Crypto-Ransomware: Your Worst IT Nightmare
Crypto-ransomware has become a modern cyber plague that presents an enterprise-level danger to businesses of all sizes that are unprepared for an attack. Older families such as CrySIS, Fusob, Bad Rabbit, NotPetya and MongoLock have been around for years and still cause harm. More recent families like Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Egregor, plus a steady stream of as yet unnamed newcomers, do not merely encrypt on-line data: they also seek out and encrypt or delete every backup, snapshot and recovery resource reachable from the compromised network. Data replicated to an off-site disaster recovery site can be corrupted along with it, because replication faithfully copies the encrypted files. In a poorly architected environment this renders automated restoration hopeless and effectively sets the datacenter back to zero.

Recovering services and data after a ransomware outage becomes a race against time as the victim fights to contain the spread, eradicate the malware, and restore business-critical operations. Because the malware needs time to spread and encrypt, attackers often trigger it at night or over a weekend, when a successful intrusion takes longer to notice. This compounds the difficulty of quickly assembling and organizing a knowledgeable response team.

Progent offers a range of services for protecting businesses from crypto-ransomware intrusions. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation endpoint protection built on SentinelOne's behavioral AI to identify and block new attacks. Progent also provides expert ransomware recovery consultants with the skill and persistence to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Help
After a ransomware intrusion, even paying the ransom in cryptocurrency does not guarantee that the criminals will respond with keys that decrypt any or all of your data. Kaspersky found that 17% of crypto-ransomware victims never recovered their data after paying, compounding their losses. Paying is also expensive: Ryuk ransoms are typically a few hundred thousand dollars, and for larger enterprises the demand can run into millions. The alternative is to rebuild the key elements of your IT environment. Without complete, uncompromised backups, this requires a broad set of skills, professional project management, and the ability to work around the clock until the recovery project is finished.

For two decades, Progent has provided certified IT services for businesses throughout the US and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold top industry certifications in technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise lets Progent knowledgeably identify the systems that matter, salvage the surviving parts of your network after a ransomware event, and rebuild them into a working system.

Progent's ransomware team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of working quickly and in concert with the customer's management and IT staff to prioritize tasks and get key services back on line as fast as possible.

Customer Story: A Successful Ransomware Attack Recovery
A business contacted Progent after their network was taken over by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because it shares code with the older Hermes ransomware; later research attributed it to a Russian-speaking criminal group. Ryuk targets specific companies with little tolerance for operational disruption and is one of the most profitable ransomware operations. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing processes. Most of the client's backups had been directly reachable from the compromised network at the time of the attack, and they were encrypted along with the production data. The client was preparing to pay the ransom (more than $200,000) and hoping for the best, but instead engaged Progent.


"I can't thank you enough for the support Progent provided us throughout the most fearful time of (our) business's life. We would have had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent team gave us. The fact that you were able to get our messaging and important applications back on-line in less than a week was something I thought impossible. Every single staff member I got help from or messaged at Progent was laser focused on getting us restored and was working day and night to bail us out."

Progent worked with the client to quickly identify and assign priority to the key applications that needed to be addressed to make it possible to continue departmental functions:

  • Active Directory
  • Microsoft Exchange Server
  • Financials/MRP
To begin, Progent followed incident response best practices: isolating affected systems to halt the spread, then eradicating the malware. Progent then began bringing Active Directory back on line, the core technology of enterprise networks built on Microsoft Windows Server. Microsoft Exchange will not function without Active Directory, and the customer's financials and MRP software ran on SQL Server, which relied on Windows (Active Directory) authentication to grant access to the data.
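The dependency chain above (Exchange and SQL Server cannot come up until Active Directory is back) is what dictates restoration order. The following Python is an added example, not Progent's own tooling: it encodes such a chain as a small dependency graph with assumed priority tiers and computes an order that honours both, refusing to schedule any service before the services it needs. The service names beyond those in the case study (DNS, IntranetWeb, MailStoreArchive) and the tier values are hypothetical placeholders.

```python
"""Dependency-ordered recovery planning (added example, not Progent's tooling).

Each entry maps a service to the services it needs and an assumed priority
tier (1 = restore first). Names other than AD, Exchange and SQL/MRP are
hypothetical placeholders; replace them with your own inventory."""

# Constructed sample inventory modelled on the case study.
SERVICES = {
    "ActiveDirectory":  {"deps": [],                               "tier": 1},
    "DNS":              {"deps": [],                               "tier": 1},  # hypothetical
    "ExchangeServer":   {"deps": ["ActiveDirectory", "DNS"],       "tier": 2},
    "SQLServer":        {"deps": ["ActiveDirectory"],              "tier": 2},
    "MRP":              {"deps": ["SQLServer"],                    "tier": 2},
    "IntranetWeb":      {"deps": ["ActiveDirectory", "SQLServer"], "tier": 3},  # hypothetical
    "MailStoreArchive": {"deps": ["ExchangeServer"],               "tier": 3},
}


def recovery_order(services):
    """Kahn's topological sort. Whenever several services are ready, the
    lowest tier (then alphabetical) goes first, so priorities are honoured
    without ever scheduling a service before its dependencies. Raises
    ValueError on an unknown dependency or a dependency cycle."""
    indegree = {name: 0 for name in services}
    dependents = {name: [] for name in services}
    for name, info in services.items():
        for dep in info["deps"]:
            if dep not in services:
                raise ValueError(f"{name} depends on unknown service {dep!r}")
            indegree[name] += 1
            dependents[dep].append(name)

    ready = [n for n, d in indegree.items() if d == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: (services[n]["tier"], n))
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)

    if len(order) != len(services):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle involving {stuck}")
    return order


def blocked_by(services, down):
    """Transitive dependents of `down`: everything that stays unavailable
    until `down` is restored. Explains why AD has to come back first."""
    dependents = {}
    for name, info in services.items():
        for dep in info["deps"]:
            dependents.setdefault(dep, []).append(name)
    seen, stack = set(), [down]
    while stack:
        for child in dependents.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


if __name__ == "__main__":
    for step, name in enumerate(recovery_order(SERVICES), 1):
        print(f"{step}. {name}")
    print("Unavailable while AD is down:", sorted(blocked_by(SERVICES, "ActiveDirectory")))
```

The tier is only a tie-breaker among services whose dependencies are already restored; a tier-1 service that depends on a tier-3 one still waits, which is the point of sorting by dependencies first.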

Within two days, Progent restored Active Directory to its pre-attack state. Progent then reinstalled and recovered storage for the remaining systems. The Exchange data and mailbox attributes were intact, which simplified restoring Exchange. Progent also collected unencrypted OST files (Outlook offline data files) from staff workstations and laptops in order to recover mail data. A reasonably recent off-line backup of the customer's manufacturing systems made it possible to bring those essential applications back on line. Although much work remained to recover fully from the Ryuk damage, core services were returned to operation quickly:


"For the most part, the manufacturing operation was never shut down and we made all customer shipments."
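Salvaging mail from OST files on endpoints only works for the files the ransomware did not reach, so the first step is triage: which of the collected files are still valid Outlook data files? The Python below is an added example, not Progent's procedure, showing one way to do that offline. It relies on the `!BDN` signature at the start of every PST/OST file (from Microsoft's MS-PST specification) and on a byte-entropy heuristic for files whose header is gone; the sample directory it builds, the `.RYK` extension on one constructed "encrypted" file, and the 7.5-bit entropy threshold are assumptions.

```python
"""Triage collected Outlook data files after a ransomware event
(added example, not Progent's procedure)."""
import math
import os
import tempfile

PST_MAGIC = b"!BDN"      # dwMagic at offset 0 of every PST/OST file (MS-PST)
ENTROPY_LIMIT = 7.5      # assumed: bits per byte above which data looks encrypted
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


def shannon_entropy(data):
    """Bits of entropy per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_mail_file(path):
    """'intact' if the PST/OST header is present, 'likely-encrypted' if the
    header is gone and the content is ciphertext-like, else 'not-ost'."""
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    if head.startswith(PST_MAGIC):
        return "intact"
    if shannon_entropy(head) > ENTROPY_LIMIT:
        return "likely-encrypted"
    return "not-ost"


def triage_directory(root):
    """Map every file under `root` whose name contains '.ost' (so renamed
    files such as 'user.ost.RYK' are included) to its classification."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if ".ost" in name.lower():
                results[name] = classify_mail_file(os.path.join(dirpath, name))
    return results


def make_sample_tree():
    """Constructed sample data: one valid-looking OST, one encrypted OST
    renamed with an assumed ransomware extension, one OST overwritten in
    place that kept its name, and an unrelated text file."""
    root = tempfile.mkdtemp(prefix="ost-triage-")
    with open(os.path.join(root, "alice.ost"), "wb") as f:
        f.write(PST_MAGIC + b"\x00" * 4092)           # header intact, body irrelevant here
    with open(os.path.join(root, "bob.ost.RYK"), "wb") as f:
        f.write(os.urandom(SAMPLE_BYTES))             # stands in for ciphertext
    with open(os.path.join(root, "carol.ost"), "wb") as f:
        f.write(os.urandom(SAMPLE_BYTES))             # encrypted in place, name unchanged
    with open(os.path.join(root, "notes.ost.txt"), "wb") as f:
        f.write(b"shipping list, not a mailbox\n" * 200)
    return root


def demo():
    """Build the constructed sample tree and triage it."""
    return triage_directory(make_sample_tree())


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:17} {name}")
```

A file classed "intact" still has to be opened with Outlook or a PST tool before anyone relies on it: some ransomware families encrypt only portions of large files and leave the header alone, so a passing signature check is necessary but not sufficient. Files classed "likely-encrypted" are worth keeping in case a decryptor for that family is released later.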

Throughout the next couple of weeks important milestones in the restoration process were made through close collaboration between Progent team members and the customer:

  • In-house web applications were returned to operation with no loss of data.
  • The MailStore email archive server, holding over 4 million archived messages, was brought on-line and made accessible to users.
  • CRM, customer orders, invoicing, AP, accounts receivable (AR) and inventory control functions were 100% recovered.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Most user desktops and notebooks were back in service.

"Much of what went on during the initial response is nearly entirely a haze for me, but I will not forget the commitment each and every one of your team accomplished to help get our company back. I've been working together with Progent for the past 10 years, maybe more, and each time Progent has come through and delivered. This time was the most impressive ever."

Conclusion
A potentially business-ending catastrophe was avoided through hard-working experts, a wide array of knowledge, and close teamwork. In hindsight, the intrusion described here could have been blocked with current cyber security tooling, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user training, well-designed procedures for data protection (including backups that cannot be reached from the production network), and discipline in keeping systems current with security patches. The reality remains that state-sponsored and criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware attack, remember that Progent's team has extensive experience in ransomware prevention, mitigation, and data recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for making it so I could get some sleep after we made it through the most critical parts. All of you made a fabulous effort, and if anyone is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Arlington a variety of online monitoring and security assessment services designed to help reduce the threat from ransomware. These services include next-generation machine learning capability to detect new strains of ransomware that evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses SentinelOne's next-generation behavioral machine learning to defend physical and virtual endpoints against modern malware such as ransomware and file-less exploits, which easily evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a single platform to address the complete malware attack lifecycle including prevention, detection, mitigation, remediation, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Because rollback depends on those shadow copies, and many ransomware families delete them (for example with vssadmin delete shadows) before encrypting, verify that the agent's snapshot protection is enabled when the service is deployed. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering via cutting-edge tools incorporated within a single agent accessible from a single console. Progent's data protection and virtualization consultants can assist you to design and configure a ProSight ESP environment that meets your company's specific needs and that helps you demonstrate compliance with legal and industry data security regulations. Progent will assist you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent can also assist you to install and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore technology providers to produce ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your data backup operations and enable non-disruptive backup and fast restoration of important files/folders, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you protect against data loss caused by hardware failures, natural disasters, fire, cyber attacks like ransomware, human mistakes, ill-intentioned employees, or software bugs. Managed services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security companies to provide web-based management and comprehensive protection for your email traffic. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. Email Guard's cloud filter acts as a first barrier and blocks most threats before they reach your network firewall. This reduces your exposure to inbound threats and saves bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper layer of analysis for incoming email. For outgoing email, the local security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-site security gateway can also work with Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to diagram, track, optimize and debug their networking hardware such as switches, firewalls, and access points as well as servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when problems are discovered. By automating complex network management activities, WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, locating devices that require critical software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network running efficiently by checking the state of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT personnel and your assigned Progent engineering consultant so all potential problems can be resolved before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved immediately to a different hardware solution without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect information related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSL certificates or warranties. By cleaning up and managing your network documentation, you can eliminate up to 50% of time wasted searching for critical information about your network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you require when you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that uses next-generation behavioral machine learning to defend endpoints and physical and virtual servers against modern malware such as ransomware and file-less exploits, which easily evade legacy signature-matching AV products. The service protects local and cloud resources and offers a single platform that covers the complete attack lifecycle including filtering, intrusion detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Center: Support Desk Managed Services
    Progent's Support Desk services enable your IT group to outsource Help Desk services to Progent or split responsibilities for Service Desk support seamlessly between your internal network support resources and Progent's nationwide roster of IT service engineers and subject matter experts. Progent's Shared Help Desk Service provides a transparent extension of your corporate IT support resources. End user access to the Help Desk, provision of technical assistance, problem escalation, ticket creation and tracking, performance measurement, and maintenance of the service database are consistent regardless of whether incidents are resolved by your corporate network support organization, by Progent, or by a combination. Learn more about Progent's outsourced/shared Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of any size a flexible and cost-effective solution for evaluating, testing, scheduling, implementing, and tracking updates to your ever-evolving information network. In addition to optimizing the security and reliability of your IT network, Progent's software/firmware update management services allow your IT staff to concentrate on line-of-business projects and activities that deliver the highest business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication services utilize Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication (2FA). Duo enables one-tap identity confirmation on iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected online account and give your password you are requested to confirm who you are via a device that only you possess and that uses a different ("out-of-band") network channel. A broad selection of out-of-band devices can be utilized as this second means of authentication such as a smartphone or watch, a hardware/software token, a landline phone, etc. You may register multiple validation devices. To learn more about Duo two-factor identity authentication services, see Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing suite of in-depth reporting plug-ins designed to integrate with the industry's leading ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as inconsistent support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.

For 24x7 Arlington CryptoLocker Recovery Consultants, contact Progent at 800-462-8800 or go to Contact Progent.