Crypto-Ransomware : Your Feared Information Technology Nightmare
Ransomware  Recovery ProfessionalsCrypto-Ransomware has become an escalating cyberplague that presents an existential threat for organizations vulnerable to an assault. Versions of ransomware like the CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for many years and continue to cause damage. More recent strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, along with additional as yet unnamed newcomers, not only encrypt online data files but also infect any available system protection mechanisms. Files synched to the cloud can also be corrupted. In a vulnerable environment, it can render automated restoration impossible and effectively knocks the entire system back to zero.

Retrieving applications and information following a crypto-ransomware intrusion becomes a race against the clock as the targeted organization tries its best to contain and remove the crypto-ransomware and to resume enterprise-critical operations. Since crypto-ransomware requires time to replicate, attacks are usually launched at night, when penetrations tend to take longer to discover. This compounds the difficulty of quickly assembling and coordinating an experienced response team.

Progent makes available a range of help services for protecting businesses from ransomware penetrations. These include team member education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of the latest generation security appliances with AI capabilities from SentinelOne to discover and extinguish day-zero cyber threats quickly. Progent in addition can provide the assistance of veteran crypto-ransomware recovery professionals with the skills and commitment to rebuild a breached environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Services
Subsequent to a ransomware attack, paying the ransom demands in Bitcoin cryptocurrency does not guarantee that distant criminals will return the needed keys to decipher any or all of your data. Kaspersky Labs determined that 17% of ransomware victims never restored their information even after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the typical ransomware demands, which ZDNET estimates to be approximately $13,000. The alternative is to piece back together the key parts of your Information Technology environment. Without the availability of full system backups, this requires a wide range of skills, well-coordinated team management, and the capability to work 24x7 until the recovery project is completed.

For two decades, Progent has provided certified expert IT services for businesses in Arlington and throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded top industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with accounting and ERP applications. This breadth of expertise provides Progent the capability to rapidly understand necessary systems and consolidate the remaining components of your computer network system after a ransomware attack and assemble them into a functioning network.

Progent's ransomware team of experts deploys powerful project management systems to orchestrate the sophisticated recovery process. Progent understands the urgency of working swiftly and in unison with a customer�s management and IT team members to prioritize tasks and to put critical applications back online as soon as possible.

Case Study: A Successful Ransomware Virus Response
A small business contacted Progent after their company was penetrated by the Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean state hackers, suspected of adopting technology exposed from the U.S. NSA organization. Ryuk attacks specific companies with little or no ability to sustain disruption and is among the most profitable incarnations of ransomware. Well Known victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company based in Chicago with around 500 employees. The Ryuk attack had brought down all business operations and manufacturing processes. The majority of the client's system backups had been online at the start of the attack and were destroyed. The client was taking steps for paying the ransom (more than $200K) and wishfully thinking for good luck, but in the end made the decision to use Progent.


"I cannot thank you enough in regards to the expertise Progent provided us during the most stressful time of (our) company�s life. We would have paid the criminal gangs except for the confidence the Progent team afforded us. That you could get our e-mail system and production applications back on-line quicker than seven days was amazing. Every single consultant I interacted with or texted at Progent was laser focused on getting our system up and was working 24 by 7 on our behalf."

Progent worked together with the client to quickly understand and prioritize the mission critical areas that needed to be recovered to make it possible to resume departmental operations:

  • Active Directory
  • Microsoft Exchange
  • Financials/MRP
To begin, Progent adhered to Anti-virus penetration response best practices by halting the spread and cleaning systems of viruses. Progent then started the task of restoring Active Directory, the heart of enterprise environments built upon Microsoft technology. Microsoft Exchange Server messaging will not work without Windows AD, and the client's accounting and MRP software leveraged Microsoft SQL Server, which depends on Windows AD for security authorization to the data.

In less than 48 hours, Progent was able to recover Active Directory services to its pre-virus state. Progent then helped perform setup and hard drive recovery on key applications. All Exchange Server ties and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to find local OST files (Outlook Email Offline Folder Files) on various workstations in order to recover mail data. A recent offline backup of the client's accounting/MRP software made it possible to restore these vital programs back servicing users. Although major work was left to recover fully from the Ryuk damage, the most important services were restored quickly:


"For the most part, the production operation ran fairly normal throughout and we produced all customer sales."

During the next month important milestones in the recovery project were made in tight collaboration between Progent consultants and the customer:

  • In-house web applications were returned to operation with no loss of information.
  • The MailStore Server containing more than four million historical emails was brought online and available for users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables (AR)/Inventory Control modules were 100 percent recovered.
  • A new Palo Alto 850 security appliance was brought online.
  • 90% of the user PCs were functioning as before the incident.

