Crypto-Ransomware : Your Worst IT Nightmare
Crypto-Ransomware  Recovery ExpertsRansomware has become a too-frequent cyber pandemic that presents an existential threat for businesses of all sizes vulnerable to an attack. Multiple generations of crypto-ransomware like the Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for a long time and continue to inflict destruction. Newer variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, along with additional unnamed viruses, not only encrypt on-line data but also infiltrate many available system restores and backups. Information synchronized to the cloud can also be rendered useless. In a poorly architected data protection solution, it can make automated restoration impossible and basically sets the datacenter back to square one.

Retrieving services and information after a ransomware intrusion becomes a sprint against the clock as the victim struggles to contain and cleanup the crypto-ransomware and to restore enterprise-critical activity. Due to the fact that ransomware requires time to replicate, attacks are usually launched on weekends, when successful penetrations tend to take more time to uncover. This compounds the difficulty of rapidly marshalling and coordinating a capable mitigation team.

Progent has a range of solutions for protecting businesses from crypto-ransomware penetrations. Among these are team member training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security appliances with machine learning capabilities from SentinelOne to detect and suppress zero-day cyber attacks intelligently. Progent in addition can provide the assistance of expert ransomware recovery professionals with the talent and commitment to reconstruct a breached system as rapidly as possible.

Progent's Ransomware Recovery Services
Soon after a crypto-ransomware attack, even paying the ransom demands in cryptocurrency does not guarantee that merciless criminals will return the codes to decrypt any or all of your files. Kaspersky estimated that 17% of ransomware victims never recovered their information even after having sent off the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the average ransomware demands, which ZDNET estimates to be approximately $13,000. The fallback is to setup from scratch the vital components of your Information Technology environment. Without the availability of complete data backups, this calls for a wide range of skill sets, top notch project management, and the capability to work 24x7 until the job is over.

For decades, Progent has offered expert IT services for companies in Albany and throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity consultants have garnered internationally-recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience in accounting and ERP applications. This breadth of expertise affords Progent the capability to knowledgably ascertain critical systems and organize the surviving components of your Information Technology environment after a crypto-ransomware penetration and configure them into an operational system.

Progent's ransomware team deploys powerful project management applications to coordinate the complicated recovery process. Progent knows the urgency of acting quickly and in unison with a customerÔŅĹs management and IT staff to prioritize tasks and to put essential services back online as fast as possible.

Customer Story: A Successful Ransomware Incident Response
A client engaged Progent after their network was attacked by the Ryuk ransomware. Ryuk is thought to have been launched by Northern Korean government sponsored cybercriminals, suspected of using techniques exposed from the United States NSA organization. Ryuk seeks specific companies with limited room for operational disruption and is one of the most profitable instances of ransomware. Headline victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company located in the Chicago metro area with about 500 employees. The Ryuk intrusion had frozen all essential operations and manufacturing processes. The majority of the client's system backups had been directly accessible at the time of the attack and were destroyed. The client was pursuing financing for paying the ransom (more than two hundred thousand dollars) and wishfully thinking for good luck, but in the end utilized Progent.


"I cannot thank you enough in regards to the support Progent gave us throughout the most stressful period of (our) businesses existence. We most likely would have paid the cybercriminals if not for the confidence the Progent group afforded us. The fact that you could get our messaging and critical servers back into operation sooner than a week was amazing. Each person I interacted with or e-mailed at Progent was amazingly focused on getting us working again and was working at all hours on our behalf."

Progent worked with the client to quickly understand and prioritize the essential elements that needed to be restored in order to restart departmental operations:

  • Windows Active Directory
  • E-Mail
  • Accounting/MRP
To get going, Progent followed Anti-virus incident response industry best practices by stopping lateral movement and performing virus removal steps. Progent then began the process of rebuilding Windows Active Directory, the key technology of enterprise networks built on Microsoft Windows technology. Exchange email will not function without Active Directory, and the client's MRP software used Microsoft SQL Server, which depends on Active Directory services for access to the database.

In less than 48 hours, Progent was able to restore Active Directory services to its pre-intrusion state. Progent then assisted with setup and hard drive recovery of essential applications. All Exchange ties and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to collect intact OST data files (Outlook Email Offline Folder Files) on team PCs in order to recover email data. A recent off-line backup of the client's manufacturing software made it possible to recover these required services back online for users. Although major work needed to be completed to recover fully from the Ryuk attack, core systems were restored quickly:


"For the most part, the assembly line operation was never shut down and we delivered all customer deliverables."

