Crypto-Ransomware : Your Crippling IT Catastrophe
Crypto-Ransomware  Recovery ExpertsRansomware has become a too-frequent cyberplague that represents an enterprise-level threat for businesses of all sizes vulnerable to an attack. Versions of ransomware such as Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and still inflict damage. More recent versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, as well as additional as yet unnamed malware, not only encrypt online information but also infect all accessible system restores and backups. Data synched to cloud environments can also be corrupted. In a vulnerable system, this can render automatic recovery impossible and effectively sets the datacenter back to square one.

Restoring programs and information following a ransomware attack becomes a race against time as the victim struggles to stop lateral movement and eradicate the ransomware and to resume business-critical operations. Because crypto-ransomware requires time to move laterally, penetrations are often sprung at night, when successful penetrations may take longer to detect. This compounds the difficulty of quickly mobilizing and coordinating a capable response team.

Progent provides an assortment of support services for securing organizations from crypto-ransomware events. Among these are user education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of next-generation security gateways with AI technology from SentinelOne to identify and suppress new threats automatically. Progent in addition offers the assistance of experienced ransomware recovery engineers with the talent and perseverance to restore a compromised environment as urgently as possible.

Progent's Ransomware Restoration Services
Soon after a ransomware attack, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will provide the needed keys to unencrypt all your information. Kaspersky determined that seventeen percent of ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly above the average crypto-ransomware demands, which ZDNET averages to be in the range of $13,000. The fallback is to re-install the critical parts of your IT environment. Without access to essential information backups, this requires a broad complement of skill sets, professional team management, and the ability to work 24x7 until the task is completed.

For decades, Progent has offered professional Information Technology services for companies in Bellevue and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained advanced certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have earned internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise in accounting and ERP application software. This breadth of experience provides Progent the capability to knowledgably identify important systems and re-organize the surviving components of your IT system following a ransomware attack and configure them into a functioning system.

Progent's security team deploys state-of-the-art project management systems to coordinate the sophisticated restoration process. Progent understands the urgency of working quickly and together with a customer's management and IT staff to assign priority to tasks and to get key services back online as soon as humanly possible.

Customer Case Study: A Successful Ransomware Penetration Response
A customer hired Progent after their organization was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been created by Northern Korean government sponsored cybercriminals, suspected of using techniques exposed from the U.S. National Security Agency. Ryuk attacks specific businesses with little or no room for operational disruption and is one of the most lucrative examples of crypto-ransomware. Major targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company located in Chicago with about 500 workers. The Ryuk event had disabled all essential operations and manufacturing processes. Most of the client's data backups had been directly accessible at the start of the intrusion and were damaged. The client was pursuing financing for paying the ransom demand (exceeding $200,000) and hoping for good luck, but ultimately called Progent.


"I can't say enough about the care Progent provided us during the most fearful period of (our) company's existence. We had little choice but to pay the criminal gangs except for the confidence the Progent team provided us. That you could get our e-mail and production servers back on-line faster than one week was amazing. Every single expert I interacted with or communicated with at Progent was urgently focused on getting our company operational and was working non-stop to bail us out."

Progent worked hand in hand the client to rapidly determine and prioritize the mission critical systems that needed to be recovered in order to resume company operations:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To get going, Progent adhered to ransomware incident response industry best practices by halting the spread and clearing infected systems. Progent then started the work of recovering Windows Active Directory, the heart of enterprise systems built on Microsoft Windows technology. Exchange messaging will not work without Active Directory, and the businesses' financials and MRP system used SQL Server, which depends on Windows AD for access to the databases.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then initiated rebuilding and storage recovery of needed servers. All Exchange data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to find local OST files (Microsoft Outlook Offline Folder Files) on staff workstations in order to recover email messages. A not too old off-line backup of the businesses financials/MRP software made it possible to restore these essential applications back online for users. Although significant work needed to be completed to recover totally from the Ryuk damage, essential services were returned to operations quickly:


"For the most part, the production line operation was never shut down and we delivered all customer deliverables."

During the next month critical milestones in the recovery project were made in tight collaboration between Progent team members and the customer:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Microsoft Exchange Server exceeding 4 million archived emails was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control functions were 100% restored.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • 90% of the user workstations were operational.