"So much of what was accomplished during the initial response is nearly entirely a haze for me, but our team will not soon forget the care all of your team accomplished to help get our business back. I�ve utilized Progent for the past 10 years, maybe more, and every time Progent has impressed me and delivered. This event was a stunning achievement."

Conclusion
A probable business-ending catastrophe was evaded by hard-working experts, a wide range of subject matter expertise, and tight collaboration. Although upon completion of forensics the ransomware incident described here should have been shut down with advanced cyber security technology and recognized best practices, staff training, and appropriate incident response procedures for information protection and proper patching controls, the reality remains that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's team of professionals has substantial experience in ransomware virus blocking, cleanup, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for allowing me to get some sleep after we got over the first week. Everyone did an impressive job, and if anyone is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Arlington a variety of online monitoring and security evaluation services designed to help you to minimize the threat from crypto-ransomware. These services utilize next-generation artificial intelligence capability to detect new strains of ransomware that can evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior-based analysis tools to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. ProSight ASM safeguards local and cloud resources and offers a unified platform to automate the entire threat progression including protection, identification, containment, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Progent is a certified SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth security for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP provides firewall protection, penetration alarms, device control, and web filtering through cutting-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help your business to plan and implement a ProSight ESP environment that addresses your organization's specific requirements and that allows you achieve and demonstrate compliance with legal and industry data protection standards. Progent will assist you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent action. Progent can also assist you to set up and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup/restore software companies to produce ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS services manage and track your data backup processes and allow non-disruptive backup and fast recovery of important files/folders, apps, images, plus VMs. ProSight DPS helps you avoid data loss resulting from hardware breakdown, natural calamities, fire, malware such as ransomware, user mistakes, malicious employees, or application glitches. Managed services available in the ProSight Data Protection Services portfolio include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security companies to provide centralized control and comprehensive protection for all your email traffic. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a further level of inspection for incoming email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progents ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map, monitor, optimize and debug their networking appliances such as routers, firewalls, and access points plus servers, client computers and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch makes sure that network maps are kept updated, captures and displays the configuration information of almost all devices on your network, monitors performance, and sends alerts when problems are discovered. By automating complex network management activities, WAN Watch can cut hours off ordinary tasks like making network diagrams, expanding your network, finding devices that require critical updates, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progents server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by tracking the health of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT management personnel and your assigned Progent consultant so that all potential problems can be addressed before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be moved immediately to a different hosting environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and protect information about your network infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSLs ,domains or warranties. By cleaning up and managing your network documentation, you can save up to half of time wasted searching for vital information about your IT network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents required for managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether youre planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting edge behavior-based analysis technology to defend endpoints as well as physical and virtual servers against modern malware attacks like ransomware and email phishing, which easily get by traditional signature-based AV products. Progent Active Security Monitoring services protect on-premises and cloud resources and offers a unified platform to manage the entire threat progression including blocking, detection, mitigation, remediation, and post-attack forensics. Top features include one-click rollback using Windows VSS and real-time network-wide immunization against new threats. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
    Progent's Call Desk managed services allow your IT staff to outsource Help Desk services to Progent or divide activity for support services transparently between your internal network support group and Progent's nationwide pool of IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a seamless supplement to your internal IT support staff. End user interaction with the Service Desk, delivery of support services, problem escalation, trouble ticket creation and tracking, efficiency metrics, and management of the support database are consistent regardless of whether incidents are taken care of by your core network support resources, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of all sizes a versatile and cost-effective alternative for assessing, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT network. In addition to maximizing the protection and functionality of your computer network, Progent's software/firmware update management services allow your in-house IT staff to concentrate on more strategic initiatives and activities that deliver the highest business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication services utilize Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication. Duo enables one-tap identity verification on iOS, Android, and other out-of-band devices. Using 2FA, when you sign into a protected online account and give your password you are asked to confirm who you are on a unit that only you have and that is accessed using a different ("out-of-band") network channel. A broad range of devices can be used as this second form of ID validation including an iPhone or Android or wearable, a hardware/software token, a landline phone, etc. You can designate several verification devices. To find out more about Duo identity authentication services, see Duo MFA two-factor authentication (2FA) services for access security.
For Arlington 24x7 Ransomware Repair Services, reach out to Progent at 800-462-8800 or go to Contact Progent.