Crypto-Ransomware : Your Crippling IT Nightmare
Ransomware  Recovery ConsultantsRansomware has become an escalating cyber pandemic that presents an extinction-level threat for businesses of all sizes poorly prepared for an attack. Multiple generations of ransomware like the CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for years and continue to cause destruction. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as more as yet unnamed malware, not only encrypt on-line data files but also infect many configured system backup. Files replicated to cloud environments can also be rendered useless. In a poorly architected environment, this can render automatic restore operations useless and basically knocks the network back to zero.

Getting back online applications and information after a ransomware attack becomes a race against time as the victim fights to stop lateral movement and remove the ransomware and to restore mission-critical activity. Due to the fact that crypto-ransomware takes time to replicate, assaults are often launched on weekends, when successful attacks tend to take more time to recognize. This compounds the difficulty of quickly mobilizing and coordinating a qualified response team.

Progent makes available an assortment of solutions for protecting businesses from ransomware penetrations. These include staff training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of modern security solutions with machine learning capabilities from SentinelOne to identify and quarantine zero-day cyber threats quickly. Progent in addition offers the assistance of veteran crypto-ransomware recovery consultants with the skills and perseverance to restore a compromised system as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
Subsequent to a ransomware attack, sending the ransom in Bitcoin cryptocurrency does not ensure that cyber hackers will return the needed codes to unencrypt any of your files. Kaspersky ascertained that 17% of ransomware victims never recovered their data even after having paid the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the typical ransomware demands, which ZDNET estimates to be approximately $13,000. The alternative is to piece back together the mission-critical parts of your IT environment. Without the availability of essential information backups, this calls for a broad complement of IT skills, top notch team management, and the ability to work continuously until the task is complete.

For two decades, Progent has provided certified expert IT services for companies in Bristol and across the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's cybersecurity consultants have earned internationally-renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of experience provides Progent the capability to quickly understand critical systems and integrate the surviving parts of your computer network environment following a ransomware penetration and assemble them into a functioning system.

Progent's recovery team utilizes best of breed project management systems to coordinate the sophisticated restoration process. Progent knows the urgency of acting quickly and in unison with a customer�s management and IT team members to assign priority to tasks and to put the most important services back online as fast as possible.

Client Case Study: A Successful Ransomware Attack Response
A customer engaged Progent after their network system was attacked by the Ryuk ransomware virus. Ryuk is thought to have been created by Northern Korean state sponsored hackers, possibly using technology leaked from the U.S. National Security Agency. Ryuk seeks specific businesses with little ability to sustain operational disruption and is among the most profitable versions of ransomware malware. Major targets include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in Chicago and has about 500 staff members. The Ryuk event had shut down all business operations and manufacturing processes. Most of the client's backups had been on-line at the time of the intrusion and were eventually encrypted. The client was pursuing financing for paying the ransom demand (exceeding $200K) and praying for good luck, but in the end called Progent.


"I can�t thank you enough in regards to the expertise Progent provided us during the most stressful time of (our) businesses survival. We had little choice but to pay the cyber criminals if not for the confidence the Progent group gave us. The fact that you could get our e-mail and key servers back in less than a week was earth shattering. Every single staff member I worked with or communicated with at Progent was hell bent on getting our company operational and was working non-stop on our behalf."

Progent worked hand in hand the client to quickly determine and assign priority to the critical systems that had to be restored to make it possible to continue departmental operations:

  • Active Directory (AD)
  • Email
  • MRP System
To begin, Progent adhered to Anti-virus incident mitigation best practices by halting lateral movement and clearing up compromised systems. Progent then began the work of recovering Active Directory, the key technology of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange email will not function without Windows AD, and the customer�s accounting and MRP system utilized SQL Server, which requires Active Directory services for access to the information.

In less than two days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then helped perform reinstallations and storage recovery on essential applications. All Exchange ties and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Microsoft Outlook Off-Line Data Files) on user PCs to recover email information. A not too old offline backup of the customer�s accounting/MRP software made them able to return these essential programs back available to users. Although a large amount of work needed to be completed to recover completely from the Ryuk attack, critical services were restored rapidly:


"For the most part, the assembly line operation never missed a beat and we delivered all customer shipments."

