Crypto-Ransomware : Your Feared IT Nightmare
Ransomware  Remediation ExpertsRansomware has become a too-frequent cyberplague that presents an extinction-level danger for organizations unprepared for an attack. Versions of crypto-ransomware like the CryptoLocker, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and still inflict harm. More recent strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with additional as yet unnamed newcomers, not only do encryption of on-line data files but also infiltrate many available system backups. Files synched to off-site disaster recovery sites can also be corrupted. In a poorly designed data protection solution, it can make automatic recovery useless and basically knocks the entire system back to square one.

Recovering services and information following a ransomware event becomes a race against the clock as the targeted organization struggles to stop lateral movement and remove the ransomware and to resume business-critical operations. Because ransomware takes time to replicate, attacks are frequently launched at night, when successful attacks typically take more time to recognize. This compounds the difficulty of promptly mobilizing and orchestrating a knowledgeable mitigation team.

Progent provides a variety of services for protecting businesses from crypto-ransomware attacks. These include team member training to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of next-generation security appliances with artificial intelligence technology from SentinelOne to identify and quarantine zero-day threats intelligently. Progent also can provide the assistance of experienced crypto-ransomware recovery professionals with the talent and perseverance to re-deploy a compromised network as urgently as possible.

Progent's Ransomware Restoration Services
After a ransomware event, even paying the ransom in cryptocurrency does not provide any assurance that cyber criminals will respond with the needed codes to unencrypt any of your data. Kaspersky determined that seventeen percent of crypto-ransomware victims never restored their data even after having sent off the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the typical crypto-ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to setup from scratch the key elements of your IT environment. Without the availability of essential system backups, this requires a wide complement of IT skills, top notch project management, and the willingness to work continuously until the recovery project is complete.

For two decades, Progent has provided expert Information Technology services for businesses in Atlanta and throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have earned high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security engineers have earned internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial management and ERP applications. This breadth of expertise affords Progent the skills to rapidly identify important systems and re-organize the remaining parts of your Information Technology system following a ransomware penetration and rebuild them into a functioning system.

Progent's security team utilizes state-of-the-art project management applications to orchestrate the sophisticated recovery process. Progent knows the importance of working rapidly and in unison with a customer's management and Information Technology team members to assign priority to tasks and to get critical services back on line as soon as humanly possible.

Customer Story: A Successful Ransomware Intrusion Recovery
A business engaged Progent after their organization was brought down by Ryuk ransomware. Ryuk is believed to have been deployed by Northern Korean government sponsored hackers, possibly adopting algorithms exposed from the United States NSA organization. Ryuk attacks specific organizations with little room for operational disruption and is among the most profitable iterations of ransomware. Well Known victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in Chicago and has around 500 employees. The Ryuk attack had shut down all company operations and manufacturing processes. The majority of the client's data backups had been online at the start of the intrusion and were damaged. The client was taking steps for paying the ransom demand (exceeding $200,000) and wishfully thinking for good luck, but in the end called Progent.


"I can't thank you enough in regards to the help Progent provided us throughout the most stressful period of (our) company's survival. We would have paid the cyber criminals if not for the confidence the Progent experts provided us. The fact that you were able to get our messaging and key servers back into operation sooner than five days was amazing. Every single expert I interacted with or communicated with at Progent was urgently focused on getting our system up and was working breakneck pace to bail us out."

Progent worked hand in hand the customer to quickly understand and assign priority to the key elements that had to be recovered to make it possible to restart business operations:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Financials/MRP
To begin, Progent followed AV/Malware Processes event mitigation industry best practices by stopping the spread and clearing up compromised systems. Progent then began the process of rebuilding Active Directory, the core of enterprise networks built on Microsoft Windows Server technology. Exchange email will not function without AD, and the businesses' financials and MRP applications used Microsoft SQL Server, which needs Windows AD for access to the database.

In less than two days, Progent was able to rebuild Active Directory services to its pre-attack state. Progent then assisted with reinstallations and hard drive recovery of key servers. All Exchange schema and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to locate local OST data files (Outlook Email Offline Folder Files) on various desktop computers in order to recover email data. A not too old offline backup of the client's accounting/ERP systems made it possible to return these vital services back on-line. Although significant work needed to be completed to recover completely from the Ryuk attack, critical systems were recovered quickly:


"For the most part, the production line operation ran fairly normal throughout and we delivered all customer shipments."

