Crypto-Ransomware: Your Crippling Information Technology Disaster
Ransomware has become an all-too-frequent threat that presents an enterprise-level danger to businesses of every size that are unprepared for an attack. Older families such as Reveton, CryptoWall, Locky, SamSam and MongoLock have been around for years and continue to inflict damage. More recent crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with as-yet-unnamed newcomers, not only encrypts on-line data but also seeks out and destroys any recovery mechanism it can reach: volume shadow copies, backup catalogs, and backup repositories that are mounted or otherwise reachable from a compromised account. Data synced to cloud storage can be encrypted in place and the encrypted copy then propagated to the cloud. In a poorly designed system this renders recovery impossible and effectively sets the datacenter back to square one.

Recovering programs and data after a ransomware outage becomes a race against the clock as the targeted business works to stop lateral movement, remove the crypto-ransomware, and restore mission-critical operations. Attackers typically detonate the encryption stage at night or on weekends, after the malware has had time to spread through the network, because intrusions at those hours take longer to notice. This multiplies the difficulty of promptly assembling and coordinating a qualified response team.
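Because the encryption stage is usually launched when nobody is watching, the preparatory commands ransomware runs first are the signal a monitoring system has to catch on its own. Ryuk and its relatives delete volume shadow copies, wipe the Windows backup catalog and disable startup recovery (MITRE ATT&CK T1490) seconds before encrypting, and those commands have almost no legitimate use at 2 a.m. The following detection logic is an added example written for this page, not Progent's or SentinelOne's tooling; it runs over constructed process-creation events whose field names are an assumption about a SIEM's JSON export of Sysmon Event ID 1 / Security Event ID 4688 records, and ranks the hosts that should be cut off the network first.

```python
"""Flag hosts whose process-creation telemetry shows the recovery-inhibition
commands (MITRE ATT&CK T1490) that ransomware such as Ryuk runs before it
starts encrypting: shadow-copy deletion, backup-catalog deletion and
disabling of Windows startup recovery.

Example code written for this page; it is not Progent's tooling, and the
event field names are assumptions about a SIEM's JSON export of
Sysmon Event ID 1 / Security Event ID 4688 records."""
import json
import re
from collections import defaultdict

# Patterns are matched against the lower-cased command line. They deliberately
# do not match read-only variants such as "vssadmin list shadows" or
# "bcdedit /enum", which administrators run legitimately.
RECOVERY_INHIBITION_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    "vssadmin_resize_shadowstorage": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b"),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b"),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    "powershell_shadowcopy_delete": re.compile(r"win32_shadowcopy.*\.delete\(\)"),
}

# Constructed telemetry, one JSON object per line (raw string so the JSON
# backslash escapes survive). Three hosts show the pre-encryption sequence;
# DC01 shows the benign look-alikes that must not alert.
SAMPLE_EVENTS = r"""
{"ts": "2020-03-14T02:11:05Z", "host": "FS01", "user": "CORP\\svc_backup", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}
{"ts": "2020-03-14T02:11:06Z", "host": "FS01", "user": "CORP\\svc_backup", "cmdline": "wbadmin.exe delete catalog -quiet"}
{"ts": "2020-03-14T02:11:07Z", "host": "FS01", "user": "CORP\\svc_backup", "cmdline": "bcdedit.exe /set {default} recoveryenabled No"}
{"ts": "2020-03-14T02:12:40Z", "host": "WS-ENG-07", "user": "CORP\\jdoe", "cmdline": "wmic.exe shadowcopy delete"}
{"ts": "2020-03-14T02:12:41Z", "host": "WS-ENG-07", "user": "CORP\\jdoe", "cmdline": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"}
{"ts": "2020-03-14T09:30:00Z", "host": "DC01", "user": "CORP\\admin", "cmdline": "vssadmin.exe list shadows"}
{"ts": "2020-03-14T09:31:00Z", "host": "DC01", "user": "CORP\\admin", "cmdline": "bcdedit.exe /enum"}
{"ts": "2020-03-14T10:05:00Z", "host": "WS-HR-02", "user": "CORP\\mlee", "cmdline": "powershell.exe -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"}
"""


def parse_events(text):
    """Parse JSON-per-line telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(cmdline):
    """Names of every recovery-inhibition pattern the command line matches."""
    lowered = cmdline.lower()
    return [name for name, rx in RECOVERY_INHIBITION_PATTERNS.items() if rx.search(lowered)]


def triage(events):
    """Group hits per host: {host: [(ts, user, technique, cmdline), ...]}.
    Hosts with no hits are absent from the result."""
    hits = defaultdict(list)
    for ev in events:
        for technique in classify(ev["cmdline"]):
            hits[ev["host"]].append((ev["ts"], ev["user"], technique, ev["cmdline"]))
    return dict(hits)


def hosts_to_isolate(events, min_hits=1):
    """Hosts to disconnect first: most hits first, earliest hit breaks ties."""
    hits = triage(events)
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[1][0][0]))
    return [host for host, host_hits in ranked if len(host_hits) >= min_hits]


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for host, host_hits in triage(events).items():
        for ts, user, technique, cmdline in host_hits:
            print(f"{ts} {host:10s} {user:16s} {technique:32s} {cmdline}")
    print("isolate first:", hosts_to_isolate(events))
```

The read-only commands on DC01 produce no alert, so the rule can page a human at night without drowning the on-call in administrator noise; the three infected hosts come out ranked by how far into the pre-encryption sequence they got.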

Progent provides a range of services for protecting enterprises from crypto-ransomware. These include staff training to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of SentinelOne's AI-based endpoint protection to identify and contain new attacks automatically. Progent also offers the services of veteran ransomware recovery engineers with the track record and commitment to restore a breached network as quickly as possible.

Progent's Ransomware Recovery Help
After a ransomware penetration, paying the ransom in Bitcoin does not guarantee that the criminals will hand over working decryption keys for your data. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also costly: Ryuk demands frequently ran from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000. The other path is to rebuild the vital components of your IT environment. Without full, uncompromised backups, this calls for a broad complement of skills, tightly coordinated team management, and the capacity to work around the clock until the recovery is done.

For two decades, Progent has provided certified expert IT services to companies in Broomfield and throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who hold high-level industry certifications in leading technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security engineers hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC (refer to Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of experience lets Progent rapidly understand the systems involved, organize the surviving parts of your IT environment after a ransomware event, and assemble them into a functioning whole.

Progent's recovery team uses proven project management tools to orchestrate the complex recovery process. Progent understands the urgency of working quickly and in unison with a client's management and IT staff to prioritize tasks and bring essential applications back on line as soon as humanly possible.

Case Study: A Successful Ransomware Response
A customer engaged Progent after their network was attacked by Ryuk ransomware. Ryuk was initially attributed to North Korean state hackers because of code it shares with the older Hermes ransomware, possibly combined with exploit techniques leaked from the US NSA; later analysis tied it to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for disruption and is among the most profitable ransomware operations. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a manufacturing company in the Chicago metro area with about 500 employees. The Ryuk intrusion had frozen all essential business operations and manufacturing processes. Most of the client's backups had been on-line and reachable from the compromised network at the time of the attack, and they were destroyed along with the production data. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I can't speak enough about the expertise Progent provided us during the most critical period of (our) company's survival. We had little choice but to pay the cyber criminals except for the confidence the Progent group gave us. That you could get our e-mail system and key servers back online in less than one week was incredible. Each consultant I interacted with or texted at Progent was urgently focused on getting us back online and was working breakneck pace on our behalf."

Progent worked hand in hand with the client to quickly identify and prioritize the critical systems that had to be recovered before business operations could restart:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • MRP System
To get started, Progent followed industry best practice for malware incident containment: isolating affected systems to stop lateral movement and cleaning the ransomware from each host before allowing it back on the network. Progent then began recovering Microsoft Active Directory, the foundation of any enterprise network built on Windows. Microsoft Exchange Server will not operate without AD, and the business's MRP software ran on Microsoft SQL Server, which relied on AD to authenticate access to the data.

Within two days, Progent had restored Active Directory to its pre-penetration state. Progent then rebuilt the essential application servers and recovered what it could from their disks. All Exchange data and attributes were usable, which accelerated the Exchange rebuild. Progent was also able to locate unencrypted Outlook offline data files (OST files) on user desktops and recover mail from them. A recent offline backup of the customer's accounting/ERP software made it possible to bring those programs back on line. Although major work remained to recover fully from the Ryuk event, the most important systems were returned to operation rapidly:
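Recovering mail from OST files on user desktops, as described above, only works for the files the ransomware did not reach, and on a network of several hundred PCs nobody can open each one in Outlook to find out. A fast triage combines two indicators: every PST/OST file begins with the signature "!BDN" (the [MS-PST] dwMagic value 0x4E444221 stored little-endian), and a real mail store has byte entropy well below the near-8-bits-per-byte of ciphertext, so a file that has lost its signature and gained high entropy has been encrypted, whatever its name now is (Ryuk appends its own extension). The scanner below is an added example written for this page, not Progent's tooling; the sample files are constructed in a temporary directory, and the 7.5 bits/byte entropy ceiling is an assumed threshold to tune on real data.

```python
"""Triage Outlook offline data files found on recovered desktops: keep the
ones ransomware left alone, flag the ones it overwrote. The check combines
the PST/OST file signature with a byte-entropy measurement, since an
encrypted file has neither the signature nor the low entropy of a mail store.

Example code written for this page, not Progent's tooling. The sample files
are constructed in a temporary directory; the entropy ceiling is an
assumption to tune against real data."""
import math
import os
import tempfile
from collections import Counter

OUTLOOK_MAGIC = b"!BDN"      # [MS-PST] dwMagic 0x4E444221 stored little-endian
SAMPLE_BYTES = 64 * 1024     # only the file head is read; enough for both checks
ENTROPY_CEILING = 7.5        # bits/byte; ciphertext sits near 8.0 (assumed threshold)
OUTLOOK_SUFFIXES = (".ost", ".pst")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_outlook_file(name: str) -> bool:
    """Match .ost/.pst anywhere in the name so ransomware-renamed files such as
    Outlook.ost.RYK are still examined (Ryuk appends its own extension)."""
    lower = name.lower()
    return any(suffix in lower for suffix in OUTLOOK_SUFFIXES)


def assess_file(path: str):
    """Return (verdict, entropy): 'intact' when the signature is present and the
    entropy is mail-store-like, 'encrypted' when both indicators point at
    ciphertext, otherwise 'suspect' (wiped, truncated or partially written)."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    has_magic = head.startswith(OUTLOOK_MAGIC)
    if has_magic and entropy < ENTROPY_CEILING:
        return "intact", entropy
    if not has_magic and entropy >= ENTROPY_CEILING:
        return "encrypted", entropy
    return "suspect", entropy


def scan_directory(root: str) -> dict:
    """Walk a recovered disk image or share and assess every Outlook data file."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if looks_like_outlook_file(name):
                path = os.path.join(dirpath, name)
                results[path] = assess_file(path)
    return results


def verdicts_by_name(root: str) -> dict:
    """Basename -> verdict, convenient for a recovery worklist."""
    return {os.path.basename(p): verdict for p, (verdict, _) in scan_directory(root).items()}


def build_sample_tree() -> str:
    """Constructed test data: one intact OST, one Ryuk-encrypted OST, one wiped PST."""
    root = tempfile.mkdtemp(prefix="ost-triage-")
    samples = {
        "alice/Outlook.ost": OUTLOOK_MAGIC + b"Subject: weekly production report\r\n" * 2000,
        "bob/Outlook.ost.RYK": os.urandom(SAMPLE_BYTES),   # random bytes stand in for ciphertext
        "carol/old.pst": b"\x00" * SAMPLE_BYTES,            # zero-filled: signature gone, not ciphertext
        "dave/notes.txt": b"not an outlook file",            # ignored by the name filter
    }
    for rel, payload in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(payload)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, (verdict, entropy) in sorted(scan_directory(root).items()):
        print(f"{verdict:9s} {entropy:4.2f}  {os.path.relpath(path, root)}")
```

Only the first 64 KB of each file is read, so the scan runs at directory-walk speed over a mounted share or disk image; the "suspect" verdict exists so that a zero-filled or truncated file is handed to a person rather than silently discarded or silently trusted.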


"For the most part, the assembly line operation never missed a beat and we made all customer orders."

Throughout the next few weeks key milestones in the restoration process were accomplished through close collaboration between Progent team members and the customer:

  • Self-hosted web sites were brought back up without losing any data.
  • The MailStore email archive for Exchange, holding more than four million historical messages, was brought online and made accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were fully restored.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • Nearly all user PCs were functioning as they had before the incident.

"So much of what happened in the initial days is nearly entirely a blur for me, but our team will not forget the urgency each of your team accomplished to give us our business back. I've been working together with Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered. This event was a testament to your capabilities."

Conclusion
A probable company-ending catastrophe was averted through the efforts of top-tier professionals with a wide spectrum of knowledge, working in close collaboration. Post-incident forensics showed that this penetration could have been detected and blocked by modern endpoint security, staff training, and well-designed procedures for offline backups and timely patching. Even so, state-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware incident, remember that Progent's team has proven experience in ransomware defense, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), I'm grateful for making it so I could get rested after we got through the first week. Everyone did an incredible job, and if anyone that helped is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Broomfield a variety of remote monitoring and security assessment services to help you to reduce the threat from ransomware. These services incorporate next-generation machine learning capability to detect zero-day strains of ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that uses SentinelOne's behavior-analysis technology to guard physical and virtual endpoints against modern malware such as ransomware and file-less exploits, which easily evade traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to address the entire threat lifecycle: prevention, detection, containment, remediation, and forensics. Top capabilities include single-click rollback of encrypted files using Windows Volume Shadow Copy Service (VSS) snapshots and automatic system-wide immunization against newly seen attacks. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable multi-layer protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device management, and web filtering through cutting-edge technologies packaged within a single agent accessible from a single console. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP environment that addresses your organization's unique needs and that helps you prove compliance with legal and industry information protection regulations. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also assist you to set up and test a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup/restore software companies to create ProSight Data Protection Services, a portfolio of subscription-based managed plans that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup operations and enable transparent backup and fast restoration of vital files and folders, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss caused by hardware failure, natural disasters, fire, malware such as ransomware, user error, malicious employees, or application faults. Managed services in the ProSight DPS family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you determine which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading information security vendors to provide centralized management and strong protection for your inbound and outbound email. Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to offer layered defense against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as the first line of defense and blocks the vast majority of threats before they reach your security perimeter. This reduces your exposure to inbound attacks and saves bandwidth and storage. Email Guard's on-site security gateway appliance provides a further layer of inspection for incoming email. For outbound email, the local gateway provides anti-virus and anti-spam filtering, data loss prevention (DLP), and email encryption. The on-site gateway can also help Microsoft Exchange Server track and protect internal email traffic that originates and terminates inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to map, track, reconfigure and debug their connectivity hardware such as routers, firewalls, and load balancers as well as servers, endpoints and other devices. Using current RMM technology, ProSight WAN Watch keeps network diagrams current, backs up and manages the configuration of almost all devices on your network, monitors performance, and generates alerts when issues are detected. By automating tedious management activities, WAN Watch can knock hours off common chores like network mapping, reconfiguring your network, locating devices that need important software patches, or isolating performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses remote monitoring and management (RMM) technology to keep your network operating at peak levels by checking the health of the vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT personnel and your assigned Progent consultant so looming problems can be addressed before they impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved easily to an alternate hardware solution without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect data about your network infrastructure, procedures, business applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSL/TLS certificates or domain registrations. By keeping your network documentation current and organized, you can save up to half of the time spent looking for vital information about your network. ProSight IT Asset Management provides a common repository for holding and sharing all documents required for managing your business network, such as recommended procedures and how-to guides. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning enhancements, performing routine maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that uses behavior-analysis technology to guard endpoints, servers and VMs against new malware such as ransomware and file-less exploits, which easily evade traditional signature-based anti-virus products. The service protects on-premises and cloud resources and provides a unified platform to automate the entire malware attack lifecycle: blocking, identification, mitigation, remediation, and forensics. Top features include single-click rollback using Windows VSS snapshots and real-time system-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Call Desk: Call Center Managed Services
    Progent's Call Center managed services enable your information technology staff to offload Help Desk services to Progent or divide responsibilities for support services transparently between your in-house support group and Progent's extensive roster of IT service engineers and subject matter experts. Progent's Co-managed Service Desk provides a seamless supplement to your corporate IT support staff. User access to the Service Desk, delivery of support services, problem escalation, ticket generation and updates, efficiency measurement, and maintenance of the support database are consistent whether issues are resolved by your in-house network support staff, by Progent, or a mix of the two. Find out more about Progent's outsourced/co-managed Call Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management offer businesses of all sizes a flexible and affordable solution for assessing, testing, scheduling, implementing, and tracking updates to your ever-evolving information system. Besides optimizing the protection and functionality of your computer network, Progent's patch management services allow your in-house IT team to concentrate on more strategic projects and tasks that derive maximum business value from your information network. Find out more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans use Cisco's Duo technology to protect against password theft with two-factor authentication (2FA). Duo enables single-tap identity confirmation on iOS, Android, and other personal devices. With Duo 2FA, whenever you log into a protected application and enter your password you are asked to verify who you are via a device that only you possess and that uses a separate network channel. A broad range of devices can serve as this second factor, such as an iPhone, Android phone or wearable, a hardware or software token, or a landline telephone, and you may register several verification devices. To find out more about Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services.
For 24-hour ransomware (CryptoLocker) removal consultants in Broomfield, reach out to Progent at 800-462-8800 or go to Contact Progent.