Crypto-Ransomware: Your Feared IT Disaster
Ransomware Remediation Professionals
Ransomware has become a too-frequent cyber pandemic that presents an extinction-level danger for organizations unprepared for an assault. Different iterations of ransomware such as Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for many years and still cause damage. More recent variants of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Nephilim, plus more unnamed viruses, not only encrypt on-line data files but also seek out and encrypt any configured system backup. Information replicated to the cloud can also be encrypted. In a poorly architected environment, this can render automated restoration useless and effectively knock the network back to zero.

Restoring applications and data following a crypto-ransomware outage becomes a sprint against the clock as the targeted organization struggles to contain the attack, clean up the infection, and restore enterprise-critical operations. Because ransomware needs time to spread, attacks are usually launched on weekends and holidays, when they typically take longer to uncover. This multiplies the difficulty of quickly marshalling and coordinating a knowledgeable response team.

Progent provides a variety of solutions for protecting enterprises from crypto-ransomware penetrations. These include staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security solutions with artificial intelligence capabilities from SentinelOne to identify and suppress zero-day cyber threats rapidly. Progent also offers the services of expert crypto-ransomware recovery consultants with the talent and perseverance to reconstruct a compromised environment as soon as possible.

Progent's Ransomware Restoration Help
After a crypto-ransomware invasion, even paying the ransom in cryptocurrency does not provide any assurance that the criminal gang will deliver the keys needed to decrypt all your data. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their data even after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms are commonly several hundred thousand dollars. For larger organizations, the ransom can reach millions. The alternative is to rebuild the essential elements of your Information Technology environment. Without complete data backups available, this calls for a broad range of skill sets, well-coordinated project management, and the ability to work non-stop until the recovery project is complete.

For two decades, Progent has offered professional IT services for businesses throughout the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally renowned certifications including CISM, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience in financial management and ERP application software. This breadth of experience gives Progent the ability to quickly understand important systems, consolidate the surviving pieces of your IT system after a crypto-ransomware attack, and configure them into a functioning system.

Progent's security team has powerful project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in unison with a customer's management and Information Technology team members to prioritize tasks and to get the most important services back on line as fast as possible.

Client Case Study: A Successful Crypto-Ransomware Attack Recovery
A client contacted Progent after their company was brought down by the Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored cybercriminals, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific businesses with little tolerance for disruption and is one of the most lucrative examples of ransomware viruses. Notable victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in Chicago with around 500 staff members. The Ryuk attack had brought down all company operations and manufacturing capabilities. Most of the client's backup data had been on-line at the time of the attack and was destroyed. The client was actively seeking loans to pay the ransom (more than $200,000) and praying for good luck, but in the end made the decision to use Progent.


"I cannot thank you enough for the support Progent gave us throughout the most critical period of (our) business's existence. We may have had to pay the hackers behind this attack if not for the confidence the Progent team gave us. The fact that you were able to get our e-mail and essential servers back into operation in less than 1 week was something I thought impossible. Each expert I talked with or e-mailed at Progent was absolutely committed to getting us operational and was working day and night to bail us out."

Progent worked with the customer to rapidly identify and prioritize the essential elements that needed to be addressed to make it possible to resume company operations:

  • Microsoft Active Directory
  • Exchange Server
  • Accounting/MRP

To start, Progent adhered to ransomware incident response industry best practices by isolating and clearing infected systems. Progent then started the process of recovering Microsoft AD, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange messaging will not work without Windows AD, and the customer's financials and MRP system used SQL Server, which relies on Active Directory for authenticated access to the databases.

In less than two days, Progent was able to restore Windows Active Directory to its pre-penetration state. Progent then initiated rebuilding and hard drive recovery on key systems. All Exchange schema and attributes were intact, which facilitated the restore of Exchange. Progent was able to locate local OST files (Outlook Offline Data Files) on various PCs and laptops to recover email data. A recent offline backup of the customer's manufacturing software made it possible to bring these essential services back on-line. Although significant work still had to be done to recover totally from the Ryuk virus, core systems were recovered quickly:


"For the most part, the production line operation survived unscathed and we made all customer shipments."

Over the following couple of weeks, critical milestones in the restoration project were reached through close collaboration between Progent engineers and the customer:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore Exchange Server with over four million archived emails was brought online and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory functions were fully restored.
  • A new Palo Alto Networks 850 firewall was set up.
  • Ninety percent of the user desktops and notebooks were operational.

