Crypto-Ransomware: Your Crippling IT Nightmare

Ransomware Recovery Experts
Ransomware has become a modern cyber pandemic that poses an extinction-level danger for businesses vulnerable to an assault. Different versions of crypto-ransomware such as CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for years and still inflict harm. Modern variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, as well as frequent unnamed viruses, not only encrypt on-line critical data but also infiltrate any accessible system restores and backups. Data replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed system, this can make any restore operation impossible, effectively knocking the datacenter back to zero.

Getting programs and data back on-line following a ransomware attack becomes a race against time as the targeted organization struggles to contain and remove the ransomware and to restore business-critical operations. Since ransomware needs time to replicate, assaults are usually sprung on weekends and holidays, when successful attacks typically take more time to uncover. This multiplies the difficulty of rapidly assembling and organizing an experienced mitigation team.

Progent offers a range of solutions for protecting enterprises from ransomware attacks. Among these are staff education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of next-generation security gateways with machine learning technology from SentinelOne to detect and suppress new threats intelligently. Progent also offers the services of experienced crypto-ransomware recovery consultants with the skills and perseverance to rebuild a breached environment as quickly as possible.

Progent's Ransomware Restoration Services
After a ransomware attack, sending the ransom in Bitcoin cryptocurrency does not guarantee that cyber criminals will return the keys needed to decipher any or all of your information. Kaspersky Labs ascertained that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in additional losses. Paying is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNet estimates at around $13,000. The alternative is to set up the vital parts of your IT environment from scratch. Without the availability of complete information backups, this calls for a broad complement of IT skills, well-coordinated team management, and the ability to work continuously until the job is over.

For twenty years, Progent has provided professional Information Technology services for businesses in Birmingham and across the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained top certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally-recognized certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience in financial systems and ERP applications. This breadth of experience affords Progent the capability to efficiently identify necessary systems and re-organize the remaining parts of your Information Technology system following a ransomware penetration and configure them into an operational system.

Progent's security team utilizes top notch project management tools to coordinate the complex restoration process. Progent knows the urgency of acting rapidly and in unison with a customer's management and Information Technology team members to assign priority to tasks and to get the most important services back on-line as fast as possible.

Case Study: A Successful Crypto-Ransomware Virus Restoration
A client escalated to Progent after their company was taken over by Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored cybercriminals, possibly using technology leaked from America's NSA. Ryuk seeks out specific organizations with limited ability to sustain operational disruption and is one of the most profitable iterations of ransomware viruses. Headline victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago with around 500 staff members. The Ryuk event had frozen all company operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network at the beginning of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for good luck, but ultimately made the decision to use Progent.

"I cannot speak enough about the care Progent gave us throughout the most stressful period of (our) business's existence. We may have had to pay the Hackers except for the confidence the Progent team provided us. That you could get our messaging and essential applications back quicker than 1 week was beyond my wildest dreams. Each person I interacted with or communicated with at Progent was amazingly focused on getting us operational and was working at breakneck pace on our behalf."

Progent worked together with the customer to quickly identify and assign priority to the mission critical services that had to be recovered in order to resume departmental functions:

  • Windows Active Directory
  • Exchange Server
  • MRP System

To get going, Progent adhered to ransomware incident response best practices by containing the spread and disinfecting systems. Progent then started the steps of rebuilding Active Directory, the key technology of enterprise systems built on Microsoft Windows Server. Microsoft Exchange email will not work without Active Directory, and the customer's MRP software utilized Microsoft SQL Server, which depends on Windows AD to authenticate access to the data.

In less than two days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then completed rebuilding and storage recovery of the most important systems. All Microsoft Exchange Server schema and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to locate non-encrypted OST files (Microsoft Outlook Off-Line Data Files) on user desktop computers in order to recover mail data. A recent offline backup of the business's financials/ERP software made it possible to bring these required services back to users. Although a lot of work was left to recover totally from the Ryuk virus, critical systems were restored quickly:

"For the most part, the production manufacturing operation never missed a beat and we made all customer shipments."
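The recovery sequence above (Active Directory first, then Exchange and SQL Server, then the MRP system on top of SQL Server, with only the ERP data coming from an offline backup) is a dependency ordering problem. The following added example, which is not Progent's tooling or anything from the original case study, shows how a recovery team can encode a service inventory and derive a restore order with a topological sort, treating any backup that was reachable from the network at the time of intrusion as lost. The service names, dependencies and backup states are a constructed inventory modelled on the text.

```python
"""Dependency-ordered ransomware recovery planner (added example, not Progent's own code)."""
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    depends_on: list = field(default_factory=list)
    # True only if a copy of this service's data sat on media that was NOT
    # reachable from the compromised network when the attack began.
    offline_backup: bool = False


def restore_order(services):
    """Return service names so that every dependency precedes its dependents.

    Kahn's algorithm; ties are broken alphabetically so the output is stable.
    Raises ValueError on a dependency cycle or a reference to an unknown service.
    """
    by_name = {s.name: s for s in services}
    indegree = {name: 0 for name in by_name}
    dependents = {name: [] for name in by_name}
    for s in services:
        for dep in s.depends_on:
            if dep not in by_name:
                raise ValueError(f"{s.name} depends on unknown service {dep!r}")
            indegree[s.name] += 1
            dependents[dep].append(s.name)
    ready = sorted(n for n, d in indegree.items() if d == 0)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
                ready.sort()
    if len(order) != len(by_name):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def recovery_plan(services):
    """Pair each service, in restore order, with the recovery path its backup state allows."""
    by_name = {s.name: s for s in services}
    plan = []
    for name in restore_order(services):
        if by_name[name].offline_backup:
            action = "restore from offline backup"
        else:
            # Network-reachable backups are assumed encrypted by the ransomware.
            action = "rebuild (online backups assumed encrypted)"
        plan.append((name, action))
    return plan


# Constructed inventory modelled on the case study: Exchange and SQL Server
# need Active Directory, the MRP system sits on SQL Server, and only the
# financials/ERP data had an offline backup.
CASE_STUDY = [
    Service("MRP system", depends_on=["SQL Server"], offline_backup=True),
    Service("Exchange Server", depends_on=["Active Directory"]),
    Service("SQL Server", depends_on=["Active Directory"]),
    Service("Internal web apps", depends_on=["Active Directory"]),
    Service("Active Directory"),
]

if __name__ == "__main__":
    for step, (name, action) in enumerate(recovery_plan(CASE_STUDY), 1):
        print(f"{step}. {name}: {action}")
```

Running the block prints Active Directory as step 1 and the MRP system last, matching the order the team followed; the cycle check matters in practice because real inventories often contain mutual dependencies (for example a monitoring server that authenticates against the directory it is supposed to watch) that have to be broken by hand before a restore can start.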

Throughout the following few weeks, important milestones in the restoration project were reached in tight collaboration between Progent consultants and the client:

  • Internal web applications were returned to operation with no loss of data.
  • The MailStore Exchange Server with over 4 million historical messages was spun up and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control functions were 100 percent operational.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • Most of the user workstations were back into operation.

"A lot of what was accomplished those first few days is mostly a blur for me, but we will not forget the care each and every one of you accomplished to give us our business back. I've been working together with Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This time was a stunning achievement."

Conclusion
A likely enterprise-killing disaster was dodged due to dedicated experts, a broad range of subject matter expertise, and close teamwork. Although forensics showed that the ransomware penetration described here could have been identified and prevented with current security solutions, recognized best practices, team training, and properly executed procedures for backup and patching, the reality is that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware incident, feel confident that Progent's team of experts has substantial experience in ransomware virus defense, cleanup, and data disaster recovery.

"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thank you for making it so I could get rested after we got past the most critical parts. Everyone did a fabulous effort, and if any of your team is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Birmingham a portfolio of remote monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services include modern machine learning technology to uncover new strains of ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting-edge behavior-based analysis tools to defend physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which easily get by traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a single platform to address the entire threat progression including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies incorporated within one agent accessible from a single console. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP deployment that addresses your company's unique needs and that allows you to prove compliance with legal and industry information security regulations. Progent will assist you in defining and implementing the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent's consultants can also help your company to set up and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with leading backup technology providers to produce ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services manage and track your backup processes and allow transparent backup and fast restoration of critical files, applications, images, and virtual machines. ProSight DPS helps you protect against data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks like ransomware, human mistakes, ill-intentioned employees, or application glitches. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top information security companies to provide centralized management and world-class security for all your email traffic. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway device to provide complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of threats from making it to your network firewall. This decreases your exposure to external attacks and saves system bandwidth and storage. Email Guard's on-premises gateway device adds a deeper level of analysis for inbound email. For outbound email, the local gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to map out, track, enhance and debug their networking hardware like routers, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are kept updated, copies and manages the configuration information of almost all devices connected to your network, monitors performance, and sends notices when issues are detected. By automating time-consuming management activities, WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, finding appliances that need important software patches, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the health of vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT management personnel and your Progent consultant so that all looming problems can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure fault-tolerant data center on a high-performance virtual host configured and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be ported easily to a different hardware solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and protect data about your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save up to 50% of the time thrown away searching for critical information about your network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that utilizes cutting-edge behavior-based machine learning tools to defend endpoint devices and physical and virtual servers against modern malware attacks like ransomware and file-less exploits, which routinely escape traditional signature-matching AV products. Progent's Active Security Monitoring services safeguard local and cloud resources and offer a single platform to automate the complete threat lifecycle including blocking, detection, mitigation, cleanup, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Call Center: Support Desk Managed Services
    Progent's Support Desk services permit your information technology staff to outsource Support Desk services to Progent or divide activity for Service Desk support seamlessly between your internal network support resources and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a smooth supplement to your internal support resources. End user interaction with the Help Desk, delivery of technical assistance, problem escalation, trouble ticket generation and tracking, efficiency measurement, and maintenance of the support database are cohesive whether incidents are resolved by your internal network support resources, by Progent, or a mix of the two. Learn more about Progent's outsourced/co-managed Service Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide businesses of all sizes a versatile and cost-effective alternative for assessing, validating, scheduling, applying, and documenting updates to your ever-evolving IT network. In addition to maximizing the security and functionality of your IT network, Progent's software/firmware update management services free up time for your in-house IT team to concentrate on more strategic initiatives and activities that deliver maximum business value from your network. Read more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA managed services incorporate Cisco's Duo technology to protect against password theft through the use of two-factor authentication (2FA). Duo enables single-tap identity verification on Apple iOS, Google Android, and other personal devices. With 2FA, whenever you log into a protected online account and give your password, you are asked to verify who you are via a device that only you possess and that uses a separate network channel. A wide range of out-of-band devices can be utilized for this added means of authentication, such as a smartphone or watch, a hardware token, or a landline telephone. You can register several validation devices. For details about ProSight Duo two-factor identity validation services, go to Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing suite of in-depth reporting plug-ins created to work with the industry's leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like spotty support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.

For Birmingham 24-7 Crypto-Ransomware Recovery Consulting, call Progent at 800-462-8800 or go to Contact Progent.