Crypto-Ransomware : Your Worst Information Technology Nightmare
Crypto-ransomware has become a modern cyber plague that presents an extinction-level danger for businesses of all sizes vulnerable to an attack. Older versions of crypto-ransomware such as Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been replicating for a long time and still inflict havoc. Newer strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nephilim, along with frequent unnamed variants, not only encrypt online files but also encrypt any backups and other system protection they can reach. Data replicated to off-site disaster recovery sites can also be encrypted. In a poorly architected environment, this makes automated restoration useless and effectively sets the entire system back to square one.

Getting services and data back after a ransomware intrusion becomes a race against the clock as the victim struggles to stop the spread, remove the ransomware, and restore mission-critical operations. Because crypto-ransomware needs time to move laterally, attacks are usually launched on weekends and holidays, when they may take longer to notice. This multiplies the difficulty of promptly assembling and orchestrating a qualified response team.

Progent offers a range of services for protecting enterprises from ransomware events. These include team training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of next-generation security gateways with machine learning capabilities from SentinelOne to identify and stop zero-day cyber attacks automatically. Progent can also provide seasoned ransomware recovery engineers with the track record and perseverance to reconstruct a breached environment as rapidly as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a ransomware attack, even paying the ransom in cryptocurrency provides no assurance that the attackers will respond with the keys to decrypt any of your information. Kaspersky estimated that 17% of ransomware victims never recovered their information even after paying the ransom, resulting in additional losses. The ransom itself is also very costly. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000). This is significantly higher than typical ransomware demands, which ZDNet reports average around $13,000. The other path is to piece the vital elements of your IT environment back together. Without complete system backups, this requires a wide range of IT skills, professional project management, and the willingness to work non-stop until the recovery project is complete.

For decades, Progent has offered certified expert Information Technology services for companies in Bristol and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained advanced industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distros of Linux. Progent's cyber security specialists have earned internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial management and ERP applications. This breadth of expertise provides Progent the ability to rapidly identify necessary systems and re-organize the remaining parts of your computer network system following a crypto-ransomware event and configure them into a functioning network.

Progent's security group has powerful project management applications to coordinate the sophisticated restoration process. Progent appreciates the importance of working quickly and in unison with a customer's management and Information Technology resources to assign priority to tasks and to put essential services back on line as soon as possible.

Customer Story: A Successful Crypto-Ransomware Penetration Recovery
A business contacted Progent after its operations were brought down by Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored hackers, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies that have little or no tolerance for disruption and is one of the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in the Chicago metro area with around 500 employees. The Ryuk event had paralyzed all business operations and manufacturing processes. The majority of the client's backups had been online at the time of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom demand (exceeding $200,000) and hoping for good luck, but ultimately brought in Progent.


"I cannot thank you enough in regards to the help Progent provided us throughout the most fearful time of (our) company's survival. We may have had to pay the hackers behind this attack if not for the confidence the Progent experts gave us. The fact that you were able to get our messaging and critical servers back sooner than a week was incredible. Every single person I talked with or texted at Progent was absolutely committed to getting our company operational and was working non-stop on our behalf."

Progent worked with the customer to rapidly determine and prioritize the most important elements that needed to be recovered to make it possible to restart business functions:

  • Windows Active Directory
  • Exchange Server
  • Financials/MRP

To begin, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and cleaning up compromised systems. Progent then started the task of bringing Windows Active Directory back online, the heart of enterprise environments built on Microsoft technology. Exchange messaging will not operate without AD, and the customer's financials and MRP system ran on SQL Server, which depends on Windows AD for authentication to the database.

Within 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then carried out setup and storage recovery on the most important servers. All Exchange Server schema and configuration information was usable, which accelerated the restore of Exchange. Progent was able to collect non-encrypted OST files (Microsoft Outlook Offline Folder Files) from staff desktop computers in order to recover email data. A recent offline backup of the business's manufacturing software made it possible to bring these vital applications back online. Although major work remained to recover fully from the Ryuk virus, core systems were restored quickly:
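Harvesting desktop OST files is only useful if each file is still readable, and a ransomware-encrypted file is overwritten from its first byte, so the quickest triage is to look at the file header. The script below is an added example, not Progent's tooling or anything from the case study: it walks a directory tree (for example a mounted desktop drive), reads the first 4 KB of every .ost or .pst file, and classifies each as intact or encrypted/damaged. The header layout (dwMagic `!BDN` at offset 0, wMagicClient `SM`/`SO` at offset 8, wVer at offset 10) follows the public MS-PST format description; the version value 36 for newer OST files and the byte-entropy threshold are assumptions, and every sample file it writes is constructed.

```python
import math
import os
import random
import struct
import tempfile

# Added example, not Progent's tooling. Header offsets follow the public
# MS-PST description (dwMagic at 0, wMagicClient at 8, wVer at 10).
PFF_MAGIC = b"!BDN"                              # dwMagic, shared by PST and OST
CLIENT_MAGIC = {b"SM": "pst", b"SO": "ost"}      # wMagicClient
# wVer: 14/15 = ANSI, 23 = Unicode; 36 is seen in newer OST files (assumption)
KNOWN_VERSIONS = {14: "ansi", 15: "ansi", 23: "unicode", 36: "unicode-4k"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; values near 8.0 look encrypted or compressed."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_header(header: bytes) -> dict:
    """Classify the leading bytes of a candidate OST/PST file.

    'intact' means magic, client magic and version all check out;
    'encrypted-or-damaged' means the header no longer parses, which is what
    a ransomware-encrypted data file looks like (the cipher overwrites byte 0).
    """
    if len(header) < 12:
        return {"status": "too-short", "entropy": 0.0}
    info = {
        "magic_ok": header[:4] == PFF_MAGIC,
        "kind": CLIENT_MAGIC.get(header[8:10]),
        "version": struct.unpack_from("<H", header, 10)[0],
        "entropy": round(shannon_entropy(header), 2),
    }
    info["version_known"] = info["version"] in KNOWN_VERSIONS
    info["status"] = ("intact" if info["magic_ok"] and info["kind"] and info["version_known"]
                      else "encrypted-or-damaged")
    return info


def inspect_file(path: str, sample_bytes: int = 4096) -> dict:
    """Read only the first few KB: enough to decide, and cheap on a multi-GB OST."""
    with open(path, "rb") as f:
        info = inspect_header(f.read(sample_bytes))
    info["path"] = path
    info["size"] = os.path.getsize(path)
    return info


def scan_for_data_files(root: str, extensions=(".ost", ".pst")) -> list:
    """Walk a tree and triage every OST/PST found, in a stable order."""
    return [inspect_file(os.path.join(d, name))
            for d, _, files in os.walk(root)
            for name in sorted(files)
            if name.lower().endswith(extensions)]


# --- constructed samples for demonstration and testing -----------------------
def make_sample_pff(client: bytes = b"SO", unicode_fmt: bool = True, body_len: int = 4096) -> bytes:
    """Well-formed header (fake CRC, wVerClient 19) followed by a zeroed body."""
    ver = 23 if unicode_fmt else 15
    return (PFF_MAGIC + b"\x00\x00\x00\x00" + client + struct.pack("<H", ver)
            + b"\x13\x00" + b"\x00" * body_len)


def make_sample_encrypted(body_len: int = 4096, seed: int = 42) -> bytes:
    """Stand-in for a ransomware-encrypted file: random-looking from byte 0."""
    return random.Random(seed).randbytes(body_len)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        samples = [("alice.ost", make_sample_pff()),
                   ("bob.ost", make_sample_encrypted()),
                   ("archive.pst", make_sample_pff(client=b"SM", unicode_fmt=False))]
        for name, blob in samples:
            with open(os.path.join(root, name), "wb") as f:
                f.write(blob)
        for hit in scan_for_data_files(root):
            print(f"{hit['status']:22} entropy={hit['entropy']:<5} {hit['path']}")
```

Files reported as intact can be opened in Outlook or an archive importer; files reported as encrypted-or-damaged should be set aside rather than fed to mail tools, since a truncated or partially encrypted OST can still carry a valid header and only fail later in the import.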


"For the most part, the assembly line operation ran fairly normally throughout and we delivered all customer sales."

Over the next couple of weeks key milestones in the recovery process were accomplished in tight cooperation between Progent team members and the customer:

  • In-house web sites were brought back up without losing any data.
  • The MailStore archive of Exchange Server email, containing more than four million historical messages, was brought online and made accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory functions were 100 percent operational.
  • A new Palo Alto 850 firewall was set up.
  • Ninety percent of user desktops and notebooks were back in use by staff.

"So much of what went on those first few days is nearly entirely a fog for me, but my management will not forget the countless hours each and every one of the team put in to give us our company back. I have been working with Progent for the past ten years, possibly more, and each time Progent has shined and delivered. This situation was a stunning achievement."

Conclusion
A likely business-killing disaster was avoided thanks to hard-working experts, a wide array of IT skills, and tight collaboration. In hindsight, the crypto-ransomware penetration described here should have been identified and blocked by current security systems and recognized best practices: user and IT administrator training, and well-designed procedures for backup and software patching. The fact remains that government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware incident, be confident that Progent's roster of experts has substantial experience in crypto-ransomware blocking, mitigation, and information systems recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for allowing me to get some sleep after we made it through the most critical parts. All of you did a fabulous job, and if any of your team is in the Chicago area, dinner is on me!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Bristol a variety of online monitoring and security assessment services to help you to minimize the threat from ransomware. These services include modern AI capability to uncover new variants of crypto-ransomware that can escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next-generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to address the entire malware attack lifecycle including blocking, identification, mitigation, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services offer economical multi-layer protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering via cutting-edge technologies packaged within a single agent accessible from a unified console. Progent's data protection and virtualization experts can help you to design and configure a ProSight ESP environment that addresses your organization's specific requirements and that helps you prove compliance with government and industry data security standards. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent attention. Progent can also help you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with advanced backup/restore software providers to produce ProSight Data Protection Services, a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and allow transparent backup and fast recovery of important files/folders, apps, system images, plus virtual machines. ProSight DPS helps you avoid data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, user error, malicious employees, or application bugs. Managed backup services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading information security companies to deliver centralized control and world-class security for your inbound and outbound email. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway device to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based malware. The cloud filter serves as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This decreases your vulnerability to inbound attacks and saves system bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper layer of analysis for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map out, monitor, enhance and debug their connectivity hardware such as routers and switches, firewalls, and load balancers as well as servers, endpoints and other devices. Incorporating cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are kept current, copies and displays the configuration of almost all devices on your network, monitors performance, and sends notices when problems are discovered. By automating tedious network management activities, WAN Watch can knock hours off ordinary tasks like making network diagrams, expanding your network, finding appliances that require critical updates, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management technology to help keep your IT system running efficiently by checking the state of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT management staff and your Progent consultant so all looming problems can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported easily to an alternate hardware environment without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect information related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as half of the time wasted looking for vital information about your network. ProSight IT Asset Management includes a common repository for holding and sharing all documents related to managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based analysis technology to defend endpoint devices as well as physical and virtual servers against new malware attacks like ransomware and file-less exploits, which easily escape traditional signature-matching AV tools. Progent Active Security Monitoring services protect local and cloud resources and provide a unified platform to address the complete threat lifecycle including filtering, identification, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Center: Help Desk Managed Services
    Progent's Call Desk managed services enable your information technology staff to offload Help Desk services to Progent or divide activity for Service Desk support transparently between your in-house support group and Progent's extensive pool of IT service engineers and subject matter experts. Progent's Shared Service Desk provides a seamless supplement to your internal network support resources. Client access to the Service Desk, delivery of technical assistance, problem escalation, trouble ticket creation and updates, efficiency metrics, and maintenance of the service database are consistent whether issues are resolved by your core IT support group, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/co-managed Help Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a flexible and cost-effective alternative for assessing, testing, scheduling, applying, and tracking software and firmware updates to your dynamic information system. Besides optimizing the protection and functionality of your IT environment, Progent's software/firmware update management services allow your in-house IT staff to concentrate on more strategic initiatives and tasks that deliver the highest business value from your information network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo supports single-tap identity verification with Apple iOS, Google Android, and other personal devices. With Duo 2FA, whenever you sign into a secured online account and give your password you are asked to confirm who you are on a device that only you possess and that is accessed using a separate network channel. A broad selection of devices can be used as this second form of authentication including a smartphone or watch, a hardware token, a landline phone, etc. You may register several verification devices. For details about ProSight Duo two-factor identity authentication services, visit Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of real-time reporting plug-ins designed to integrate with the top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues such as inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For Bristol 24/7 Ransomware Repair Experts, call Progent at 800-462-8800 or go to Contact Progent.