Crypto-Ransomware : Your Worst Information Technology Nightmare
Ransomware Recovery Professionals
Ransomware has become an all-too-frequent cyberplague that represents an enterprise-level danger for organizations poorly prepared for an attack. Older families such as Reveton, WannaCry, Bad Rabbit and MongoLock, along with Syskey lock-out scams, have circulated for years and continue to inflict havoc. Modern strains like Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch or Nefilim, as well as newcomers not yet named, do not just encrypt online data: they delete Volume Shadow Copies and system restore points and wipe any backup they can reach over the network. Files replicated to cloud storage can be overwritten with their encrypted versions. In a poorly architected environment this makes automated restore useless and effectively sets the network back to square one.
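The backup and restore-point destruction described above is a precursor step, not the encryption itself, and it relies on a handful of well-known built-in commands that are easy to flag in Windows process-creation telemetry (Security event 4688 or Sysmon event 1). The Python below is an added example, not Progent's tooling or any product's code: it runs a small rule set over constructed log lines (written here as key=value pairs as a stand-in for the real event fields) and escalates any host where more than one distinct destruction technique appears. The hostnames, users and log format are assumptions for the example.

```python
"""Flag shadow-copy and backup destruction in Windows process-creation logs.

Added example; the log lines below are constructed for illustration and the
key=value format is a stand-in for Security 4688 / Sysmon 1 fields.
"""
import re
from collections import defaultdict

# Command forms commonly documented for Ryuk-style cleanup scripts and other
# families: delete or starve VSS snapshots, wipe the Windows Backup catalog,
# and disable automatic startup repair so the machine cannot be rolled back.
RULES = [
    ("vss_delete_shadows", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize_storage", re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("ps_shadowcopy_delete", re.compile(r"win32_shadowcopy.*(?:remove-wmiobject|\.delete\(\))", re.I)),
    ("wbadmin_delete", re.compile(r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup|backup)", re.I)),
    ("bcdedit_no_recovery", re.compile(r"bcdedit(?:\.exe)?\s.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

# Constructed sample events (not real incident data). Values with spaces are quoted.
SAMPLE_EVENTS = [
    r'host=FS01 user=CORP\svc_backup parent=C:\Windows\System32\svchost.exe cmd="vssadmin list shadows"',
    r'host=FS01 user=CORP\jdoe parent=C:\Windows\System32\cmd.exe cmd="vssadmin Delete Shadows /all /quiet"',
    r'host=FS01 user=CORP\jdoe parent=C:\Windows\System32\cmd.exe cmd="wmic shadowcopy delete"',
    r'host=DC01 user=CORP\jdoe parent=C:\Windows\System32\cmd.exe cmd="bcdedit /set {default} recoveryenabled No"',
    r'host=DC01 user=CORP\jdoe parent=C:\Windows\System32\cmd.exe cmd="wbadmin delete catalog -quiet"',
    r'host=WS42 user=CORP\asmith parent="C:\Program Files\Backup\agent.exe" cmd="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
    r'host=WS42 user=CORP\asmith parent=C:\Windows\explorer.exe cmd="notepad.exe C:\Users\asmith\notes.txt"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def match_rules(cmd):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, pattern in RULES if pattern.search(cmd)]


def scan(lines):
    """One alert per (event, rule) hit, carrying the context an analyst needs."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in match_rules(ev.get("cmd", "")):
            alerts.append({"host": ev.get("host"), "user": ev.get("user"),
                           "parent": ev.get("parent"), "rule": rule, "cmd": ev["cmd"]})
    return alerts


def correlate(alerts, threshold=2):
    """A single hit may be an administrator doing housekeeping; several distinct
    techniques on one host is the pre-encryption pattern.
    Returns host -> 'critical' | 'suspicious'."""
    techniques = defaultdict(set)
    for alert in alerts:
        techniques[alert["host"]].add(alert["rule"])
    return {host: "critical" if len(seen) >= threshold else "suspicious"
            for host, seen in techniques.items()}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for alert in hits:
        print(f'{alert["host"]:5} {alert["rule"]:24} {alert["user"]:16} {alert["cmd"]}')
    print(correlate(hits))
```

On the sample data the benign `vssadmin list shadows` from the backup service account produces no alert, the single `resize shadowstorage` on WS42 is reported as suspicious, and FS01 and DC01, where two different techniques appear, are escalated. In production the `parent` field matters as much as the command: these utilities launched from `cmd.exe` under an ordinary user session, rather than from a backup agent, are the signal to isolate the host immediately.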

Recovering services and information after a ransomware event becomes a race against time as the victim tries to stop lateral movement, eradicate the ransomware, and resume business-critical activity. Because encrypting an entire estate takes time, attacks are frequently launched at night or over weekends, when the damage takes longer to notice. This compounds the difficulty of rapidly marshalling and coordinating a knowledgeable response team.

Progent offers a range of services for protecting businesses from ransomware. Among these are user education to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of SentinelOne's behavior-based endpoint protection to identify and block zero-day threats automatically. Progent also offers the assistance of expert ransomware recovery consultants with the track record and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Help
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys to decrypt all your data. Kaspersky Lab estimated that 17 percent of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms are typically several hundred thousand dollars, and for larger organizations can reach millions. The alternative is to rebuild the key components of your IT environment. Without usable backups, this requires a broad range of skills, well-coordinated project management, and the ability to work around the clock until recovery is complete.

For twenty years, Progent has provided certified expert IT services for companies across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned top certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have garnered internationally recognized industry certifications including CISM, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (See Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of experience lets Progent knowledgeably identify critical systems, salvage the surviving parts of your IT environment after a ransomware attack, and reassemble them into a working network.

Progent's security group uses modern project management tools to orchestrate the complex restoration process. Progent understands the urgency of working quickly, alongside the customer's management and IT staff, to prioritize tasks and bring critical services back online as fast as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Virus Restoration
A client engaged Progent after their organization was brought down by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because its code overlaps with the earlier Hermes ransomware, but subsequent analysis attributes it to a Russian-speaking criminal group; Ryuk operators typically gain initial access through an existing TrickBot or Emotet infection rather than through the leaked NSA exploits used by WannaCry. Ryuk targets specific organizations with little tolerance for downtime and is among the most lucrative ransomware families. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and Tribune Publishing, whose papers include the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had shut down all company operations and manufacturing. Most of the client's backups had been online when the intrusion began and were destroyed. The client was arranging financing to pay the ransom (in excess of $200K) and hoping for the best, but in the end brought in Progent.


"I can't thank you enough for the support Progent gave us throughout the most fearful time of (our) company's survival. We might have had to pay the criminal gangs if not for the confidence the Progent experts gave us. That you were able to get our e-mail and critical applications back online in less than a week was amazing. Every single person I talked with or communicated with at Progent was laser focused on getting us working again and was working at breakneck pace to bail us out."

Progent worked with the client to quickly identify and prioritize the mission-critical systems that had to be recovered before business functions could resume:

  • Active Directory (AD)
  • Microsoft Exchange
  • Accounting and manufacturing (ERP/MRP) software
To start, Progent followed incident-response best practice by containing the spread and cleaning infected systems before rebuilding anything. Progent then began recovering Active Directory, the foundation of enterprise networks built on Microsoft technology: Exchange will not run without AD, and the customer's MRP system used Microsoft SQL Server with Windows authentication, which depends on AD to authenticate users to the data.

Within two days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then helped reinstall and recover storage on mission-critical servers. The Exchange configuration and mailbox attributes, which live in Active Directory, were intact, which accelerated the rebuild of Exchange. Progent was able to harvest unencrypted OST files (Outlook offline folder files) from various workstations and laptops to recover mail messages. A reasonably recent offline backup of the accounting/ERP software allowed these essential services to be brought back into service. Although significant work remained to recover completely from the Ryuk attack, critical services were restored rapidly:
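The order above (AD first, then Exchange and SQL Server, then the applications on top of them) is one instance of a general rule: restore nothing before the services it depends on, and treat anything whose only backups were online as a rebuild rather than a restore. The Python below is an added example, not Progent's own planning tool: it takes a dependency map constructed from this case study (Exchange and SQL Server authenticate through AD, the ERP/MRP system sits on SQL Server, MailStore archives from Exchange, workstations need AD) and computes the waves in which services can be rebuilt in parallel, flagging cycles, which in a DR plan mean a manual bootstrap step is missing. Which services still had an offline backup is an assumption for the example.

```python
"""Order a rebuild so that no service is restored before what it depends on.

Added example, not Progent's own planning tool. The dependency map is
constructed from the case study; which services still had an offline
backup is an assumption made for illustration.
"""
from collections import defaultdict

# service -> services that must be up before it can be brought back (constructed)
DEPENDENCIES = {
    "active_directory": [],
    "exchange": ["active_directory"],
    "sql_server": ["active_directory"],
    "erp_mrp": ["sql_server"],
    "mailstore": ["active_directory", "exchange"],
    "internal_web": ["active_directory", "sql_server"],
    "workstations": ["active_directory"],
}

# Constructed: only the ERP data set and the web apps survived on offline media;
# everything else had online-only backups that the ransomware reached.
OFFLINE_BACKUP = {"erp_mrp": True, "internal_web": True}


def restore_waves(deps):
    """Kahn's algorithm, grouped into waves. Every service in a wave can be
    rebuilt in parallel once all earlier waves are up. A cycle means the plan
    has no valid starting point, so it is reported rather than silently
    dropping the services involved."""
    remaining = {svc: len(reqs) for svc, reqs in deps.items()}
    dependents = defaultdict(list)
    for svc, reqs in deps.items():
        for req in reqs:
            if req not in deps:
                raise KeyError(f"{svc} depends on undefined service {req}")
            dependents[req].append(svc)

    waves, placed = [], 0
    ready = sorted(svc for svc, n in remaining.items() if n == 0)
    while ready:
        waves.append(ready)
        placed += len(ready)
        unlocked = []
        for svc in ready:
            for dep in dependents[svc]:
                remaining[dep] -= 1
                if remaining[dep] == 0:
                    unlocked.append(dep)
        ready = sorted(unlocked)
    if placed != len(deps):
        stuck = sorted(svc for svc, n in remaining.items() if n > 0)
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return waves


def is_restorable(deps):
    """True when the dependency map has a valid restore order."""
    try:
        restore_waves(deps)
        return True
    except ValueError:
        return False


def plan(deps, offline_backup):
    """Tag each service with how it comes back: 'restore' from offline media,
    or 'rebuild' from scratch because every backup was online and encrypted."""
    return [[(svc, "restore" if offline_backup.get(svc) else "rebuild") for svc in wave]
            for wave in restore_waves(deps)]


if __name__ == "__main__":
    for n, wave in enumerate(plan(DEPENDENCIES, OFFLINE_BACKUP)):
        print(f"wave {n}: " + ", ".join(f"{svc} ({how})" for svc, how in wave))
```

Run as written, the plan puts Active Directory alone in wave 0 as a rebuild, Exchange, SQL Server and workstations in wave 1, and the ERP, web applications and mail archive in wave 2, with only the two services that had offline media marked as restores. The useful output for a recovery team is the set of services in each wave that must be rebuilt rather than restored, since those, not the restores, determine how long the wave takes.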


"For the most part, the assembly line operation survived unscathed and we produced all customer deliverables."

Over the following month, further milestones in the restoration were reached in close cooperation between Progent's team and the client:

  • Internal web applications were restored with no loss of information.
  • The MailStore email archive server, holding more than four million historical emails, was brought online and made available to users.
  • CRM, product ordering, invoicing, accounts payable (AP), accounts receivable (AR), and inventory functions were fully recovered.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Most user desktops and notebooks were back in operation.

"Much of what happened that first week is mostly a fog for me, but I will not soon forget the urgency each and every one of your team put in to give us our business back. I have utilized Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A likely company-ending disaster was averted through the efforts of hard-working professionals, a broad spectrum of knowledge, and close teamwork. In hindsight, the incident described here could have been stopped by modern security tooling, NIST Cybersecurity Framework best practices, user education, and properly executed procedures for protecting data (including backups kept offline or otherwise out of reach of a compromised network) and keeping systems patched. The reality remains that both state-sponsored actors and financially motivated criminal groups are tireless and are not going away. If you do fall victim to ransomware, remember that Progent's roster of professionals has extensive experience in ransomware defense, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were helping), thank you for letting me get rested after we made it through the most critical parts. Everyone did a fabulous job, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Baltimore a variety of remote monitoring and security evaluation services designed to help you minimize your exposure to ransomware. These services incorporate next-generation AI capability to uncover new variants of ransomware that can get past legacy signature-based security solutions.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the state of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your specified IT personnel and your Progent engineering consultant so that all looming issues can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Workstations
    ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-driven solution for monitoring and managing your network, server, and desktop devices by providing tools for streamlining common tedious tasks. These include health monitoring, update management, automated repairs, endpoint deployment, backup and recovery, A/V response, secure remote access, built-in and custom scripts, resource inventory, endpoint profile reporting, and troubleshooting help. If ProSight LAN Watch with NinjaOne RMM spots a serious incident, it transmits an alarm to your designated IT personnel and your Progent technical consultant so potential problems can be fixed before they impact your network. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring consulting.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map out, monitor, optimize and troubleshoot their networking appliances such as routers and switches, firewalls, and load balancers plus servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, captures and manages the configuration information of almost all devices on your network, monitors performance, and generates alerts when problems are detected. By automating tedious management and troubleshooting processes, WAN Watch can cut hours off ordinary chores such as network mapping, reconfiguring your network, locating devices that require important software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of real-time and in-depth reporting plug-ins designed to integrate with the industry's leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues like inconsistent support follow-up or machines with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup/restore software companies to create ProSight Data Protection Services, a portfolio of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup operations and enable transparent backup and fast recovery of vital files, apps, images, plus virtual machines. ProSight DPS lets your business protect against data loss caused by equipment breakdown, natural disasters, fire, cyber attacks like ransomware, human mistakes, ill-intentioned employees, or application bugs. Managed backup services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security companies to provide web-based management and comprehensive security for your email traffic. The architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway device to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and blocks most threats before they reach your security perimeter. This reduces your exposure to external threats and saves bandwidth and storage space. Email Guard's on-premises gateway device provides a further level of analysis for inbound email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also assist Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA services incorporate Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication. Duo supports one-tap identity confirmation with iOS, Android, and other out-of-band devices. With 2FA, whenever you sign into a protected account and give your password you are asked to confirm who you are via a device that only you possess and that is reached over a separate ("out-of-band") channel. A broad range of out-of-band devices can be used for this second factor, including an iPhone, Android phone or wearable, a hardware token, or a landline telephone. You may register multiple verification devices. For more information about Duo identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • Progent's Outsourced/Shared Help Desk: Call Center Managed Services
    Progent's Support Center managed services enable your information technology group to outsource Help Desk services to Progent or split activity for Service Desk support seamlessly between your internal network support resources and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a seamless extension of your internal network support resources. Client access to the Service Desk, provision of support, escalation, trouble ticket generation and tracking, efficiency metrics, and management of the service database are consistent regardless of whether issues are taken care of by your core support resources, by Progent, or both. Learn more about Progent's outsourced/shared Service Center services.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that uses behavior-based machine learning to guard endpoint devices and physical and virtual servers against new malware such as ransomware and the payloads delivered by email phishing, which routinely evade traditional signature-based AV tools. The service safeguards local and cloud-based resources and provides a single platform to address the complete attack progression: blocking, infiltration detection, containment, cleanup, and forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Because ransomware routinely deletes shadow copies before it starts encrypting, VSS-based rollback only helps when the agent also blocks that deletion. Read more about Progent's ransomware protection and cleanup services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and protect data related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL/TLS certificates or domain registrations. By keeping your IT documentation current, you can eliminate up to half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of any size a flexible and cost-effective solution for assessing, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving information system. Besides maximizing the protection and functionality of your IT network, Progent's software/firmware update management services allow your IT team to focus on line-of-business projects and activities that derive maximum business value from your network. Learn more about Progent's software/firmware update management services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be moved immediately to an alternate hosting environment without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses SentinelOne's next-generation behavioral machine-learning technology to guard physical and virtual endpoints against new malware attacks like ransomware and fileless exploits, which routinely evade traditional signature-based anti-virus tools. ProSight ASM safeguards local and cloud resources and provides a unified platform to automate the entire malware attack lifecycle including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer ultra-affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering through cutting-edge tools incorporated within a single agent managed from a unified control. Progent's security and virtualization experts can help your business to design and configure a ProSight ESP environment that meets your company's unique needs and that helps you achieve and demonstrate compliance with legal and industry information security regulations. Progent will assist you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent's consultants can also help your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.
For Baltimore 24-Hour Crypto Cleanup Consultants, contact Progent at 800-462-8800 or go to Contact Progent.