"So much of what went on in the initial days is mostly a blur for me, but my management will not forget the urgency all of you accomplished to give us our business back. I have utilized Progent for at least 10 years, possibly more, and every time Progent has come through and delivered as promised. This time was a life saver."

Conclusion
A probable business-killing catastrophe was avoided with dedicated professionals, a broad array of IT skills, and close collaboration. Although in retrospect the ransomware virus penetration detailed here should have been blocked with advanced security technology solutions and recognized best practices, staff education, and well designed incident response procedures for data backup and applying software patches, the fact is that state-sponsored hackers from China, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has proven experience in crypto-ransomware virus blocking, cleanup, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for allowing me to get rested after we made it through the most critical parts. Everyone did an incredible job, and if anyone is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Bellevue a range of remote monitoring and security evaluation services to assist you to reduce your vulnerability to crypto-ransomware. These services include modern AI capability to uncover new strains of ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior-based analysis tools to defend physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which easily escape legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to manage the complete malware attack progression including filtering, infiltration detection, mitigation, remediation, and forensics. Key features include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP offers firewall protection, penetration alarms, device management, and web filtering via leading-edge technologies incorporated within one agent managed from a single console. Progent's security and virtualization experts can assist you to design and configure a ProSight ESP deployment that meets your company's unique requirements and that allows you prove compliance with legal and industry information protection standards. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate attention. Progent can also help you to install and verify a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup technology providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and track your backup operations and allow transparent backup and rapid recovery of important files, apps, system images, plus VMs. ProSight DPS helps you recover from data loss caused by hardware failures, natural calamities, fire, malware such as ransomware, user mistakes, malicious insiders, or software glitches. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security vendors to provide web-based management and world-class protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard combines cloud-based filtering with a local gateway appliance to provide complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. The cloud filter acts as a preliminary barricade and blocks most unwanted email from reaching your network firewall. This reduces your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway device provides a further level of analysis for inbound email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller organizations to diagram, monitor, optimize and debug their connectivity hardware such as routers, firewalls, and access points as well as servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are always current, copies and manages the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating time-consuming management activities, ProSight WAN Watch can knock hours off ordinary chores such as making network diagrams, reconfiguring your network, finding devices that require critical software patches, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management technology to keep your network running at peak levels by tracking the health of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT staff and your Progent consultant so that all potential issues can be addressed before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be ported easily to a different hardware solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect information related to your network infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By updating and managing your network documentation, you can eliminate as much as half of time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting edge behavior-based analysis tools to defend endpoints and physical and virtual servers against new malware attacks such as ransomware and email phishing, which routinely evade traditional signature-based AV tools. Progent Active Security Monitoring services protect local and cloud-based resources and provides a unified platform to manage the entire malware attack lifecycle including protection, detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Desk: Call Center Managed Services
    Progent's Call Center services allow your IT staff to outsource Help Desk services to Progent or divide activity for Help Desk services seamlessly between your in-house support team and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a seamless supplement to your corporate IT support team. Client access to the Service Desk, delivery of support, escalation, ticket creation and updates, performance metrics, and management of the service database are cohesive whether incidents are taken care of by your core network support resources, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer organizations of any size a versatile and affordable alternative for assessing, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving information network. Besides optimizing the security and reliability of your computer environment, Progent's patch management services permit your in-house IT staff to focus on line-of-business initiatives and activities that deliver maximum business value from your information network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to protect against password theft by using two-factor authentication. Duo enables single-tap identity confirmation with Apple iOS, Google Android, and other out-of-band devices. With 2FA, when you log into a protected online account and give your password you are asked to verify your identity on a unit that only you have and that is accessed using a different ("out-of-band") network channel. A wide selection of out-of-band devices can be utilized for this second means of authentication including a smartphone or wearable, a hardware/software token, a landline phone, etc. You can designate several verification devices. For more information about ProSight Duo identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of in-depth reporting plug-ins created to work with the leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues such as spotty support follow-through or machines with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24x7 Bellevue Ransomware Remediation Consulting, call Progent at 800-462-8800 or go to Contact Progent.