During the following few weeks important milestones in the recovery project were made in close cooperation between Progent engineers and the customer:

  • Internal web sites were brought back up without losing any data.
  • The MailStore Exchange Server exceeding four million historical emails was brought online and available for users.
  • CRM/Orders/Invoicing/Accounts Payable/AR/Inventory Control functions were 100 percent restored.
  • A new Palo Alto Networks 850 firewall was installed.
  • Most of the user PCs were fully operational.

"So much of what happened that first week is mostly a fog for me, but my team will not forget the care each and every one of your team accomplished to help get our business back. I have been working with Progent for at least 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This time was a life saver."

Conclusion
A possible business-killing catastrophe was evaded through the efforts of top-tier professionals, a broad array of knowledge, and tight teamwork. Although upon completion of forensics the ransomware virus penetration described here would have been identified and prevented with up-to-date security technology and NIST Cybersecurity Framework best practices, user training, and properly executed incident response procedures for data protection and proper patching controls, the reality is that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of experts has extensive experience in ransomware virus defense, cleanup, and file restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for letting me get rested after we got over the initial fire. Everyone did an impressive effort, and if any of your guys is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Albany a variety of remote monitoring and security evaluation services to help you to reduce the threat from crypto-ransomware. These services include modern artificial intelligence capability to uncover zero-day strains of crypto-ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting edge behavior analysis tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely get by traditional signature-based AV products. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform to manage the complete malware attack progression including blocking, identification, mitigation, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Progent is a certified SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer ultra-affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP provides firewall protection, penetration alerts, endpoint management, and web filtering via leading-edge technologies packaged within one agent managed from a single console. Progent's security and virtualization experts can help you to design and implement a ProSight ESP deployment that addresses your company's specific requirements and that helps you prove compliance with legal and industry information security regulations. Progent will assist you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent attention. Progent can also assist you to install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore software companies to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services automate and monitor your backup operations and enable non-disruptive backup and rapid restoration of important files, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned employees, or application bugs. Managed services in the ProSight Data Protection Services product family include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security vendors to deliver web-based control and comprehensive security for your email traffic. The hybrid structure of Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter serves as a preliminary barricade and keeps most threats from making it to your security perimeter. This decreases your vulnerability to external threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device provides a further level of analysis for inbound email. For outbound email, the on-premises gateway provides AV and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to track and safeguard internal email that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progentís ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, monitor, reconfigure and troubleshoot their networking hardware such as routers and switches, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always current, copies and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when issues are discovered. By automating time-consuming network management processes, WAN Watch can cut hours off common tasks such as making network diagrams, expanding your network, locating appliances that need critical software patches, or resolving performance issues. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your network running at peak levels by tracking the state of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT personnel and your Progent consultant so that any looming problems can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hardware solution without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard data about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or domains. By updating and managing your network documentation, you can eliminate up to half of time thrown away looking for vital information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether youíre planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require when you need it. Learn more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates cutting edge behavior-based analysis tools to defend endpoints and physical and virtual servers against new malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus products. Progent Active Security Monitoring services safeguard local and cloud resources and offers a unified platform to manage the complete threat lifecycle including blocking, identification, containment, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Call Center: Help Desk Managed Services
    Progent's Support Desk managed services permit your IT staff to outsource Help Desk services to Progent or split responsibilities for Service Desk support seamlessly between your internal support group and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a smooth supplement to your core support organization. End user access to the Service Desk, delivery of technical assistance, escalation, ticket generation and updates, efficiency metrics, and maintenance of the support database are cohesive whether issues are resolved by your in-house network support resources, by Progent, or both. Find out more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer organizations of all sizes a versatile and affordable solution for evaluating, testing, scheduling, applying, and documenting updates to your ever-evolving information system. In addition to optimizing the protection and reliability of your IT network, Progent's patch management services free up time for your in-house IT staff to focus on line-of-business projects and activities that derive maximum business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication. Duo supports one-tap identity confirmation on Apple iOS, Google Android, and other personal devices. With 2FA, when you log into a protected online account and enter your password you are asked to verify your identity via a device that only you have and that uses a separate network channel. A wide selection of out-of-band devices can be used for this second form of authentication including an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You can register several validation devices. For details about ProSight Duo identity validation services, refer to Cisco Duo MFA two-factor authentication (2FA) services for access security.
For 24x7 Albany Crypto-Ransomware Cleanup Experts, call Progent at 800-462-8800 or go to Contact Progent.