Crypto-Ransomware : Your Worst IT Disaster
Ransomware has become an all-too-frequent cyber pandemic that poses an enterprise-level danger for organizations poorly prepared for an attack. Different iterations of ransomware such as CryptoLocker, WannaCry, Locky, SamSam and MongoLock cryptoworms have been out in the wild for years and continue to inflict destruction. The latest variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, along with frequent unnamed viruses, not only encrypt online information but also infiltrate most configured system restores and backups. Information synced to the cloud can also be rendered useless. In a poorly architected environment, this can make any restoration hopeless and effectively sets the datacenter back to zero.

Bringing programs and data back online following a ransomware attack becomes a race against the clock as the targeted organization tries its best to contain and eradicate the ransomware and to restore mission-critical activity. Because ransomware takes time to spread, attacks are frequently launched on weekends and holidays, when they may take longer to notice. This multiplies the difficulty of promptly marshalling and coordinating a knowledgeable response team.

Progent has a range of services for securing organizations from ransomware attacks. Among these are team education to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security solutions with machine learning technology from SentinelOne to detect and disable zero-day threats quickly. Progent can also provide the assistance of veteran ransomware recovery consultants with the talent and perseverance to re-deploy a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Recovery Services
Following a ransomware event, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that the attackers will respond with the keys needed to decrypt any or all of your data. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their information even after having sent off the ransom, resulting in further losses. The risk is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET averages to be around $13,000. The alternative is to set up the essential parts of your IT environment from scratch. Without complete system backups available, this calls for a broad complement of skill sets, top-notch project management, and the capability to work non-stop until the task is finished.

For decades, Progent has provided certified expert Information Technology services for businesses in Boise and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned top certifications in important technologies like Microsoft, Cisco, VMware, and major distros of Linux. Progent's security consultants have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience in financial systems and ERP applications. This breadth of experience gives Progent the capability to identify critical systems, integrate the remaining components of your Information Technology environment after a crypto-ransomware penetration, and assemble them into a functioning system.

Progent's security team uses best-of-breed project management applications to orchestrate the complicated restoration process. Progent understands the urgency of acting swiftly and in unison with a client's management and IT resources to prioritize tasks and to put essential applications back online as soon as possible.

Customer Story: A Successful Crypto-Ransomware Attack Recovery
A business contacted Progent after their company was brought down by the Ryuk ransomware virus. Ryuk is believed to have been deployed by North Korean government-sponsored cybercriminals, suspected of using techniques leaked from America's NSA. Ryuk targets specific organizations with little room for disruption and is among the most profitable incarnations of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in the Chicago metro area with around 500 employees. The Ryuk penetration had disabled all business operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were damaged. The client was preparing to pay the ransom demand (in excess of $200,000) and hoping for good luck, but ultimately called Progent.


"I can't tell you enough about the support Progent gave us throughout the most stressful period of (our) company's survival. We had little choice but to pay the cyber criminals if it wasn't for the confidence the Progent group provided us. The fact that you could get our messaging and production applications back online in less than one week was amazing. Every single consultant I worked with or e-mailed at Progent was absolutely committed to getting my company operational and was working at all hours on our behalf."

Progent worked hand in hand with the client to rapidly understand and prioritize the critical systems that needed to be addressed to make it possible to continue company operations:

  • Active Directory
  • Email
  • Accounting/MRP

To begin, Progent followed antivirus incident response best practices by isolating affected systems and cleaning them of malware. Progent then started the process of bringing Windows Active Directory back online, the heart of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not work without Active Directory, and the customer's MRP system used Microsoft SQL Server, which needs Active Directory services for access to the databases.

Within two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then helped perform setup and hard drive recovery of essential applications. All Exchange Server schema and configuration information were intact, which facilitated the restore of Exchange. Progent was able to collect local OST data files (Microsoft Outlook Offline Data Files) from user workstations and laptops in order to recover email messages. A recent offline backup of the customer's financials/ERP systems made it possible to bring these essential applications back into service. Although a large amount of work remained to recover fully from the Ryuk event, core systems were returned to operation rapidly:


"For the most part, the manufacturing operation showed little impact and we delivered all customer shipments."

