Crypto-Ransomware : Your Worst IT Nightmare
Crypto-Ransomware Recovery Professionals

Crypto-ransomware has become an escalating cyber plague that poses an extinction-level danger to businesses of any size that are unprepared for an attack. Strains such as Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock have been circulating for years and continue to inflict harm. More recent strains like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch and Egregor, along with daily unnamed variants, not only encrypt online data but also compromise many of the system protection mechanisms they can reach. Data synced to cloud environments can be corrupted as well. In a vulnerable environment, this can render automated restoration useless and effectively set the entire system back to zero.

Retrieving applications and information following a ransomware event becomes a race against the clock as the targeted organization struggles to contain the damage, clear the ransomware, and restore business-critical activity. Because crypto-ransomware needs time to spread, attacks are usually launched on weekends and holidays, when a successful penetration is likely to go unnoticed for longer. This multiplies the difficulty of quickly assembling and organizing a knowledgeable response team.

Progent offers a variety of services for securing organizations against ransomware penetrations. These include staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of AI-capable security appliances from SentinelOne to identify and disable zero-day cyber threats quickly. Progent also offers the assistance of expert ransomware recovery engineers with the talent and perseverance to redeploy a compromised network as quickly as possible.

Progent's Ransomware Restoration Services
Following a ransomware attack, paying the ransom demand in Bitcoin cryptocurrency provides no assurance that the cyber criminals will return the keys needed to decrypt any or all of your data. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their files even after paying the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET averages to be in the range of $13,000. The other path is to reinstall the essential parts of your Information Technology environment. Absent access to complete data backups, this calls for a broad range of skill sets, professional team management, and the willingness to work 24x7 until the job is over.

For decades, Progent has provided professional IT services to businesses in Broomfield and across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned top industry certifications in key technologies like Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity consultants have earned internationally renowned certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial systems and ERP software solutions. This breadth of experience gives Progent the capability to quickly identify critical systems, integrate the surviving components of your network environment after a crypto-ransomware attack, and rebuild them into a functioning network.

Progent's security group deploys top-notch project management systems to coordinate the complex recovery process. Progent understands the urgency of working swiftly and together with a customer's management and IT resources to prioritize tasks and to put critical systems back online as fast as humanly possible.

Business Case Study: A Successful Ransomware Penetration Response
A business engaged Progent after their network was taken over by the Ryuk ransomware virus. Ryuk is generally considered to have been created by North Korean state cybercriminals, suspected of using techniques leaked from the United States NSA. Ryuk targets specific companies with little or no tolerance for operational disruption and is among the most lucrative iterations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in Chicago with around 500 staff members. The Ryuk attack had frozen all essential business operations and manufacturing processes. Most of the client's backups were online at the start of the attack and were encrypted. The client considered paying the ransom (exceeding two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.


"I can't thank you enough in regards to the expertise Progent provided us throughout the most stressful period of (our) company's survival. We may have had to pay the hackers behind this attack if it wasn't for the confidence the Progent experts provided us. That you were able to get our e-mail system and critical applications back on-line sooner than seven days was amazing. Each expert I interacted with or communicated with at Progent was urgently focused on getting our system up and was working at breakneck pace to bail us out."

Progent worked hand in hand with the customer to quickly understand and prioritize the critical applications that had to be restored to make it possible to continue company functions:

  • Active Directory (AD)
  • E-Mail
  • Accounting and Manufacturing Software

To begin, Progent followed ransomware incident response industry best practices by stopping lateral movement and cleaning up compromised systems. Progent then initiated the process of bringing Microsoft Active Directory back online, the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange messaging will not function without Windows AD, and the business's accounting and MRP system used SQL Server, which relies on Windows AD to authenticate and authorize access to its databases.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then completed the rebuild and storage recovery of key servers. All Microsoft Exchange Server ties and attributes in Active Directory were intact, which greatly helped the restore of Exchange. Progent was also able to collect intact OST files (Outlook Offline Data Files) from staff desktop computers and laptops in order to recover mail data. A relatively recent offline backup of the client's accounting/ERP software made it possible to bring these essential applications back online for users. Although a lot of work still had to be done to recover completely from the Ryuk event, the most important systems were recovered rapidly:


"For the most part, the manufacturing operation did not miss a beat and we produced all customer orders."

