Crypto-Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become a too-frequent cyber pandemic that presents an extinction-level threat for businesses of all sizes that are poorly prepared for an attack. Ransomware families such as Dharma, CryptoWall, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been around for many years and continue to inflict havoc. Recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Egregor, plus frequent as-yet-unnamed variants, not only encrypt online files but also infiltrate any configured system backups. Files replicated to off-site disaster recovery sites can also be corrupted. In a poorly designed system, this can render any recovery useless and effectively knocks the entire environment back to zero.

Recovering services and information following a ransomware outage becomes a sprint against time as the targeted organization fights to stop the spread, remove the malware, and restore enterprise-critical operations. Since crypto-ransomware needs time to spread, attacks are frequently sprung on weekends, when intrusions are likely to take longer to uncover. This multiplies the difficulty of rapidly assembling and orchestrating a qualified mitigation team.

Progent offers a variety of solutions for securing organizations against ransomware intrusions. These include staff education to recognize and avoid phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security gateways with AI capabilities from SentinelOne to detect and suppress zero-day threats rapidly. Progent can also provide the assistance of seasoned crypto-ransomware recovery professionals with the track record and perseverance to restore a compromised network as urgently as possible.

Progent's Ransomware Restoration Support Services
Following a ransomware intrusion, paying the ransom demand in Bitcoin does not ensure that the cyber criminals will respond with the keys needed to decrypt all your data. Kaspersky found that 17% of ransomware victims never recovered their information even after paying the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to piece back together the key elements of your Information Technology environment. Without access to complete system backups, this requires a broad range of IT skills, well-coordinated team management, and the ability to work non-stop until the recovery project is over.

For two decades, Progent has offered certified expert IT services for companies in Birmingham and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded high-level certifications in key technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's security consultants have earned internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience affords Progent the skills to efficiently understand critical systems and consolidate the surviving pieces of your network environment following a crypto-ransomware attack and assemble them into a functioning network.

Progent's security team utilizes top-notch project management applications to coordinate the sophisticated restoration process. Progent appreciates the importance of working quickly and in unison with a client's management and IT resources to assign priority to tasks and to get key services back online as soon as humanly possible.

Customer Story: A Successful Ransomware Virus Restoration
A small business sought out Progent after their company was brought down by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean state-sponsored cybercriminals, possibly adopting algorithms leaked from America's National Security Agency. Ryuk seeks out specific companies with little room for operational disruption and is one of the most lucrative iterations of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in the Chicago metro area with around 500 staff members. The Ryuk intrusion had shut down all company operations and manufacturing capabilities. Most of the client's system backups had been directly accessible from the network at the beginning of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom demand (more than $200K) and hoping for the best, but in the end made the decision to use Progent.


"I can't tell you enough in regard to the help Progent gave us throughout the most fearful time of (our) business's survival. We would have had little choice but to pay the cybercriminals if it weren't for the confidence the Progent experts provided us. The fact that you could get our messaging and important applications back in less than one week was incredible. Every single expert I talked with or communicated with at Progent was laser focused on getting us operational and was working at breakneck pace to bail us out."

Progent worked with the client to rapidly determine and prioritize the mission critical areas that had to be addressed in order to restart business operations:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Financials/MRP

To get going, Progent followed incident response industry best practices by stopping lateral movement and removing active malware. Progent then began rebuilding Windows Active Directory, the foundational technology of enterprise networks built on Microsoft products. Microsoft Exchange Server messaging will not operate without AD, and the customer's MRP applications used Microsoft SQL Server, which needs Active Directory services for access to the database.

Within 48 hours, Progent was able to recover Active Directory to its pre-intrusion state. Progent then charged ahead with rebuilding critical systems and recovering data from their hard drives. All Exchange Server schema and configuration information was usable, which facilitated the rebuild of Exchange. Progent was able to collect non-encrypted OST data files (Microsoft Outlook Offline Folder Files) from various workstations and laptops to recover mail data. A fairly recent offline backup of the business's financials/ERP software made it possible to bring these essential programs back online. Although significant work remained to recover fully from the Ryuk attack, core systems were returned to operation rapidly:


"For the most part, the assembly line operation ran fairly normal throughout and we made all customer deliverables."
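The OST recovery step in the case study above (collecting unencrypted Outlook offline files from workstations) is the kind of task worth scripting during triage. The following is an added example, not Progent's code or part of the case study: it walks a directory tree, checks each candidate OST/PST file for the intact Unicode PST header magic `!BDN`, and uses a byte-entropy measure to separate files that were overwritten with ciphertext from files that are still usable for mail recovery. The profile path, the `.locked` extension and the sample files it builds under a temporary directory are constructed placeholders, not values from the incident.

```python
# Added example (not Progent's code): triage Outlook OST/PST files found on
# workstations after a ransomware incident, to decide which ones are still
# usable for mail recovery. Sample data below is constructed for the demo.
import math
import os
import tempfile
from pathlib import Path

# Unicode PST/OST files begin with the 4-byte magic "!BDN" (dwMagic 0x4E444221).
OST_MAGIC = b"!BDN"
SAMPLE_BYTES = 4096  # how much of each file to examine for the entropy check


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted/random data, low for sparse headers."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_ost(path: Path) -> dict:
    """Return a triage record for one candidate OST/PST file."""
    with path.open("rb") as f:
        head = f.read(SAMPLE_BYTES)
    magic_ok = head[:4] == OST_MAGIC
    entropy = shannon_entropy(head)
    # A renamed file (e.g. mail.ost.<extra extension>) usually means the ransomware
    # rewrote it; an intact magic means the original content is still there.
    renamed = path.suffix.lower() not in (".ost", ".pst")
    if magic_ok and not renamed:
        status = "intact"
    elif magic_ok:
        status = "intact-but-renamed"
    elif entropy > 7.0:
        status = "likely-encrypted"
    else:
        status = "header-damaged"
    return {
        "path": str(path),
        "size": path.stat().st_size,
        "magic_ok": magic_ok,
        "entropy": round(entropy, 2),
        "status": status,
    }


def scan_for_ost(root: Path) -> list:
    """Recursively find files whose name contains .ost/.pst and triage each one."""
    records = []
    for p in sorted(root.rglob("*")):
        name = p.name.lower()
        if p.is_file() and (".ost" in name or ".pst" in name):
            records.append(classify_ost(p))
    return records


def recoverable(records: list) -> list:
    """Paths worth copying to the recovery share (header magic intact)."""
    return [r["path"] for r in records if r["magic_ok"]]


def make_sample_tree() -> Path:
    """Constructed sample data for a stand-alone run: one healthy OST, one file
    overwritten with random bytes, and one renamed copy with an intact header.
    The profile path and the '.locked' extension are placeholders, not real IoCs."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    outlook = root / "Users" / "alice" / "AppData" / "Local" / "Microsoft" / "Outlook"
    outlook.mkdir(parents=True)
    (outlook / "alice@example.test.ost").write_bytes(OST_MAGIC + b"\x00" * (SAMPLE_BYTES - 4))
    (outlook / "archive.pst").write_bytes(os.urandom(SAMPLE_BYTES))  # simulates encrypted content
    (outlook / "old.ost.locked").write_bytes(OST_MAGIC + b"\x00" * 64)  # placeholder extension
    return root


if __name__ == "__main__":
    sample_root = make_sample_tree()
    results = scan_for_ost(sample_root)
    for rec in results:
        print(f"{rec['status']:20} entropy={rec['entropy']:5.2f} {rec['path']}")
    print("recoverable:", recoverable(results))
```

On a real engagement the root would be each workstation's user profile directory (or a mounted disk image), and the "intact-but-renamed" files are the ones to inspect by hand before trusting them; the entropy threshold of 7.0 bits per byte is a conventional cut-off for distinguishing ciphertext from structured file data, not a value taken from the page.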

Throughout the following couple of weeks, important milestones in the restoration process were completed through tight cooperation between Progent engineers and the customer:

  • Internal web sites were restored with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than four million historical messages was brought online and available for users.
  • CRM/Orders/Invoices/Accounts Payable/AR/Inventory modules were 100 percent recovered.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Ninety percent of the user PCs were fully operational.

"A huge amount of what went on those first few days is mostly a haze for me, but our team will not forget the countless hours all of you accomplished to help get our business back. I have trusted Progent for the past 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A possible enterprise-killing catastrophe was averted through the efforts of results-oriented experts, a broad spectrum of technical expertise, and close collaboration. Although in retrospect the ransomware attack detailed here could have been blocked with current security solutions and recognized best practices, staff education, properly executed information protection procedures, and proper patching controls, the fact remains that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and will keep attacking. If you do get hit by a ransomware incident, be confident that Progent's roster of experts has proven experience in ransomware blocking, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thanks very much for allowing me to get some sleep after we made it through the first week. Everyone did a fabulous job, and if any of your team is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Birmingham a portfolio of online monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services include modern machine learning technology to detect zero-day variants of ransomware that are able to escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to address the entire threat lifecycle including filtering, identification, mitigation, remediation, and forensics. Top features include one-click rollback with Windows VSS and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that addresses your company's unique needs and that allows you to prove compliance with legal and industry information security regulations. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent action. Progent's consultants can also help your company to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly after a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has worked with leading backup/restore software companies to create ProSight Data Protection Services (DPS), a selection of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and allow transparent backup and fast recovery of vital files/folders, applications, images, plus virtual machines. ProSight DPS lets you protect against data loss caused by equipment breakdown, natural calamities, fire, malware like ransomware, user mistakes, malicious insiders, or software glitches. Managed services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security vendors to provide web-based management and comprehensive protection for your email traffic. The hybrid structure of Email Guard integrates a Cloud Protection Layer with a local gateway device to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a further level of analysis for incoming email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map, track, optimize and troubleshoot their connectivity appliances such as routers, firewalls, and wireless controllers plus servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and displays the configuration of almost all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can cut hours off ordinary chores such as network mapping, reconfiguring your network, finding devices that require important updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to keep your IT system running efficiently by checking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your specified IT management staff and your Progent engineering consultant so that all potential problems can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a fast virtual host set up and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can eliminate as much as 50% of time spent looking for vital information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates cutting-edge behavior-based machine learning tools to guard endpoints, servers and VMs against new malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and provide a single platform to address the complete threat lifecycle including filtering, intrusion detection, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Call Center: Help Desk Managed Services
    Progent's Help Desk services allow your IT staff to offload Support Desk services to Progent or divide responsibilities for support services transparently between your internal network support resources and Progent's nationwide roster of IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a transparent extension of your internal IT support staff. Client interaction with the Help Desk, provision of support, issue escalation, ticket creation and updates, performance measurement, and management of the support database are cohesive whether issues are taken care of by your core network support organization, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of any size a versatile and cost-effective alternative for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your dynamic information system. Besides maximizing the protection and reliability of your computer environment, Progent's patch management services permit your in-house IT team to focus on line-of-business projects and activities that deliver the highest business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication service plans utilize Cisco's Duo technology to defend against password theft through the use of two-factor authentication (2FA). Duo supports one-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, when you log into a secured application and give your password, you are requested to confirm who you are on a device that only you possess and that uses a separate network channel. A wide selection of devices can be used as this added means of authentication, including an iPhone, Android phone or wearable, a hardware token, a landline phone, etc. You can register multiple verification devices. For more information about Duo two-factor identity validation services, go to Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of in-depth reporting plug-ins designed to integrate with the industry's top ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

For 24-7 Birmingham Crypto-Ransomware Remediation Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.