology. Microsoft Exchange messaging will not operate without Active Directory, and the businesses' financials and MRP software leveraged SQL Server, which requires Active Directory services for access to the database.

Within 2 days, Progent was able to restore Active Directory services to its pre-penetration state. Progent then accomplished rebuilding and hard drive recovery of critical servers. All Microsoft Exchange Server schema and attributes were intact, which accelerated the restore of Exchange. Progent was also able to assemble local OST data files (Outlook Offline Data Files) on user PCs in order to recover mail data. A not too old off-line backup of the businesses accounting/MRP software made it possible to recover these required programs back online for users. Although a lot of work still had to be done to recover fully from the Ryuk event, critical services were recovered quickly:


"For the most part, the production line operation ran fairly normal throughout and we produced all customer shipments."

During the following couple of weeks critical milestones in the recovery process were completed in close cooperation between Progent engineers and the client:

  • Self-hosted web applications were restored without losing any information.
  • The MailStore Server exceeding 4 million archived emails was brought online and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory Control functions were fully operational.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Nearly all of the desktop computers were back into operation.

"So much of what occurred that first week is nearly entirely a blur for me, but I will not soon forget the dedication all of you put in to help get our company back. I've utilized Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This time was a stunning achievement."

Conclusion
A probable enterprise-killing disaster was averted by top-tier experts, a broad spectrum of knowledge, and tight collaboration. Although in hindsight the ransomware penetration detailed here should have been shut down with current security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team training, and appropriate incident response procedures for information protection and proper patching controls, the reality is that government-sponsored cybercriminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware attack, feel confident that Progent's roster of experts has proven experience in ransomware virus defense, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), I'm grateful for making it so I could get rested after we made it through the first week. All of you did an fabulous effort, and if anyone that helped is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Akron a variety of online monitoring and security assessment services to assist you to minimize your vulnerability to ransomware. These services utilize next-generation AI capability to detect zero-day variants of ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior-based machine learning technology to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily evade legacy signature-matching AV products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a unified platform to address the complete threat progression including protection, identification, mitigation, cleanup, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth protection for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides two-way firewall protection, penetration alarms, device control, and web filtering via leading-edge tools incorporated within one agent managed from a single console. Progent's data protection and virtualization consultants can assist you to plan and implement a ProSight ESP deployment that meets your company's specific requirements and that helps you demonstrate compliance with legal and industry information security regulations. Progent will assist you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent attention. Progent can also assist your company to install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with leading backup technology providers to produce ProSight Data Protection Services, a family of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup processes and allow non-disruptive backup and fast restoration of critical files/folders, applications, images, and VMs. ProSight DPS helps your business protect against data loss resulting from hardware breakdown, natural disasters, fire, malware like ransomware, human mistakes, ill-intentioned employees, or application bugs. Managed services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top data security companies to provide centralized management and comprehensive protection for all your email traffic. The hybrid structure of Email Guard combines a Cloud Protection Layer with a local security gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter serves as a first line of defense and keeps the vast majority of threats from making it to your security perimeter. This decreases your exposure to external attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a further layer of inspection for inbound email. For outbound email, the local gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also assist Exchange Server to track and protect internal email that stays within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map out, track, optimize and troubleshoot their networking appliances like routers, firewalls, and load balancers as well as servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept updated, copies and manages the configuration of almost all devices on your network, monitors performance, and generates notices when problems are discovered. By automating time-consuming management activities, WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, locating devices that need important software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network running efficiently by tracking the health of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT personnel and your assigned Progent engineering consultant so all looming issues can be resolved before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the environment is virtualized, it can be ported immediately to a different hosting environment without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard data related to your network infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates ,domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate up to 50% of time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your network infrastructure like recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior-based analysis tools to guard endpoints and servers and VMs against modern malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus products. Progent ASM services safeguard on-premises and cloud resources and offers a single platform to address the entire malware attack lifecycle including filtering, infiltration detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Center: Help Desk Managed Services
    Progent's Call Desk managed services allow your information technology group to outsource Support Desk services to Progent or divide activity for Help Desk services transparently between your in-house support team and Progent's nationwide pool of IT service technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a seamless supplement to your core network support group. User access to the Service Desk, delivery of support services, escalation, trouble ticket creation and updates, performance metrics, and management of the support database are consistent regardless of whether incidents are resolved by your internal network support group, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/shared Help Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer organizations of all sizes a versatile and affordable alternative for evaluating, testing, scheduling, applying, and documenting updates to your ever-evolving IT network. In addition to optimizing the protection and reliability of your computer network, Progent's patch management services free up time for your in-house IT staff to focus on more strategic initiatives and tasks that derive the highest business value from your network. Read more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication service plans incorporate Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication. Duo supports single-tap identity confirmation on Apple iOS, Android, and other personal devices. Using Duo 2FA, whenever you sign into a protected online account and give your password you are asked to verify who you are on a device that only you have and that uses a different ("out-of-band") network channel. A wide range of devices can be used as this second form of ID validation including an iPhone or Android or watch, a hardware token, a landline telephone, etc. You can designate multiple verification devices. For details about ProSight Duo identity validation services, refer to Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of in-depth management reporting tools created to work with the industry's leading ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues such as spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For 24-7 Akron Crypto Recovery Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.