Over the following couple of weeks important milestones in the recovery project were completed in tight cooperation between Progent consultants and the client:

  • Self-hosted web sites were restored with no loss of information.
  • The MailStore Microsoft Exchange Server with over 4 million archived emails was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory capabilities were 100% operational.
  • A new Palo Alto 850 firewall was set up.
  • Ninety percent of the desktops and laptops were back in use by staff.

"A lot of what occurred those first few days is mostly a fog for me, but my team will not soon forget the urgency each of the team accomplished to help get our business back. I've trusted Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered. This situation was a stunning achievement."

Conclusion
A likely business disaster was avoided thanks to hard-working professionals, a broad spectrum of knowledge, and tight collaboration. Although, in post-mortem, the crypto-ransomware attack detailed here should have been identified and prevented with modern security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, and properly executed security procedures for data backup and software patching, the reality remains that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of professionals has extensive experience in ransomware virus defense, removal, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), I'm grateful for making it so I could get some sleep after we got over the initial push. All of you did a fabulous job, and if any of you guys are around the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Broomfield a portfolio of online monitoring and security evaluation services to help you minimize your vulnerability to ransomware. These services utilize modern AI capabilities to detect new strains of ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior analysis technology to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a unified platform to manage the complete malware attack lifecycle including filtering, infiltration detection, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer ultra-affordable multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning to continuously monitor and respond to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge tools packaged within one agent managed from a single console. Progent's data protection and virtualization experts can help you design and implement a ProSight ESP deployment that meets your organization's specific requirements and that allows you to prove compliance with legal and industry data security standards. Progent will help you define and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent's consultants can also assist you to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has worked with advanced backup/restore software providers to create ProSight Data Protection Services (DPS), a selection of offerings that provide backup-as-a-service. ProSight DPS services manage and monitor your backup operations and allow transparent backup and fast restoration of vital files, applications, system images, and VMs. ProSight DPS helps your business recover from data loss resulting from equipment failures, natural disasters, fire, malware such as ransomware, user error, malicious insiders, or application bugs. Managed backup services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you identify which of these fully managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top data security vendors to provide web-based management and comprehensive protection for all your email traffic. The hybrid architecture of Email Guard combines a Cloud Protection Layer with a local security gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter serves as a first line of defense and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to external threats and conserves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper level of analysis for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The local gateway can also help Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to diagram, track, reconfigure and troubleshoot their connectivity hardware like switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept current, copies and manages the configuration of virtually all devices on your network, tracks performance, and generates notices when potential issues are detected. By automating time-consuming network management activities, ProSight WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, finding appliances that require critical software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to help keep your IT system operating efficiently by checking the health of the critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your specified IT personnel and your assigned Progent consultant so that any looming issues can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hardware solution without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect data about your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domain registrations. By updating and managing your IT documentation, you can save as much as 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require when you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates next-generation behavior-based machine learning technology to defend endpoint devices as well as physical and virtual servers against new malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-matching AV products. Progent Active Security Monitoring services safeguard local and cloud-based resources and offer a unified platform to automate the complete threat lifecycle including blocking, infiltration detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Center: Call Center Managed Services
    Progent's Help Center services allow your information technology team to offload Help Desk services to Progent or split activity for Help Desk services seamlessly between your internal network support resources and Progent's extensive roster of IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a transparent extension of your in-house support group. Client interaction with the Service Desk, provision of support, issue escalation, trouble ticket creation and tracking, performance measurement, and management of the support database are cohesive regardless of whether issues are taken care of by your core support resources, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/co-managed Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide businesses of any size a versatile and affordable solution for evaluating, validating, scheduling, implementing, and documenting updates to your dynamic information system. In addition to optimizing the security and functionality of your IT network, Progent's patch management services allow your in-house IT team to concentrate on line-of-business projects and activities that derive the highest business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication services utilize Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication (2FA). Duo enables one-tap identity confirmation with iOS, Google Android, and other personal devices. Using Duo 2FA, when you sign into a secured online account and enter your password, you are asked to confirm who you are via a device that only you possess and that is accessed over a separate network channel. A broad selection of out-of-band devices can be utilized for this second form of authentication, including a smartphone or wearable, a hardware/software token, a landline phone, etc. You can designate several validation devices. To find out more about Duo two-factor identity authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of in-depth management reporting utilities created to work with the leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.

For 24/7 Broomfield Crypto Remediation Services, call Progent at 800-462-8800 or go to Contact Progent.