Crypto-Ransomware : Your Crippling IT Nightmare
Crypto-Ransomware Recovery Professionals
Ransomware has become an all-too-frequent cyber plague that presents an enterprise-level threat to businesses of all sizes that are poorly prepared for an assault. Different iterations of ransomware like the CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for many years and still inflict havoc. Newer variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with daily unnamed viruses, not only encrypt on-line data files but also infiltrate most configured system backups. Data synchronized to cloud environments can also be ransomed. In a poorly architected data protection solution, this can make automated restoration impossible and effectively knocks the datacenter back to square one.

Getting applications and information back on-line following a ransomware intrusion becomes a race against the clock as the targeted business fights to contain the damage, remove the crypto-ransomware, and resume business-critical operations. Since ransomware requires time to replicate, attacks are frequently sprung on weekends and at night, when they are likely to take longer to recognize. This compounds the difficulty of rapidly marshalling and orchestrating an experienced mitigation team.

Progent offers a range of help services for protecting organizations from ransomware attacks. These include team member training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of modern security solutions with AI capabilities from SentinelOne to detect and disable zero-day cyber attacks rapidly. Progent also offers the services of experienced ransomware recovery consultants with the track record and perseverance to restore a breached system as rapidly as possible.

Progent's Ransomware Restoration Support Services
Following a ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the cyber criminals will respond with the keys to decipher any or all of your data. Kaspersky found that 17% of crypto-ransomware victims never recovered their data even after having sent off the ransom, resulting in increased losses. The ransom itself is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual crypto-ransomware demand, which ZDNET determined to be around $13,000. The alternative is to piece back together the mission-critical parts of your Information Technology environment. Without access to essential data backups, this calls for a broad complement of IT skills, well-coordinated team management, and the capability to work 24x7 until the job is finished.

For decades, Progent has offered certified expert Information Technology services for businesses in Albany and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned top certifications in key technologies including Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity specialists have garnered internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC (visit Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of experience allows Progent to quickly understand critical systems, organize the surviving components of your Information Technology system after a ransomware event, and assemble them into a functioning network.

Progent's ransomware team uses powerful project management applications to coordinate the complex restoration process. Progent appreciates the importance of working quickly and in concert with a client's management and IT staff to prioritize tasks and to get critical services back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Virus Recovery
A client sought out Progent after their network was attacked by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored cybercriminals, suspected of adopting techniques leaked from the United States NSA. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most lucrative examples of ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago with around 500 workers. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's backups had been directly accessible on-line at the start of the intrusion and were damaged. The client was evaluating paying the ransom (in excess of $200,000) and praying for good luck, but in the end called Progent.


"I can't speak enough in regards to the expertise Progent gave us throughout the most stressful time of (our) company's survival. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent team afforded us. The fact that you could get our e-mail and essential servers back online sooner than seven days was amazing. Every single person I talked with or communicated with at Progent was urgently focused on getting our system up and was working non-stop to bail us out."

Progent worked with the client to rapidly assess and prioritize the essential areas that needed to be addressed to make it possible to continue company functions:

  • Windows Active Directory
  • Email
  • Financials/MRP
To start, Progent followed industry best practices for ransomware incident response by stopping the spread and cleaning up compromised systems. Progent then began recovering Microsoft Active Directory (AD), the foundation of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange messaging will not work without AD, and the customer's accounting and MRP software used Microsoft SQL Server, which relies on Active Directory to authenticate and authorize access to the data.

Within 2 days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then began rebuilding and recovering storage on essential servers. All Exchange data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to locate local OST files (Outlook Off-Line Data Files) on various desktop computers in order to recover mail messages. A recent off-line backup of the business's accounting/ERP software made it possible to bring these vital applications back to users. Although a lot of work remained to recover fully from the Ryuk event, critical services were restored quickly:


"For the most part, the production operation did not miss a beat and we produced all customer shipments."

Over the following month critical milestones in the restoration process were accomplished through close collaboration between Progent team members and the client:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Server with over 4 million historical emails was brought online and available for users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control functions were 100 percent operational.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • 90% of the desktop computers were back into operation.