During the following few weeks key milestones in the recovery process were made through tight collaboration between Progent engineers and the client:

  • In-house web applications were brought back up with no loss of data.
  • The MailStore Microsoft Exchange Server exceeding 4 million archived messages was restored to operations and available for users.
  • CRM/Orders/Invoices/Accounts Payable/AR/Inventory functions were completely restored.
  • A new Palo Alto Networks 850 security appliance was set up and programmed.
  • Most of the user desktops were being used by staff.

"A huge amount of what went on during the initial response is nearly entirely a blur for me, but my team will not soon forget the countless hours all of your team accomplished to help get our business back. I've been working together with Progent for at least 10 years, possibly more, and every time Progent has come through and delivered. This event was a testament to your capabilities."

Conclusion
A likely business-killing catastrophe was dodged with top-tier professionals, a broad spectrum of knowledge, and tight teamwork. Although in hindsight the ransomware incident described here could have been stopped with modern security solutions and security best practices, team education, and well designed security procedures for information protection and keeping systems up to date with security patches, the reality remains that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware virus, feel confident that Progent's team of professionals has a proven track record in ransomware virus defense, cleanup, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thanks very much for letting me get rested after we got through the initial fire. All of you did an fabulous job, and if anyone that helped is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Atlanta a range of online monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services utilize modern artificial intelligence technology to uncover new variants of ransomware that can evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior-based analysis technology to defend physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which routinely escape traditional signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a unified platform to manage the complete malware attack progression including protection, infiltration detection, containment, remediation, and post-attack forensics. Top features include single-click rollback using Windows VSS and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection services offer economical multi-layer protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, endpoint control, and web filtering via cutting-edge tools packaged within one agent accessible from a single control. Progent's security and virtualization experts can help your business to design and configure a ProSight ESP environment that meets your organization's unique requirements and that allows you demonstrate compliance with legal and industry data security regulations. Progent will assist you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require urgent action. Progent can also help your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore software providers to create ProSight Data Protection Services (DPS), a portfolio of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your data backup operations and allow non-disruptive backup and fast recovery of important files, applications, images, plus virtual machines. ProSight DPS helps you recover from data loss caused by equipment failures, natural disasters, fire, cyber attacks like ransomware, user error, malicious employees, or application bugs. Managed services in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security companies to provide web-based control and comprehensive security for all your email traffic. The powerful structure of Email Guard integrates cloud-based filtering with a local security gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and keeps most threats from reaching your security perimeter. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's onsite security gateway device adds a deeper layer of inspection for inbound email. For outbound email, the onsite gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to diagram, track, enhance and debug their networking appliances such as routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept updated, copies and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when issues are detected. By automating tedious management activities, WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, locating appliances that need critical software patches, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your IT system operating at peak levels by checking the state of vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your specified IT management staff and your Progent engineering consultant so that any looming problems can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported immediately to an alternate hosting environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and protect information about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates ,domains or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate as much as 50% of time thrown away looking for vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Read more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting edge behavior machine learning technology to guard endpoints and physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which routinely escape legacy signature-matching AV tools. Progent Active Security Monitoring services safeguard local and cloud resources and provides a single platform to address the complete malware attack lifecycle including blocking, identification, containment, cleanup, and forensics. Key features include one-click rollback using Windows VSS and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Service Desk: Help Desk Managed Services
    Progent's Help Desk services allow your information technology group to outsource Help Desk services to Progent or divide responsibilities for Service Desk support seamlessly between your internal network support resources and Progent's extensive roster of IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a smooth extension of your internal IT support organization. User access to the Service Desk, provision of technical assistance, escalation, trouble ticket generation and tracking, performance measurement, and maintenance of the support database are consistent regardless of whether incidents are taken care of by your core IT support group, by Progent, or by a combination. Learn more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management offer businesses of any size a versatile and cost-effective solution for evaluating, validating, scheduling, implementing, and documenting updates to your dynamic information system. Besides maximizing the security and reliability of your computer network, Progent's software/firmware update management services free up time for your IT staff to concentrate on line-of-business projects and activities that deliver the highest business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity verification on Apple iOS, Android, and other out-of-band devices. Using Duo 2FA, when you log into a protected online account and give your password you are requested to confirm your identity via a device that only you have and that is accessed using a separate network channel. A broad range of devices can be utilized for this added form of ID validation including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may designate several validation devices. For more information about Duo two-factor identity validation services, go to Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of in-depth reporting utilities designed to work with the leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues such as spotty support follow-up or endpoints with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances productivity, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For Atlanta 24x7 CryptoLocker Recovery Help, contact Progent at 800-462-8800 or go to Contact Progent.