During the following couple of weeks key milestones in the recovery project were accomplished in close cooperation between Progent team members and the customer:

  • In-house web applications were restored without losing any information.
  • The MailStore Microsoft Exchange Server with over 4 million archived messages was restored to operations and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory modules were fully recovered.
  • A new Palo Alto Networks 850 security appliance was set up and programmed.
  • Nearly all of the desktops and laptops were fully operational.

"A lot of what happened that first week is nearly entirely a haze for me, but we will not forget the commitment each of your team accomplished to give us our business back. I have trusted Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A probable business extinction disaster was evaded through the efforts of dedicated experts, a wide spectrum of subject matter expertise, and tight teamwork. Although in analyzing the event afterwards the ransomware attack detailed here should have been shut down with current security systems and NIST Cybersecurity Framework best practices, user and IT administrator education, and well thought out security procedures for data backup and applying software patches, the fact remains that government-sponsored cybercriminals from China, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware virus, remember that Progent's roster of professionals has extensive experience in ransomware virus defense, cleanup, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thanks very much for allowing me to get some sleep after we made it over the initial push. Everyone did an amazing effort, and if any of your team is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Bristol a portfolio of online monitoring and security evaluation services to assist you to minimize the threat from crypto-ransomware. These services include modern AI capability to uncover new variants of crypto-ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior analysis technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which routinely get by legacy signature-matching AV products. ProSight ASM safeguards local and cloud-based resources and offers a single platform to manage the entire malware attack lifecycle including protection, detection, containment, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Progent is a certified SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge tools incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP environment that addresses your organization's specific requirements and that allows you prove compliance with government and industry information protection standards. Progent will assist you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent can also help your company to install and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore technology companies to create ProSight Data Protection Services (DPS), a family of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup operations and allow non-disruptive backup and rapid recovery of important files, applications, images, and virtual machines. ProSight DPS helps your business protect against data loss caused by equipment breakdown, natural calamities, fire, malware such as ransomware, human error, malicious insiders, or application bugs. Managed backup services in the ProSight DPS product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can assist you to determine which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security companies to deliver centralized control and world-class security for all your email traffic. The powerful architecture of Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide advanced protection against spam, viruses, Dos Attacks, DHAs, and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a further layer of analysis for inbound email. For outgoing email, the onsite gateway offers AV and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Exchange Server to monitor and protect internal email traffic that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to map, track, optimize and debug their networking appliances like routers, firewalls, and access points as well as servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are kept updated, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when issues are discovered. By automating complex management and troubleshooting processes, WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, finding devices that require important updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progents server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system running at peak levels by tracking the state of critical assets that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your specified IT staff and your assigned Progent consultant so all potential issues can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hosting environment without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and safeguard information related to your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can save as much as half of time thrown away looking for vital information about your network. ProSight IT Asset Management features a common repository for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether youre planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes cutting edge behavior analysis technology to defend endpoints and physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-matching anti-virus tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and provides a single platform to automate the entire malware attack progression including protection, infiltration detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback with Windows VSS and automatic system-wide immunization against new threats. Read more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Call Desk: Help Desk Managed Services
    Progent's Help Desk services allow your information technology group to outsource Call Center services to Progent or split responsibilities for Service Desk support transparently between your internal network support staff and Progent's nationwide roster of IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a transparent supplement to your in-house IT support team. User interaction with the Help Desk, delivery of support, issue escalation, trouble ticket creation and tracking, efficiency measurement, and maintenance of the service database are cohesive whether issues are resolved by your core support group, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/co-managed Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of all sizes a versatile and cost-effective alternative for assessing, validating, scheduling, implementing, and documenting software and firmware updates to your dynamic information system. In addition to optimizing the protection and reliability of your IT environment, Progent's patch management services free up time for your IT team to concentrate on more strategic initiatives and tasks that deliver the highest business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo technology to protect against password theft through the use of two-factor authentication (2FA). Duo enables single-tap identity confirmation on iOS, Android, and other personal devices. Using 2FA, when you sign into a secured online account and enter your password you are requested to verify who you are on a device that only you possess and that uses a different ("out-of-band") network channel. A broad range of out-of-band devices can be utilized as this added means of ID validation including an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You can designate several validation devices. For more information about ProSight Duo identity validation services, go to Cisco Duo MFA two-factor authentication services.
For Bristol 24-7 CryptoLocker Removal Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.