Over the following few weeks, critical milestones in the recovery project were reached through tight collaboration between Progent engineers and the client:

  • In-house web applications were brought back up with no loss of information.
  • The MailStore archive server for Microsoft Exchange, holding over 4 million archived emails, was brought online and made available to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory capabilities were completely recovered.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Most desktop computers were back in use by staff.

"Much of what occurred in the early hours is mostly a fog for me, but I will not forget the countless hours each and every one of your team accomplished to give us our company back. I have entrusted Progent for the past ten years, maybe more, and each time Progent has come through and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A likely company-ending disaster was averted through the efforts of dedicated professionals, a wide range of knowledge, and close collaboration. In hindsight, the crypto-ransomware penetration described here should have been prevented with current cyber security technology and NIST Cybersecurity Framework best practices, team education, and well thought out incident response procedures for data backup and keeping systems up to date with security patches. The fact remains, however, that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware penetration, you can be confident that Progent's roster of experts has proven experience in ransomware virus defense, mitigation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were helping), thank you for letting me get rested after we made it past the initial push. Everyone did an amazing effort, and if any of your team is in the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Boise a variety of remote monitoring and security evaluation services to help you to reduce the threat from ransomware. These services utilize next-generation artificial intelligence technology to detect new variants of crypto-ransomware that are able to get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting edge behavior-based analysis technology to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which routinely evade traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to address the entire malware attack lifecycle including filtering, identification, mitigation, remediation, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device management, and web filtering through cutting-edge tools packaged within one agent managed from a single console. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP environment that meets your company's specific needs and that allows you to demonstrate compliance with government and industry information security regulations. Progent will help you specify and configure the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent can also assist your company to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with leading backup software companies to create ProSight Data Protection Services (DPS), a portfolio of management offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup processes and allow transparent backup and fast restoration of important files/folders, applications, images, and VMs. ProSight DPS lets you recover from data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks like ransomware, human mistakes, ill-intentioned insiders, or application glitches. Managed services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top information security vendors to provide web-based control and comprehensive protection for all your inbound and outbound email. The powerful structure of Email Guard combines cloud-based filtering with an on-premises gateway device to offer advanced defense against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a first line of defense and blocks the vast majority of threats from reaching your network firewall. This reduces your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper layer of inspection for inbound email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map, track, optimize and troubleshoot their networking appliances such as switches, firewalls, and wireless controllers plus servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are always current, captures and manages the configuration of almost all devices on your network, monitors performance, and generates notices when problems are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off common tasks such as network mapping, expanding your network, finding devices that need critical software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management technology to keep your IT system running at peak levels by tracking the state of the vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT management personnel and your assigned Progent engineering consultant so any looming issues can be resolved before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be ported easily to an alternate hosting environment without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and protect data related to your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be warned about impending expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can eliminate as much as half of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're making enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates next-generation behavior-based machine learning tools to guard endpoint devices and physical and virtual servers against new malware attacks like ransomware and file-less exploits, which easily escape legacy signature-matching AV tools. Progent Active Security Monitoring services safeguard local and cloud-based resources and offer a single platform to address the complete malware attack progression including filtering, infiltration detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Service Center: Call Center Managed Services
    Progent's Help Desk services enable your information technology staff to outsource Call Center services to Progent or divide support activity seamlessly between your in-house network support staff and Progent's nationwide pool of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a seamless extension of your core support team. Client interaction with the Help Desk, provision of support services, escalation, trouble ticket creation and updates, efficiency metrics, and maintenance of the support database are consistent regardless of whether incidents are resolved by your internal support resources, by Progent, or by a combination. Find out more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer organizations of any size a versatile and cost-effective alternative for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic IT system. In addition to optimizing the security and functionality of your IT environment, Progent's software/firmware update management services free up time for your in-house IT team to focus on line-of-business initiatives and activities that derive maximum business value from your information network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication (2FA). Duo supports one-tap identity confirmation with iOS, Android, and other personal devices. With 2FA, whenever you sign into a secured online account and give your password, you are asked to verify your identity via a device that only you have and that uses a separate network channel. A wide selection of devices can be used for this second means of ID validation, such as an iPhone, Android phone or wearable, a hardware/software token, a landline telephone, etc. You may register several verification devices. For details about Duo two-factor identity authentication services, visit Duo MFA two-factor authentication services.
For 24x7 Boise Crypto Cleanup Services, call Progent at 800-462-8800 or go to Contact Progent.