"A lot of what was accomplished in the early hours is nearly entirely a fog for me, but we will not forget the care each of the team put in to help get our business back. I have entrusted Progent for at least 10 years, possibly more, and every time Progent has shined and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A potential business-extinction catastrophe was averted thanks to hard-working professionals, a broad array of knowledge, and close teamwork. Although in post mortem the ransomware incident detailed here would have been stopped by advanced cyber security systems and ISO/IEC 27001 best practices, team education, and well-thought-out security procedures for information backup and proper patching controls, the reality is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware virus, be confident that Progent's roster of professionals has a proven track record in crypto-ransomware blocking, remediation, and file restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for allowing me to get some sleep after we made it through the first week. Everyone did a fabulous effort, and if any of your guys is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer case study, please click: Progent's Ryuk Incident Recovery Case Study Datasheet (PDF - 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Albany a portfolio of online monitoring and security assessment services to help you to minimize the threat from crypto-ransomware. These services incorporate modern AI technology to uncover zero-day variants of ransomware that can get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based machine learning tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily evade traditional signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to address the entire threat lifecycle including blocking, detection, containment, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable multi-layer protection for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering via leading-edge technologies packaged within one agent accessible from a single control. Progent's security and virtualization experts can help you to plan and configure a ProSight ESP environment that addresses your organization's unique needs and that helps you prove compliance with legal and industry data protection standards. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for immediate attention. Progent's consultants can also assist your company to install and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with leading backup/restore software providers to produce ProSight Data Protection Services, a portfolio of offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your backup operations and enable transparent backup and fast recovery of vital files, applications, system images, and VMs. ProSight DPS helps you recover from data loss resulting from equipment breakdown, natural disasters, fire, malware like ransomware, user mistakes, malicious employees, or software glitches. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security vendors to deliver web-based management and comprehensive security for all your email traffic. The hybrid architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and keeps most threats from making it to your network firewall. This decreases your vulnerability to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway device provides a further layer of analysis for incoming email. For outgoing email, the onsite gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, monitor, optimize and troubleshoot their connectivity hardware like routers and switches, firewalls, and access points plus servers, printers, client computers and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that network maps are kept current, captures and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when potential issues are detected. By automating complex management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary chores like making network diagrams, expanding your network, finding appliances that need critical software patches, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system operating at peak levels by tracking the state of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT management staff and your Progent engineering consultant so that any potential issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting solution without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and safeguard information related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSLs or warranties. By cleaning up and organizing your network documentation, you can eliminate up to half of time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection service that utilizes cutting-edge behavior-based machine learning tools to guard endpoints as well as physical and virtual servers against modern malware attacks like ransomware and email phishing, which easily evade traditional signature-based anti-virus tools. Progent ASM services protect local and cloud resources and offer a unified platform to automate the complete malware attack lifecycle including protection, detection, mitigation, cleanup, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Help Center: Support Desk Managed Services
    Progent's Support Center services permit your IT group to outsource Help Desk services to Progent or split responsibilities for Service Desk support transparently between your internal support resources and Progent's nationwide roster of IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a seamless supplement to your internal IT support group. Client access to the Service Desk, delivery of support, problem escalation, ticket creation and updates, efficiency metrics, and management of the support database are cohesive regardless of whether incidents are taken care of by your in-house support resources, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Help Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer organizations of any size a versatile and cost-effective solution for evaluating, testing, scheduling, applying, and tracking updates to your dynamic IT network. In addition to optimizing the protection and functionality of your computer environment, Progent's software/firmware update management services permit your in-house IT team to focus on line-of-business projects and activities that derive the highest business value from your information network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to protect against stolen passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a protected online account and give your password you are asked to confirm your identity on a device that only you possess and that is accessed using a separate network channel. A broad range of devices can be used for this added form of ID validation including a smartphone or watch, a hardware/software token, a landline telephone, etc. You can register several validation devices. To learn more about Duo two-factor identity authentication services, go to Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing suite of real-time reporting tools created to integrate with the industry's top ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For Albany 24x7x365 Crypto Remediation Support Services, call Progent at 800-462-8800 or go to Contact Progent.