Crypto-Ransomware : Your Feared Information Technology Disaster
Crypto-Ransomware Remediation Professionals

Ransomware has become an escalating cyber pandemic that poses an existential threat to organizations unprepared for an assault. Versions of ransomware such as the CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and still cause damage. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus more as yet unnamed variants, not only encrypt online data files but also infect any system backups they can reach. Files replicated to off-site disaster recovery sites can also be ransomed. In a poorly architected environment, this can render automated recovery hopeless and essentially sets the datacenter back to zero.

Getting applications and information back online following a crypto-ransomware event becomes a sprint against the clock as the targeted business fights to contain and clean up the ransomware and to restore enterprise-critical activity. Because ransomware needs time to move laterally, assaults are frequently sprung during nights and weekends, when attacks typically take longer to discover. This compounds the difficulty of rapidly mobilizing and coordinating a capable response team.

Progent offers a range of services for protecting businesses from ransomware attacks. Among these are user education to recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation of security tools with artificial intelligence capabilities from SentinelOne to detect and extinguish new cyber attacks intelligently. Progent also offers the services of expert crypto-ransomware recovery engineers with the talent and perseverance to reconstruct a breached network as soon as possible.

Progent's Ransomware Recovery Support Services
Following a crypto-ransomware event, sending the ransom demanded in Bitcoin cryptocurrency does not ensure that distant criminals will provide the keys to decrypt any of your data. Kaspersky determined that 17% of crypto-ransomware victims never restored their data after having paid the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above typical ransomware demands, which ZDNET estimates average around $13,000. The other path is to re-install the key elements of your Information Technology environment. Absent complete data backups, this requires a broad complement of IT skills, professional team management, and the ability to work non-stop until the task is complete.

For two decades, Progent has provided expert Information Technology services for companies in Anchorage and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have been awarded high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in accounting and ERP software solutions. This breadth of experience gives Progent the capability to efficiently identify the necessary systems, integrate the surviving components of your network after a crypto-ransomware attack, and configure them into an operational network.

Progent's security group deploys state-of-the-art project management systems to orchestrate the complex restoration process. Progent appreciates the importance of acting swiftly and in unison with a customer's management and IT team members to assign priority to tasks and to put critical systems back online as fast as possible.

Business Case Study: A Successful Crypto-Ransomware Penetration Response
A small business contacted Progent after their network was brought down by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored cybercriminals, suspected of using technology leaked from the United States National Security Agency. Ryuk goes after specific companies with little tolerance for operational disruption and is among the most profitable versions of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in Chicago with around 500 staff members. The Ryuk penetration had disabled all company operations and manufacturing capabilities. The majority of the client's data backups had been online at the beginning of the intrusion and were encrypted. The client was evaluating paying the ransom (in excess of two hundred thousand dollars) and hoping for good luck, but in the end made the decision to use Progent.


"I cannot tell you enough about the expertise Progent provided us throughout the most fearful period of (our) company's life. We had little choice but to pay the hackers except for the confidence the Progent group gave us. That you could get our messaging and production applications back online in less than five days was something I thought impossible. Every single consultant I worked with or messaged at Progent was absolutely committed to getting us back online and was working 24/7 to bail us out."

Progent worked together with the customer to quickly identify and prioritize the essential elements that needed to be restored in order to resume company functions:

  • Windows Active Directory
  • Exchange Server
  • Accounting and Manufacturing Software

To get started, Progent followed industry best practices for AV/malware incident mitigation by halting the spread and cleaning up compromised systems. Progent then began the process of restoring Microsoft Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Exchange messaging will not operate without Windows AD, and the client's accounting and MRP system used Microsoft SQL Server, which relied on Active Directory for authenticated access to the data.

Within two days, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then helped perform rebuilding and hard drive recovery on key servers. All Exchange links and configuration information were usable, which facilitated the restoration of Exchange. Progent was also able to locate local OST files (Outlook offline data files) on team PCs and laptops to recover mail data. A fairly recent offline backup of the client's financials/MRP systems made it possible to bring these essential applications back into service for users. Although major work remained to recover fully from the Ryuk event, core services were restored quickly:


"For the most part, the assembly line operation survived unscathed and we delivered all customer orders."

Throughout the next month critical milestones in the recovery project were achieved through close cooperation between Progent engineers and the client:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Server containing more than four million archived emails was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were 100% functional.
  • A new Palo Alto 850 firewall was installed.
  • Most of the user PCs were operational.

"So much of what was accomplished that first week is almost entirely a haze for me, but my management will not soon forget the care each and every one of you put in to give us our company back. I've been working together with Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered. This time was no exception but maybe more Herculean."

