Crypto-Ransomware: Your Crippling Information Technology Nightmare
Crypto-ransomware has become a too-frequent cyber pandemic that poses an existential threat to organizations poorly prepared for an attack. Older versions of ransomware like the Dharma, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for a long time and continue to cause harm. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nephilim, as well as a steady stream of as yet unnamed newcomers, not only encrypt online data but also defeat many of the system protections that are in place. Data synchronized to cloud environments can also be corrupted. In a vulnerable system, this can make automatic restoration useless and effectively sets the network back to square one.

Recovering applications and data after a ransomware intrusion becomes a race against the clock as the targeted organization struggles to contain the spread, eradicate the ransomware, and resume business-critical operations. Since crypto-ransomware needs time to propagate, attacks are usually launched on weekends, when intrusions tend to take longer to notice. This compounds the difficulty of quickly assembling and orchestrating a knowledgeable mitigation team.

Progent offers a range of services for securing enterprises against crypto-ransomware intrusions. Among these are user training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security gateways with AI technology from SentinelOne to detect and disable zero-day threats automatically. Progent also provides the assistance of veteran ransomware recovery consultants with the skills and perseverance to restore a compromised network as quickly as possible.

Progent's Ransomware Recovery Services
After a ransomware event, even paying the ransom in Bitcoin does not guarantee that the cyber criminals will provide the keys to decrypt any or all of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after sending the ransom, resulting in increased losses. Paying is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNet puts at around $13,000. The alternative is to set up the key components of your IT environment from scratch. Without access to complete data backups, this calls for a broad complement of skill sets, top-notch project management, and the willingness to work 24x7 until the task is finished.

For two decades, Progent has offered expert IT services for businesses in Arlington and throughout the United States and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major distributions of Linux. Progent's cyber security consultants have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of experience allows Progent to quickly identify critical systems, organize the surviving components of your network environment after a ransomware event, and assemble them into an operational system.

Progent's ransomware team uses top-notch project management tools to coordinate the complex restoration process. Progent appreciates the importance of acting rapidly and in concert with a customer's management and IT resources to prioritize tasks and to bring essential services back online as fast as possible.

Client Case Study: A Successful Ransomware Intrusion Recovery
A customer sought out Progent after their company was attacked by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored hackers, possibly adopting technology leaked from the United States NSA. Ryuk targets specific organizations with little ability to sustain operational disruption and is one of the most lucrative versions of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business located in Chicago with around 500 employees. The Ryuk event had paralyzed all business operations and manufacturing capabilities. Most of the client's data backups had been online at the time of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (in excess of $200,000) and hoping for the best, but in the end engaged Progent.


"I can't speak enough about the support Progent gave us throughout the most critical time of (our) company's survival. We would have had little choice but to pay the hackers behind this attack if it weren't for the confidence the Progent experts provided us. That you could get our messaging and production servers back into operation in less than 1 week was earth shattering. Each expert I talked with or communicated with at Progent was urgently focused on getting us operational and was working at all hours on our behalf."

Progent worked with the client to rapidly identify and prioritize the most important areas that needed to be recovered in order to resume departmental functions:

  • Microsoft Active Directory
  • Exchange Server
  • Accounting and Manufacturing Software

To start, Progent followed malware incident response best practices by containing the spread and removing active malware. Progent then began restoring Microsoft Active Directory, the heart of enterprise systems built on Microsoft technology. Microsoft Exchange messaging will not work without AD, and the business's MRP system ran on Microsoft SQL Server, which relied on Windows AD for authenticating access to the data.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then began rebuilding key systems and recovering data from their hard drives. All Exchange Server data and attributes were intact, which greatly simplified the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Offline Data Files) from staff desktop computers in order to recover mail data. A relatively recent offline backup of the client's accounting/ERP systems made it possible to bring these essential applications back to users. Although major work remained to recover completely from the Ryuk attack, essential services were restored quickly:


"For the most part, the production line operation was never shut down and we produced all customer sales."

Over the next few weeks important milestones in the restoration project were completed in close collaboration between Progent engineers and the customer:

  • Internal web applications were restored without losing any data.
  • The MailStore Exchange Server with over 4 million archived messages was brought online and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory Control functions were 100% recovered.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • 90% of the desktop computers were functioning as before the incident.

