Crypto-Ransomware: Your Feared Information Technology Disaster
Crypto-Ransomware Remediation Consultants
Ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level threat to businesses of all sizes that are unprepared for an attack. Multiple generations of ransomware such as CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms have been in the wild for a long time and continue to cause destruction. Modern strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Egregor, plus a steady stream of as-yet-unnamed variants, not only encrypt critical online data but also corrupt most configured system restore points and online backups. Data synchronized to off-site disaster recovery sites can be corrupted as well. In a vulnerable environment this can make automatic restoration hopeless and effectively knocks the datacenter back to square one.

Getting applications and data back online after a ransomware attack becomes a race against time as the targeted organization struggles to stop the spread, eradicate the ransomware, and restore mission-critical activity. Because ransomware needs time to move laterally, attacks are usually triggered at night, when a successful intrusion tends to take longer to discover. This compounds the difficulty of promptly assembling and coordinating a capable response team.

Progent offers a variety of services for protecting organizations against crypto-ransomware attacks. These include staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security appliances with artificial intelligence technology from SentinelOne to detect and disable zero-day cyber attacks rapidly. Progent also offers the assistance of experienced ransomware recovery consultants with the skills and commitment to rebuild a breached environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware event, even paying the ransom demand in Bitcoin provides no assurance that remote criminals will hand over the keys to decrypt any or all of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their information even after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET determined to be around $13,000. The fallback is to rebuild the critical elements of your Information Technology environment. Without complete system backups, this requires a wide range of IT skills, top-notch team management, and the willingness to work around the clock until the job is done.

For twenty years, Progent has provided certified expert Information Technology services for companies in Broomfield and throughout the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned top industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in financial systems and ERP application software. This breadth of experience gives Progent the skills to knowledgeably identify critical systems, consolidate the surviving components of your network environment following a ransomware attack, and assemble them into a functioning system.

Progent's security group utilizes powerful project management tools to orchestrate the sophisticated recovery process. Progent understands the importance of working swiftly and together with a customer's management and IT resources to assign priority to tasks and to get critical services back online as fast as humanly possible.

Customer Case Study: A Successful Ransomware Intrusion Response
A small business engaged Progent after its network was taken over by Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state cybercriminals, possibly using techniques leaked from the United States National Security Agency. Ryuk targets specific companies with little or no ability to tolerate disruption and is among the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with around 500 employees. The Ryuk intrusion had frozen all essential business operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the intrusion and were destroyed. The client was actively seeking loans to pay the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately decided to engage Progent.


"I cannot say enough about the expertise Progent provided us throughout the most fearful period of (our) business's survival. We would have paid the hackers behind this attack if it weren't for the confidence the Progent experts gave us. The fact that you were able to get our messaging and important applications back online in less than 1 week was incredible. Each person I worked with or communicated with at Progent was laser focused on getting us back online and was working at a breakneck pace to bail us out."

Progent worked hand in hand with the customer to quickly assess and prioritize the key services that had to be addressed in order to restart company operations:

  • Microsoft Active Directory
  • Electronic Messaging
  • Financials/MRP
To start, Progent followed anti-virus incident mitigation best practices by halting the spread and cleaning up infected systems. Progent then began the process of recovering Microsoft Active Directory (AD), the core of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server email will not work without AD, and the client's accounting and MRP applications ran on SQL Server, which relies on Active Directory to authenticate users to the databases.
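The ordering described above (Active Directory first, then Exchange and the SQL Server that the accounting/MRP applications authenticate through) is a dependency problem, and the same reasoning can be applied to any service inventory when drawing up a recovery plan. The following planner is an added example written for this page; it is not Progent's tooling, and the service names and dependency edges in SAMPLE_DEPS are a constructed sample modelled on the case study rather than the client's real inventory. It goes slightly beyond the text by also grouping services into waves that can be rebuilt in parallel and by reporting circular dependencies, which would make any restore order impossible.

```python
"""Dependency-ordered recovery planner (added example; not Progent's tooling).

Given a map of services to the services they require, compute a restore
order in which every service comes after its prerequisites, and group the
services into waves that can be rebuilt in parallel. A cycle in the map
(A needs B, B needs A) means no valid order exists and is reported as such.
"""
from typing import Dict, Iterable, List, Set


class DependencyCycleError(ValueError):
    """Raised when the dependency map cannot be ordered because it contains a cycle."""


def _normalize(deps: Dict[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """Return a graph in which every mentioned service is a key (leaf services get an empty set)."""
    graph: Dict[str, Set[str]] = {}
    for service, required in deps.items():
        graph.setdefault(service, set()).update(required)
        for r in required:
            graph.setdefault(r, set())
    return graph


def recovery_order(deps: Dict[str, Iterable[str]]) -> List[str]:
    """Kahn's algorithm: emit a service only once all of its prerequisites are out.

    Ties are broken alphabetically so the plan is deterministic and reviewable.
    """
    graph = _normalize(deps)
    remaining = {s: len(req) for s, req in graph.items()}       # unmet prerequisites per service
    dependents: Dict[str, Set[str]] = {s: set() for s in graph}  # reverse edges
    for service, required in graph.items():
        for r in required:
            dependents[r].add(service)

    ready = sorted(s for s, n in remaining.items() if n == 0)
    order: List[str] = []
    while ready:
        service = ready.pop(0)
        order.append(service)
        for d in sorted(dependents[service]):
            remaining[d] -= 1
            if remaining[d] == 0:
                ready.append(d)
        ready.sort()

    if len(order) != len(graph):
        stuck = sorted(s for s, n in remaining.items() if n > 0)
        raise DependencyCycleError(f"no valid restore order; cycle among {stuck}")
    return order


def restore_waves(deps: Dict[str, Iterable[str]]) -> List[List[str]]:
    """Group services into waves by the length of their longest prerequisite chain.

    Everything in one wave can be restored in parallel once the previous wave is up.
    """
    graph = _normalize(deps)
    depth: Dict[str, int] = {}
    for service in recovery_order(deps):          # prerequisites are always visited first
        depth[service] = 1 + max((depth[r] for r in graph[service]), default=0)
    waves: Dict[int, List[str]] = {}
    for service, d in depth.items():
        waves.setdefault(d, []).append(service)
    return [sorted(waves[d]) for d in sorted(waves)]


# Constructed sample modelled on the case study's priorities (not the client's real inventory).
SAMPLE_DEPS: Dict[str, List[str]] = {
    "Exchange Server": ["Active Directory"],                   # mail needs AD
    "SQL Server": ["Active Directory"],                        # database logins authenticate via AD
    "Accounting/MRP": ["SQL Server"],                          # line-of-business apps sit on SQL Server
    "Internal web sites": ["Active Directory", "SQL Server"],  # assumed dependencies, for illustration only
}

if __name__ == "__main__":
    for wave_no, wave in enumerate(restore_waves(SAMPLE_DEPS), start=1):
        print(f"wave {wave_no}: {', '.join(wave)}")
```

Run as a script it prints one line per wave: Active Directory alone in wave 1, Exchange Server and SQL Server in wave 2, and the applications that sit on SQL Server in wave 3. Feeding it a real inventory means writing down, for every service, what it cannot run without; the cycle error is worth keeping, because circular dependencies discovered during an incident (for example a backup catalog that lives on a server the backups are needed to restore) are exactly the ones that derail a recovery.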

Within 48 hours, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then helped perform reinstallations and hard drive recovery of critical servers. All Exchange Server data and configuration information were usable, which accelerated the restoration of Exchange. Progent was also able to harvest intact OST files (Outlook Offline Data Files) from user PCs to recover mail data. A recent offline backup of the customer's accounting/ERP systems made it possible to bring these essential services back online for users. Although a lot of work remained to recover completely from the Ryuk damage, critical systems were restored quickly:


"For the most part, the production line operation never missed a beat and we did not miss any customer sales."

During the next few weeks key milestones in the restoration project were achieved in close cooperation between Progent engineers and the client:

  • Internal web sites were restored without losing any information.
  • The MailStore Exchange Server with over 4 million archived messages was brought online and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivable (AR)/Inventory modules were completely restored.
  • A new Palo Alto 850 firewall was set up and programmed.
  • 90% of the desktop computers were fully operational.

"Much of what transpired in the initial days is mostly a blur for me, but our team will not forget the countless hours each and every one of your team put in to help get our business back. I have utilized Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A probable business-ending catastrophe was averted thanks to hard-working professionals, a broad spectrum of IT skills, and tight teamwork. Although in retrospect the ransomware incident described here could have been stopped with modern security technology, NIST Cybersecurity Framework best practices, staff training, and properly executed procedures for data backup and software patching, the reality is that government-sponsored hackers from Russia, China and elsewhere are tireless and will keep coming. If you do fall victim to ransomware, remember that Progent's team of professionals has a proven track record in ransomware defense, cleanup, and file recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for allowing me to get some sleep after we got past the first week. All of you did an incredible job, and if anyone that helped is around the Chicago area, dinner is on me!"

To read or download a PDF version of this customer case study, see:
Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Broomfield a range of remote monitoring and security assessment services to help you reduce your exposure to crypto-ransomware. These services incorporate modern AI technology to detect new strains of ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior-based machine learning tools to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily escape traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a single platform to address the entire malware attack lifecycle including protection, infiltration detection, containment, remediation, and forensics. Key features include single-click rollback with Windows VSS and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer economical in-depth protection for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning to continuously monitor and respond to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering via leading-edge tools packaged within one agent managed from a unified console. Progent's security and virtualization consultants can help you plan and configure a ProSight ESP environment that meets your organization's unique needs and helps you demonstrate compliance with legal and industry data security standards. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also help your company set up and test a backup and restore solution like ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup technology companies to create ProSight Data Protection Services, a selection of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup operations and enable transparent backup and rapid recovery of vital files/folders, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss caused by hardware failures, natural disasters, fire, malware such as ransomware, human error, malicious employees, or application bugs. Managed services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver centralized management and world-class protection for all your email traffic. The layered structure of the Email Guard managed service integrates cloud-based filtering with a local gateway appliance to offer complete defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne malware. The cloud filter acts as a first line of defense and blocks the vast majority of threats before they reach your security perimeter. This decreases your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper level of inspection for incoming email. For outgoing email, the local security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server monitor and protect internal email traffic that stays inside your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map out, monitor, enhance and debug their networking appliances such as routers and switches, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are always updated, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are discovered. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, finding devices that need important updates, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your IT system operating efficiently by tracking the health of vital computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so all looming problems can be addressed before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved easily to a different hardware environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard data about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about impending expirations of SSLs or domains. By cleaning up and managing your network documentation, you can save as much as half of time spent searching for vital information about your network. ProSight IT Asset Management features a common repository for storing and sharing all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting-edge behavior analysis technology to guard endpoints as well as physical and virtual servers against modern malware attacks like ransomware and fileless exploits, which routinely get past legacy signature-matching AV products. Progent ASM services protect local and cloud resources and offer a unified platform to address the entire malware attack lifecycle including blocking, detection, containment, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Call Center: Support Desk Managed Services
    Progent's Support Center managed services allow your IT team to outsource Help Desk services to Progent or divide activity for support services transparently between your internal network support staff and Progent's nationwide pool of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a transparent extension of your in-house support staff. End user interaction with the Service Desk, provision of technical assistance, escalation, trouble ticket creation and updates, performance metrics, and management of the support database are cohesive regardless of whether incidents are resolved by your internal IT support organization, by Progent's team, or both. Read more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of any size a versatile and affordable alternative for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information network. Besides optimizing the security and reliability of your computer network, Progent's software/firmware update management services allow your IT team to focus on line-of-business initiatives and tasks that derive the highest business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication (2FA). Duo enables one-tap identity verification with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you log into a protected online account and enter your password you are requested to verify your identity on a device that only you have and that uses a different network channel. A wide range of out-of-band devices can be used as this second means of ID validation including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may designate multiple verification devices. For details about Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication services.

For 24/7 ransomware removal services in Broomfield, contact Progent at 800-462-8800 or go to Contact Progent.