Crypto-Ransomware: Your Crippling Information Technology Nightmare
Ransomware Remediation Experts
Ransomware has become an all-too-frequent cyberplague that represents an extinction-level threat for any business, of any size, that is vulnerable to an attack. Ransomware families from early examples like Reveton and CryptoWall, through the self-propagating NotPetya and Bad Rabbit worms, to the MongoLock database-ransom campaigns have been circulating for years and continue to inflict havoc. Newer families like Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Nefilim, plus many less publicized strains, not only encrypt on-line data but also seek out and encrypt every backup reachable from the compromised network. Data replicated to off-site disaster recovery sites can be ransomed as well, because replication faithfully copies the encrypted files. With a vulnerable data protection design, this renders restore operations useless and effectively knocks the entire environment back to square one.

Recovering applications and information after a ransomware event becomes a race against the clock as the targeted organization struggles to contain the damage, clean up the crypto-ransomware, and restore business-critical activity. Because encrypting a large volume of data takes time, operators frequently trigger the encryption phase on weekends or holidays, when a successful intrusion typically takes longer to identify and response is slower. This compounds the difficulty of promptly assembling and coordinating an experienced mitigation team.

Progent offers an assortment of services for protecting businesses from ransomware events. Among these are staff education to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of SentinelOne's behavior-based, machine-learning endpoint protection to detect and contain new threats rapidly. Progent also offers the assistance of experienced ransomware recovery engineers with the skills and perseverance to rebuild a compromised network as quickly as possible.

Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware intrusion, even paying the ransom in cryptocurrency does not guarantee that the criminals will provide working keys to decrypt any or all of your information. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms commonly ranged from fifteen to forty BTC (between $120,000 and $400,000 at the time), well above the average ransomware demand, which ZDNet put at roughly $13,000. The alternative is to rebuild the vital parts of your IT environment. Without full, uncompromised backups, this requires a broad set of skills, first-rate project management, and the ability to work around the clock until the recovery is complete.

For decades, Progent has offered expert IT services for companies in Boise and across the U.S. and has earned Microsoft's Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC (refer to Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of experience gives Progent the skills to rapidly identify critical systems, organize the surviving pieces of your IT environment after a ransomware attack, and rebuild them into a functioning network.

Progent's security team uses state-of-the-art project management tools to coordinate the complex recovery process. Progent understands the importance of acting quickly and in concert with a client's management and IT staff to prioritize tasks and bring the most important services back on line as fast as possible.

Case Study: A Successful Ransomware Intrusion Recovery
A customer hired Progent after their network was taken down by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored hackers because it shares code with the earlier Hermes ransomware, but later analysis by security researchers attributes it to Russian-speaking criminal operators associated with the TrickBot botnet. Ryuk targets specific organizations with limited ability to tolerate disruption and is among the most lucrative ransomware families. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business located in the Chicago metro area with about 500 employees. The Ryuk intrusion had halted all business operations and manufacturing processes. Most of the client's backups had been on-line at the time of the attack and were encrypted along with the production data. The client was arranging financing to pay the ransom (over $200,000) and hoping for the best, but in the end brought in Progent.


"I cannot tell you enough regarding the expertise Progent gave us during the most stressful time of (our) company's existence. We may have had to pay the criminal gangs except for the confidence the Progent group afforded us. That you could get our e-mail and important servers back online in less than seven days was earth-shattering. Each person I interacted with or communicated with at Progent was laser-focused on getting my company operational and was working all day and night to bail us out."

Progent worked hand in hand with the customer to quickly identify and prioritize the critical systems that had to be restored before departmental operations could resume:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To start, Progent followed incident response best practices for malware outbreaks: isolating infected hosts to stop the spread, then cleaning them up. Progent then began recovering Active Directory, the foundation of any environment built on Microsoft Windows Server. Microsoft Exchange will not function without Active Directory, and the business's financial and MRP software ran on Microsoft SQL Server, which relied on Active Directory for Windows-integrated authentication to the data.

In less than two days, Progent restored Active Directory to its pre-attack state. Progent then completed operating system reinstallations and disk recovery on the essential servers. Because the recovered directory still held the Exchange-related objects and attributes, the Exchange rebuild was accelerated. Progent was also able to locate Outlook Offline Folder (OST) files on staff workstations and laptops and use these local mailbox caches to recover mail data that no longer existed on the server. A recent offline backup of the customer's financial/ERP systems made it possible to bring these vital services back on-line. Although a great deal of work remained to recover fully from the Ryuk attack, essential systems were returned to operation rapidly:


"For the most part, the production operation never missed a beat and we made all customer shipments."

Throughout the following couple of weeks key milestones in the recovery project were achieved through close collaboration between Progent engineers and the customer:

  • In-house web applications were brought back up with no loss of data.
  • The MailStore Exchange Server with over four million historical emails was brought on-line and accessible to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables/Inventory capabilities were completely functional.
  • A new Palo Alto Networks PA-850 security appliance was deployed.
  • Ninety percent of the desktops and laptops were functioning as before the incident.

"A huge amount of what happened in the initial days is nearly entirely a fog for me, but I will not soon forget the dedication each and every one of you put in to help get our company back. I have entrusted Progent for the past 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This time was a testament to your capabilities."

Conclusion
A potential business disaster was averted thanks to top-tier professionals, a broad spectrum of knowledge, and tight teamwork. In hindsight, the ransomware intrusion described here could have been stopped by up-to-date security tooling and best practices, staff education, sound incident response procedures for data protection, and timely security patching. The reality remains, however, that criminal and state-sponsored threat actors from Russia, North Korea and elsewhere are tireless and will keep attacking. If you do fall victim to a crypto-ransomware attack, be assured that Progent's roster of professionals has extensive experience in ransomware prevention, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), I'm grateful you let me get some rest after we made it through the most critical parts. All of you made an incredible effort, and if anyone who helped is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Boise a range of remote monitoring and security evaluation services designed to help you to reduce your vulnerability to crypto-ransomware. These services utilize next-generation AI technology to uncover zero-day strains of ransomware that are able to get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses SentinelOne's next-generation behavior-based machine learning technology to defend physical and virtual endpoints against new malware attacks such as ransomware and fileless exploits, which routinely evade legacy signature-matching anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a unified platform that covers the entire malware attack progression: prevention, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Because most ransomware families delete shadow copies before they begin encrypting, rollback depends on the agent blocking that deletion, so the agent must be deployed before an attack, not after. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
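To make concrete what "behavior-based" detection means in contrast to signature matching, here is an added example (not SentinelOne's or Progent's code) of a toy detector that scores three behaviors seen across many ransomware families: deletion of shadow copies, a burst of files renamed with a new extension, and writes of high-entropy (encrypted-looking) content. The telemetry format, the sample events and the thresholds are all constructed for this example; a real EPP agent consumes kernel-level file and process callbacks rather than a list of tuples.

```python
"""Toy behavior-based ransomware detector over constructed endpoint telemetry.

Added example, not vendor code. Event shape and thresholds are assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed telemetry: (timestamp_seconds, event_type, host, detail).
# "proc" detail is a command line, "rename" detail is "src -> dst",
# "write" detail is the bytes written.
SAMPLE_EVENTS = [
    (0.0, "proc", "ws01", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    (1.0, "proc", "ws01", "wmic shadowcopy delete"),
] + [
    # 60 spreadsheets renamed with an appended extension within three seconds
    (2.0 + i * 0.05, "rename", "ws01",
     f"C:\\Shares\\Finance\\doc{i}.xlsx -> C:\\Shares\\Finance\\doc{i}.xlsx.RYK")
    for i in range(60)
] + [
    (5.0, "write", "ws01", bytes(range(256)) * 4),      # uniform bytes: entropy 8.0
    (6.0, "rename", "ws02", "C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes.old"),
    (7.0, "write", "ws02", b"Quarterly report draft. " * 40),  # ordinary text
]

# Shadow-copy deletion commands commonly issued before encryption starts.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)
RENAME_BURST_WINDOW = 10.0   # seconds (assumed threshold)
RENAME_BURST_COUNT = 25      # renames to the same new extension (assumed threshold)
ENTROPY_THRESHOLD = 7.5      # bits per byte; encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given buffer; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect(events):
    """Return a list of (host, indicator, detail) alerts for the given events."""
    alerts = []
    # Sliding window of rename timestamps keyed by (host, appended extension).
    renames = defaultdict(list)
    for ts, kind, host, detail in sorted(events, key=lambda e: e[0]):
        if kind == "proc" and SHADOW_DELETE.search(detail):
            alerts.append((host, "shadow_copy_deletion", detail))
        elif kind == "write":
            ent = shannon_entropy(detail)
            if ent >= ENTROPY_THRESHOLD:
                alerts.append((host, "high_entropy_write", f"entropy={ent:.2f}"))
        elif kind == "rename":
            src, dst = (p.strip() for p in detail.split("->"))
            # Only count renames that keep the original name and append a suffix,
            # the pattern most encryptors leave behind (doc.xlsx -> doc.xlsx.RYK).
            if dst.startswith(src) and len(dst) > len(src):
                new_ext = dst[len(src):]
                window = renames[(host, new_ext)]
                window.append(ts)
                while window and ts - window[0] > RENAME_BURST_WINDOW:
                    window.pop(0)
                # Fire exactly once when the burst threshold is first reached.
                if len(window) == RENAME_BURST_COUNT:
                    alerts.append((host, "mass_rename",
                                   f"{RENAME_BURST_COUNT} files renamed to "
                                   f"*{new_ext} within {RENAME_BURST_WINDOW:.0f}s"))
    return alerts


if __name__ == "__main__":
    for host, indicator, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {indicator}: {detail}")
```

On the constructed input, ws01 produces two shadow-copy deletion alerts, one mass-rename alert and one high-entropy write alert, while the single benign rename and the plain-text write on ws02 produce nothing. None of these rules needs a hash or byte pattern of the ransomware binary, which is why a previously unseen strain still trips them; the price is tuning the thresholds so that legitimate bulk operations such as backup jobs or archive compression do not.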

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and respond to cyber attacks from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools incorporated in a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business design and configure a ProSight ESP deployment that meets your organization's specific needs and lets you demonstrate compliance with government and industry data protection regulations. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that call for urgent action. Progent's consultants can also help your company install and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with leading backup software vendors to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based managed services that deliver backup-as-a-service. ProSight DPS services manage and monitor your backup operations and enable transparent backup and fast recovery of important files, applications, images, and virtual machines. ProSight DPS helps your business avoid data loss caused by equipment failures, natural disasters, fire, cyber attacks like ransomware, human error, malicious insiders, or application bugs. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security vendors to deliver centralized control and comprehensive security for your inbound and outbound email. The layered architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to provide defense against spam, viruses and other email-borne malware, Denial of Service (DoS) attacks, and Directory Harvest Attacks (DHAs). The Cloud Protection Layer acts as the first line of defense and blocks most threats before they reach your security perimeter, which reduces your exposure to external threats and saves network bandwidth and storage. Email Guard's on-site security gateway appliance adds a deeper level of inspection for incoming email. For outgoing email, the local security gateway provides anti-virus and anti-spam filtering, data leakage protection (DLP), and email encryption. The on-premises security gateway can also integrate with Exchange Server to monitor and protect internal email that originates and terminates inside your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map out, monitor, enhance and troubleshoot their connectivity appliances such as switches, firewalls, and load balancers as well as servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are kept current, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and generates notices when problems are discovered. By automating complex management activities, WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, finding devices that need important software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by tracking the health of critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT staff and your assigned Progent engineering consultant so that any potential issues can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved easily to different hardware without a lengthy and technically risky reinstallation. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and safeguard information about your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains, or warranties. By updating and organizing your IT documentation, you can eliminate up to half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and correlating IT data. Whether you're making enhancements, doing routine maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that uses cutting-edge behavior-based machine learning to guard endpoints and physical and virtual servers against new malware attacks such as ransomware and email phishing payloads, which easily get past traditional signature-based AV products. The service protects local and cloud-based resources and provides a unified platform to manage the complete malware attack progression, including protection, intrusion detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Call Center: Support Desk Managed Services
    Progent's Call Center managed services enable your information technology team to offload Help Desk services to Progent or split activity for support services seamlessly between your in-house support team and Progent's extensive roster of IT support engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a transparent extension of your corporate network support resources. Client access to the Service Desk, delivery of support, problem escalation, trouble ticket creation and updates, efficiency measurement, and management of the support database are cohesive whether issues are taken care of by your core support group, by Progent, or a mix of the two. Find out more about Progent's outsourced/shared Help Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of all sizes a versatile and cost-effective alternative for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic IT network. Besides maximizing the security and functionality of your IT network, Progent's patch management services permit your IT team to concentrate on line-of-business projects and tasks that derive the highest business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA services use Cisco's Duo technology to defend against credential theft through two-factor authentication. Duo enables single-tap identity verification with iOS, Android, and other out-of-band devices. With Duo 2FA, when you sign in to a protected application and enter your password, you are asked to verify your identity on a device that only you possess and that is reached over a separate network channel. A wide selection of devices can serve as this second factor, including a smartphone or smartwatch, a hardware or software token, or a landline telephone, and you can enroll multiple verification devices. For details about ProSight Duo identity validation services, refer to Duo MFA two-factor authentication services.

For Boise 24x7x365 Crypto-Ransomware Repair Services, reach out to Progent at 800-462-8800 or go to Contact Progent.