Conclusion
A likely business catastrophe was averted through the efforts of hard-working experts, a broad spectrum of subject matter expertise, and close teamwork. Although in post mortem the ransomware attack detailed here could have been identified and prevented with up-to-date security solutions and NIST Cybersecurity Framework best practices, user and IT administrator education, and properly executed incident response procedures, backup controls and patching controls, the reality remains that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to a crypto-ransomware penetration, be confident that Progent's roster of experts has extensive experience in ransomware defense, remediation, and information systems recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for allowing me to get rested after we made it past the first week. All of you made an amazing effort, and if any of you guys are visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this case study, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Anchorage a range of remote monitoring and security assessment services to help reduce your exposure to ransomware. These services use next-generation machine learning to detect zero-day variants of ransomware that can get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses SentinelOne's cutting-edge behavior-based machine learning tools to defend physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily get by traditional signature-based AV products. ProSight ASM protects local and cloud resources and provides a unified platform to manage the complete malware attack progression including blocking, infiltration detection, containment, cleanup, and forensics. Top capabilities include one-click rollback using the Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring of and response to security attacks from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering through cutting-edge technologies incorporated within a single agent managed from a single console. Progent's data protection and virtualization experts can help your business design and implement a ProSight ESP environment that meets your company's unique requirements and that allows you to demonstrate compliance with legal and industry information protection regulations. Progent will assist you in defining and implementing the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent action. Progent's consultants can also help your company set up and test a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with advanced backup technology companies to create ProSight Data Protection Services, a selection of offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and track your data backup processes and enable non-disruptive backup and rapid recovery of critical files, applications, images, and virtual machines. ProSight DPS helps your business protect against data loss resulting from hardware failures, natural disasters, fire, cyber attacks such as ransomware, human mistakes, malicious insiders, or application glitches. Managed backup services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you identify which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver web-based management and world-class security for all your email traffic. The hybrid architecture of Email Guard combines cloud-based filtering with an on-premises security gateway appliance to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to external attacks and conserves bandwidth and storage space. Email Guard's on-premises security gateway device adds a deeper layer of analysis for inbound email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server track and safeguard internal email that stays inside your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map, monitor, reconfigure and debug their networking hardware such as routers, firewalls, and wireless controllers, plus servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network maps are always current, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating time-consuming network management processes, WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, locating devices that require important software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by checking the health of the critical computers that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT staff and your Progent consultant so that potential problems can be resolved before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With the ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported easily to a different hardware environment without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard data about your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can save as much as half of the time spent trying to find critical information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures and how-to guides. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that uses cutting-edge behavior-based machine learning technology to defend endpoint devices as well as servers and VMs against modern malware attacks like ransomware and fileless exploits, which easily escape traditional signature-based anti-virus tools. Progent ASM services protect on-premises and cloud-based resources and offer a single platform to address the entire threat lifecycle including blocking, infiltration detection, mitigation, cleanup, and forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
    Progent's Call Center services permit your information technology group to outsource Support Desk services to Progent or to split responsibility for support seamlessly between your internal network support group and Progent's extensive pool of IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a smooth extension of your internal IT support team. User interaction with the Service Desk, provision of support, problem escalation, ticket generation and updates, performance metrics, and management of the support database are cohesive regardless of whether incidents are resolved by your internal IT support group, by Progent's team, or by a mix of the two. Learn more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide organizations of all sizes a flexible and affordable solution for assessing, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT network. Besides improving the protection and functionality of your IT environment, Progent's software/firmware update management services free up time for your in-house IT team to concentrate on more strategic initiatives and tasks that deliver maximum business value from your information network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo MFA service plans use Cisco's Duo technology to protect against password theft by requiring two-factor authentication. Duo enables one-tap identity verification with Apple iOS, Google Android, and other personal devices. With Duo 2FA, when you sign into a secured application and give your password you are asked to confirm who you are on a device that only you have and that uses a different network channel. A wide selection of out-of-band devices can be used for this added means of authentication, including an iPhone or Android phone or watch, a hardware or software token, or a landline telephone. You may designate multiple verification devices. For details about ProSight Duo two-factor identity validation services, visit Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing suite of real-time and in-depth management reporting plug-ins created to work with the industry's top ticketing and remote network monitoring platforms, including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and uses color coding to highlight and contextualize key issues such as inconsistent support follow-up or machines with out-of-date AV. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.

For Anchorage 24x7 Crypto Recovery Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.