"Much of what happened that first week is mostly a haze for me, but my management will not soon forget the urgency each of your team accomplished to help get our company back. I have been working with Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered as promised. This event was the most impressive ever."

Conclusion
A potentially business-ending disaster was averted through the efforts of hard-working professionals, a broad range of IT skills, and tight collaboration. Forensic review after the fact showed that the crypto-ransomware incident described here could have been identified and stopped with advanced cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and sound incident response procedures covering data backup and timely security patching. The fact remains, however, that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware incursion, you can be confident that Progent's team of professionals has extensive experience in crypto-ransomware defense, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), thank you for allowing me to get some sleep after we got through the first week. Everyone made an incredible effort, and if any of your guys is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Arlington with a portfolio of remote monitoring and security evaluation services to help you minimize your vulnerability to crypto-ransomware. These services incorporate modern artificial intelligence capabilities to uncover new strains of crypto-ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that uses SentinelOne's cutting-edge behavior analysis technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and fileless exploits, which routinely evade traditional signature-matching AV tools. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to manage the entire threat progression, including protection, intrusion detection, containment, remediation, and post-attack forensics. Top features include one-click rollback using Windows VSS and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and respond to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge tools packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP environment that addresses your company's unique requirements and that allows you to demonstrate compliance with legal and industry information security standards. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate action. Progent's consultants can also help you set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore technology providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup processes and allow transparent backup and fast recovery of vital files, applications, system images, and VMs. ProSight DPS lets your business recover from data loss resulting from equipment failures, natural calamities, fire, cyber attacks such as ransomware, human error, malicious employees, or software bugs. Managed backup services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you determine which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading information security vendors to provide centralized management and world-class security for all your email traffic. The hybrid structure of Email Guard integrates a Cloud Protection Layer with a local security gateway device to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This reduces your exposure to external attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper level of analysis for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Exchange Server track and protect internal email traffic that stays within your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map out, monitor, enhance and debug their networking appliances like routers, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are kept current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and sends notices when problems are discovered. By automating time-consuming network management activities, ProSight WAN Watch can cut hours off ordinary tasks like network mapping, reconfiguring your network, finding appliances that need important updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by tracking the state of critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT personnel and your assigned Progent consultant so any potential issues can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hosting solution without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect information about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates, domains, or warranties. By updating and organizing your network documentation, you can save up to half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates next-generation behavior-based analysis technology to defend endpoints as well as physical and virtual servers against new malware attacks such as ransomware and fileless exploits, which easily evade legacy signature-matching AV products. Progent Active Security Monitoring services protect local and cloud-based resources and provide a unified platform to automate the complete malware attack progression, including blocking, detection, containment, cleanup, and forensics. Key features include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Service Center: Call Center Managed Services
    Progent's Call Center managed services allow your IT group to offload Help Desk services to Progent or divide activity for Service Desk support seamlessly between your in-house network support resources and Progent's nationwide roster of IT support technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a transparent extension of your corporate IT support staff. End user interaction with the Help Desk, provision of support services, escalation, ticket generation and tracking, efficiency measurement, and maintenance of the support database are cohesive regardless of whether incidents are resolved by your in-house support group, by Progent's team, or a mix of the two. Read more about Progent's outsourced/shared Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer businesses of all sizes a versatile and cost-effective alternative for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your dynamic IT network. Besides optimizing the protection and functionality of your IT environment, Progent's software/firmware update management services free up time for your in-house IT staff to focus on more strategic projects and tasks that derive maximum business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against password theft through two-factor authentication. Duo supports single-tap identity confirmation with Apple iOS, Android, and other out-of-band devices. With 2FA, whenever you log into a protected application and enter your password, you are asked to confirm who you are via a device that only you possess and that is reached over a separate network channel. A wide range of out-of-band devices can serve as this second factor, including an iPhone, an Android phone, a wearable, a hardware or software token, or a landline telephone. You can designate several validation devices. For more information about ProSight Duo identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.

For Arlington 24/7 CryptoLocker Recovery Consultants, call Progent at 800-462-8800 or go to Contact Progent.