Crypto-Ransomware : Your Crippling Information Technology Nightmare
Crypto-Ransomware Remediation Consultants
Ransomware has become a modern cyberplague that represents an enterprise-level threat for businesses unprepared for an attack. Older ransomware families such as Dharma, CryptoWall, Locky, Syskey and MongoLock have circulated for many years and still inflict damage. Modern families such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, plus a steady stream of unnamed newcomers, not only encrypt live data but also delete shadow copies and system restore points and encrypt any backups they can reach. Files synchronized to the cloud can be overwritten with their encrypted copies. In a vulnerable environment, this makes automated recovery useless and effectively sets the entire organization back to square one.

Restoring applications and data after a ransomware event becomes a race against the clock as the targeted business fights to contain the incident, eradicate the ransomware, and resume business-critical operations. Because crypto-ransomware needs time to spread before encryption is triggered, attacks are usually launched on weekends and holidays, when they are likely to go undetected for longer. This compounds the difficulty of quickly marshalling and coordinating a qualified mitigation team.
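The two paragraphs above describe the behaviour a defender most wants to catch early: deletion of shadow copies, restore points and backup catalogs ahead of encryption, and attacks timed for weekends and holidays. The detection logic below is an added example, not Progent's ProSight tooling or any SentinelOne rule. It runs over a handful of constructed Windows process-creation events in an assumed pipe-delimited export format (timestamp|host|user|image|command_line), flags the well-known recovery-tampering commands that Ryuk and similar families issue, and escalates when several fire on one host within a few minutes or outside business hours.

```python
"""Flag recovery-tampering commands in Windows process-creation events.

Added example, not part of the original page. The log format is an assumed
pipe-delimited export of Sysmon Event ID 1 / Security 4688 data; the events
themselves are constructed for illustration.
"""
import re
from datetime import datetime

# Commands ransomware families (Ryuk among them) run to destroy local
# recovery points before encrypting. Case-insensitive, tolerant of the
# ".exe" suffix and of extra switches between the binary and the verb.
TAMPER_PATTERNS = {
    "vss_delete":       re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows", re.I),
    "vss_resize":       re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage", re.I),
    "wmic_shadow":      re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete", re.I),
    "bcdedit_recovery": re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "wbadmin_catalog":  re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I),
}

# Constructed sample events: timestamp|host|user|image|command_line.
# 2020-12-05 is a Saturday; 2020-12-07 is a Monday.
SAMPLE_EVENTS = """\
2020-12-05T02:14:09|FS01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2020-12-05T02:14:10|FS01|CORP\\svc_backup|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic.exe shadowcopy delete
2020-12-05T02:14:12|FS01|CORP\\svc_backup|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled No
2020-12-07T10:30:00|WS042|CORP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2020-12-07T10:31:00|WS042|CORP\\jdoe|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|"OUTLOOK.EXE"
"""


def parse_event(line):
    """Split one export line into a dict; the command line may itself contain '|'."""
    ts, host, user, image, cmd = line.split("|", 4)
    return {"time": datetime.fromisoformat(ts), "host": host,
            "user": user, "image": image, "cmd": cmd}


def is_off_hours(t, start_hour=7, end_hour=19):
    """Weekend, or outside the (assumed) 07:00-19:00 working day."""
    return t.weekday() >= 5 or not (start_hour <= t.hour < end_hour)


def match_rules(cmd):
    """Names of every tamper pattern the command line matches."""
    return [name for name, rx in TAMPER_PATTERNS.items() if rx.search(cmd)]


def scan(log_text):
    """Return one alert per event whose command line matches a tamper pattern."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        rules = match_rules(ev["cmd"])
        if rules:
            alerts.append({**ev, "rules": rules, "off_hours": is_off_hours(ev["time"])})
    return alerts


def summarize(alerts, window_seconds=300):
    """Roll alerts up per host. Several distinct tamper commands within a few
    minutes is the pre-encryption pattern; a lone vssadmin call may be an
    administrator doing maintenance, so it only rates medium."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    summary = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a["time"])
        span = (items[-1]["time"] - items[0]["time"]).total_seconds()
        rules = sorted({r for a in items for r in a["rules"]})
        burst = len(rules) >= 2 and span <= window_seconds
        summary[host] = {
            "rules": rules,
            "off_hours": any(a["off_hours"] for a in items),
            "severity": "high" if burst else "medium",
        }
    return summary


if __name__ == "__main__":
    for host, info in summarize(scan(SAMPLE_EVENTS)).items():
        print(host, info)
```

On the constructed sample, the three commands on FS01 fire three distinct rules within three seconds at 02:14 on a Saturday and roll up to a single high-severity alert for that host, while the administrator's read-only "vssadmin list shadows" on WS042 is ignored. Tuning the business-hours window and the burst window to the environment is the main knob; the pattern list is deliberately short and should be extended from the organization's own incident history.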

Progent has an assortment of support services for protecting organizations from ransomware attacks. Among these are team education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of the latest generation security solutions with machine learning technology from SentinelOne to identify and quarantine new cyber attacks automatically. Progent in addition offers the services of veteran ransomware recovery consultants with the skills and perseverance to restore a breached environment as quickly as possible.

Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom in cryptocurrency gives no assurance that the criminal gang will hand over the keys needed to decrypt any or all of your data. Kaspersky Lab found that 17% of ransomware victims who paid never recovered their data, compounding their losses. The gamble is also costly. Ryuk ransoms are typically several hundred thousand dollars, and for larger enterprises the demand can run into the millions. The alternative is to piece the key components of your IT environment back together. Without full system backups, this requires a wide range of IT skills, well-coordinated team management, and the capacity to work around the clock until the job is done.

For twenty years, Progent has provided expert Information Technology services for businesses across the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned top certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have garnered internationally-recognized certifications including CISA, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of experience gives Progent the capability to quickly identify critical systems and re-organize the surviving components of your network system following a ransomware attack and rebuild them into an operational network.

Progent's security team uses top notch project management tools to coordinate the complex restoration process. Progent knows the importance of working quickly and together with a customer's management and Information Technology team members to prioritize tasks and to put critical services back online as fast as humanly possible.

Client Case Study: A Successful Ransomware Incident Response
A business escalated to Progent after their company was penetrated by the Ryuk ransomware. Ryuk was initially linked to North Korea because it shares code with the earlier Hermes ransomware, but it is now generally attributed to a Russian-speaking criminal group (tracked as Wizard Spider) that delivers it through TrickBot infections. Ryuk targets specific businesses with limited tolerance for operational disruption and is among the most profitable examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune, whose printing operations were disrupted by the December 2018 attack on Tribune Publishing. Progent's client is a single-location manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk attack had disabled all essential business and manufacturing processes. Most of the client's backups were reachable from the compromised network at the time of the intrusion and were destroyed. The client was considering paying the ransom demand (more than $200K) and hoping for the best, but ultimately engaged Progent.


"I can't say enough in regards to the care Progent provided us during the most fearful period of (our) business's existence. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent team gave us. The fact that you were able to get our e-mail system and essential servers back online in less than seven days was something I thought impossible. Each consultant I worked with or e-mailed at Progent was amazingly focused on getting us working again and was working non-stop to bail us out."

Progent worked hand in hand the client to rapidly identify and prioritize the essential systems that needed to be restored to make it possible to resume departmental functions:

  • Windows Active Directory
  • E-Mail
  • Financials/MRP
Progent first followed industry best practices for incident response: isolating infected hosts to stop lateral movement and removing the malware from affected systems. Progent then began bringing Microsoft Active Directory back online, since it is the foundation of environments built on Windows Server. Exchange Server email will not operate without Active Directory, and the business's MRP applications ran on SQL Server, which relied on Active Directory for authentication and authorization to the data.
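The restore sequence just described (the directory first, then the email and database tiers that authenticate against it, then the line-of-business applications on top) generalizes to any environment: record what each service needs before it can start, and derive the order from that rather than improvising during the outage. The planner below is an added example, not Progent's methodology. Its dependency map is assumed from the case study narrative (Active Directory underpins Exchange and SQL Server; MRP and financials sit on SQL Server), and the MailStore and IntranetApps entries are guesses for illustration; in practice the map would come from the organization's own documentation.

```python
"""Derive a dependency-aware restore order for core services after a ransomware event.

Added example, not Progent's recovery process. DEPENDENCIES is an assumed map
built from the case study: Active Directory underpins Exchange and SQL Server,
and the MRP/financial applications sit on SQL Server. The MailStore and
IntranetApps entries are assumptions made for illustration.
"""

# service -> services it cannot run without
DEPENDENCIES = {
    "ActiveDirectory": set(),
    "Exchange": {"ActiveDirectory"},
    "SQLServer": {"ActiveDirectory"},
    "MRP": {"SQLServer"},
    "Financials": {"SQLServer"},
    "MailStore": {"ActiveDirectory"},                  # assumed: archive authenticates against AD
    "IntranetApps": {"ActiveDirectory", "SQLServer"},  # assumed
}


def restore_waves(deps):
    """Kahn's algorithm by layers: each wave lists services whose prerequisites
    are all in earlier waves, so members of one wave can be rebuilt in parallel.
    Raises ValueError on an undefined prerequisite or a dependency cycle; both
    mean the plan is wrong and should be fixed before an outage, not during one."""
    for svc, reqs in deps.items():
        unknown = reqs - set(deps)
        if unknown:
            raise ValueError(f"{svc} depends on undefined service(s): {sorted(unknown)}")
    remaining = {svc: set(reqs) for svc, reqs in deps.items()}
    waves = []
    while remaining:
        ready = sorted(svc for svc, reqs in remaining.items() if not reqs)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        waves.append(ready)
        for svc in ready:
            del remaining[svc]
        for reqs in remaining.values():
            reqs.difference_update(ready)
    return waves


def downstream(deps, service):
    """Everything that stays unusable while `service` is down (transitive dependents).
    This 'blast radius' is what justifies restoring the directory before anything else."""
    dependents = {svc: set() for svc in deps}
    for svc, reqs in deps.items():
        for req in reqs:
            dependents[req].add(svc)
    seen, stack = set(), [service]
    while stack:
        for nxt in dependents[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


if __name__ == "__main__":
    for i, wave in enumerate(restore_waves(DEPENDENCIES), 1):
        print(f"wave {i}: {', '.join(wave)}")
    print("blocked while AD is down:", sorted(downstream(DEPENDENCIES, "ActiveDirectory")))
```

With the assumed map the planner yields three waves: Active Directory alone; then Exchange, MailStore and SQL Server, which can be rebuilt concurrently once the directory answers; then the MRP, financial and intranet applications. The downstream check shows every other service blocked while the directory is down, which is the concrete form of the "foundation" argument made above.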

In less than two days, Progent rebuilt Active Directory to its pre-attack state. Progent then helped set up and recover the disks of the needed servers. The Exchange schema and configuration information in Active Directory were intact, which greatly simplified the Exchange rebuild. Progent collected intact OST files (Outlook offline data files) from staff workstations to recover mailbox contents. A recent off-line backup of the customer's accounting software made it possible to bring those essential services back to users. Although a large amount of work remained to recover completely from the Ryuk event, core systems were returned to operation rapidly:


"For the most part, the production manufacturing operation ran fairly normal throughout and we did not miss any customer sales."

Over the following few weeks critical milestones in the recovery process were achieved in tight collaboration between Progent consultants and the client:

  • Internal web applications were brought back up without losing any information.
  • The MailStore Server containing more than four million archived emails was brought back up and made available to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory Control functions were completely restored.
  • A new Palo Alto Networks PA-850 firewall was set up.
  • 90% of the desktop computers were back in use by staff.

"Much of what went on during the initial response is mostly a haze for me, but I will not soon forget the countless hours each member of the team put in to give us our company back. I have entrusted Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered. This time was a testament to your capabilities."

Conclusion
A probable company-ending catastrophe was avoided through the efforts of top-tier professionals, a broad spectrum of knowledge, and tight teamwork. In retrospect, the incident detailed here should have been stopped by modern security tooling, security best practices, user training, and well thought out incident response procedures covering offline backups and patch management. But ransomware operators, whether criminal gangs or state-sponsored groups in Russia, North Korea and elsewhere, are tireless and are not going away. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of professionals has proven experience in ransomware blocking, cleanup, and disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful for allowing me to get some sleep after we got through the initial fire. Everyone did an impressive job, and if any of your team is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Boise a range of remote monitoring and security evaluation services designed to help you reduce your exposure to crypto-ransomware. These services include next-generation machine learning technology to detect zero-day ransomware variants that can evade legacy signature-based security tools.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next generation behavior analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which easily get by legacy signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud resources and offers a unified platform to address the complete malware attack progression including blocking, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering through leading-edge tools incorporated within a single agent managed from a single control. Progent's data protection and virtualization experts can help you to design and implement a ProSight ESP environment that meets your company's unique needs and that helps you demonstrate compliance with legal and industry information security standards. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent's consultants can also help your company to set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore software providers to produce ProSight Data Protection Services, a family of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup processes and allow transparent backup and fast recovery of vital files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, human error, ill-intentioned employees, or software bugs. Managed services in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security companies to deliver web-based management and comprehensive protection for all your inbound and outbound email. The layered architecture of Email Guard integrates a Cloud Protection Layer with an on-premises gateway device to offer complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a deeper level of analysis for incoming email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Exchange Server to monitor and protect internal email traffic that stays within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map, monitor, enhance and troubleshoot their networking appliances like routers and switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are kept current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when problems are detected. By automating tedious network management processes, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, finding appliances that need important updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network operating at peak levels by tracking the state of vital assets that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT management personnel and your Progent consultant so all potential problems can be resolved before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported easily to a different hosting environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and protect information about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL/TLS certificates, domains or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as half of the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Learn more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting edge behavior-based machine learning technology to defend endpoints, servers and VMs against new malware attacks such as ransomware and file-less exploits, which easily get by traditional signature-matching AV products. The service protects on-premises and cloud resources and provides a unified platform to address the entire malware attack lifecycle including blocking, detection, mitigation, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Call Center: Help Desk Managed Services
    Progent's Help Desk services allow your information technology team to outsource Help Desk services to Progent or divide activity for support services seamlessly between your in-house support group and Progent's nationwide pool of IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless extension of your internal network support organization. Client access to the Service Desk, provision of support, problem escalation, ticket creation and tracking, performance measurement, and management of the service database are cohesive whether incidents are resolved by your internal support organization, by Progent, or both. Read more about Progent's outsourced/shared Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of any size a versatile and affordable solution for evaluating, validating, scheduling, implementing, and documenting updates to your ever-evolving IT network. In addition to optimizing the protection and reliability of your IT environment, Progent's patch management services permit your in-house IT staff to focus on line-of-business initiatives and activities that deliver maximum business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication. Duo enables one-tap identity confirmation with iOS, Android, and other out-of-band devices. With Duo 2FA, when you log into a secured online account and give your password you are asked to confirm your identity via a device that only you possess and that is reached over a different network channel. A wide selection of out-of-band devices can be used for this added form of identity validation, such as an iPhone, Android phone or wearable, a hardware or software token, or a landline telephone. You may designate multiple validation devices. For details about ProSight Duo identity validation services, see Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding family of real-time management reporting utilities created to work with the industry's leading ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For Boise 24-7 Ransomware Removal Services, reach out to Progent at 800-462-8800 or go to Contact Progent.