"So much of what went on that first week is nearly entirely a blur for me, but we will not soon forget the commitment all of the team accomplished to help get our company back. I've utilized Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A possible business-ending catastrophe was averted thanks to hard-working experts, a broad range of subject matter expertise, and close collaboration. Although in retrospect the ransomware attack described here should have been blocked with modern cyber security technology and best practices, team education, and appropriate incident response procedures for data protection and applying software patches, the reality remains that state-sponsored hackers from Russia, China and elsewhere are relentless and will continue. If you do get hit by a ransomware incursion, remember that Progent's roster of experts has extensive experience in ransomware blocking, cleanup, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thank you for letting me get some sleep after we made it over the first week. Everyone did an amazing job, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Birmingham a range of remote monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services incorporate modern artificial intelligence capability to uncover zero-day variants of ransomware that can evade legacy signature-based anti-virus products.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by checking the health of vital assets that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your specified IT management personnel and your Progent consultant so that all looming problems can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight LAN Watch with NinjaOne RMM: Centralized RMM Solution for Networks, Servers, and Workstations
    ProSight LAN Watch with NinjaOne RMM software delivers a unified, cloud-based solution for monitoring and managing your client-server infrastructure by providing an environment for streamlining common tedious tasks. These include health checking, patch management, automated repairs, endpoint setup, backup and restore, anti-virus response, secure remote access, standard and custom scripts, asset inventory, endpoint status reporting, and debugging assistance. If ProSight LAN Watch with NinjaOne RMM spots a serious issue, it transmits an alarm to your designated IT personnel and your assigned Progent consultant so emerging issues can be taken care of before they impact productivity. Find out more details about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map, monitor, optimize and debug their connectivity hardware like switches, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are kept updated, captures and displays the configuration of virtually all devices on your network, monitors performance, and generates notices when potential issues are detected. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, locating appliances that require important updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding family of in-depth reporting utilities created to work with the top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as spotty support follow-through or machines with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup technology providers to create ProSight Data Protection Services, a selection of offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and enable non-disruptive backup and fast recovery of important files/folders, applications, system images, and VMs. ProSight DPS helps you recover from data loss caused by equipment failures, natural calamities, fire, malware such as ransomware, human error, ill-intentioned employees, or software bugs. Managed services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top information security companies to provide centralized control and comprehensive protection for all your email traffic. The hybrid structure of Email Guard integrates a Cloud Protection Layer with a local security gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of unwanted email from making it to your security perimeter. This reduces your vulnerability to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further level of inspection for incoming email. For outbound email, the local security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to monitor and protect internal email that stays inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo supports one-tap identity verification with iOS, Android, and other personal devices. Using Duo 2FA, when you sign into a protected application and give your password you are asked to confirm who you are via a device that only you have and that uses a separate network channel. A broad range of out-of-band devices can be utilized as this second form of authentication, such as an iPhone, Android or wearable device, a hardware token, or a landline telephone. You can designate multiple verification devices. For details about Duo two-factor identity authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services.

  • Outsourced/Co-managed Service Center: Call Center Managed Services
    Progent's Call Center services allow your information technology team to outsource Help Desk services to Progent or split activity for support services transparently between your internal network support group and Progent's extensive roster of IT support engineers and subject matter experts. Progent's Co-managed Service Desk provides a smooth supplement to your internal network support staff. Client interaction with the Service Desk, provision of support services, issue escalation, ticket generation and tracking, efficiency metrics, and maintenance of the service database are cohesive regardless of whether issues are taken care of by your core network support staff, by Progent, or by a combination. Read more about Progent's outsourced/co-managed Service Desk services.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates next-generation behavior-based machine learning tools to guard endpoint devices as well as servers and VMs against modern malware attacks like ransomware and email phishing, which easily evade traditional signature-matching anti-virus products. Progent ASM services protect on-premises and cloud-based resources and provide a single platform to manage the complete threat lifecycle including filtering, identification, mitigation, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and safeguard information related to your network infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can save as much as half of the time spent looking for vital information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents related to managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Read more about ProSight IT Asset Management service.

  • Patch Management: Patch Management Services
    Progent's support services for patch management offer organizations of all sizes a flexible and cost-effective solution for assessing, testing, scheduling, applying, and tracking software and firmware updates to your dynamic IT network. Besides maximizing the protection and functionality of your computer network, Progent's patch management services free up time for your IT staff to concentrate on more strategic projects and activities that deliver maximum business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported easily to a different hardware environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting edge behavior-based machine learning technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus tools. ProSight ASM protects local and cloud resources and provides a unified platform to address the complete threat lifecycle including filtering, identification, containment, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and response to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge tools packaged within a single agent and accessible from a single control panel. Progent's security and virtualization consultants can help your business to plan and configure a ProSight ESP environment that addresses your organization's specific needs and that helps you demonstrate compliance with legal and industry information protection regulations. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent action. Progent's consultants can also help your company to set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

For 24x7 Birmingham CryptoLocker Cleanup Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.