Crypto-Ransomware: Your Worst IT Catastrophe
Ransomware Recovery Consultants
Ransomware has become a too-frequent cyber pandemic that presents an extinction-level danger for businesses of all sizes that are poorly prepared for an assault. Different iterations of ransomware such as Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been running rampant for years and continue to inflict destruction. The latest strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, along with more as yet unnamed newcomers, not only encrypt online files but also go after any system backups that are reachable from the compromised network. Information synched to the cloud can also be encrypted. If the data protection solution is vulnerable in this way, restoration becomes useless and the network is effectively knocked back to zero.

Getting applications and data back after a crypto-ransomware intrusion becomes a race against the clock as the victim tries to halt lateral movement, clear the malware, and resume mission-critical activity. Because ransomware requires time to move laterally, attacks are often launched on weekends, when successful penetrations tend to take longer to recognize. This compounds the difficulty of rapidly mobilizing and organizing a knowledgeable mitigation team.

Progent provides a range of support services for securing businesses from ransomware attacks. These include user education to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security gateways with artificial intelligence capabilities from SentinelOne to identify and extinguish zero-day cyber attacks quickly. Progent in addition offers the assistance of experienced ransomware recovery professionals with the skills and commitment to rebuild a breached system as quickly as possible.

Progent's Ransomware Recovery Support Services
After a crypto-ransomware event, even paying the ransom in Bitcoin provides no assurance that the attackers will respond with the keys to decrypt your data. Kaspersky estimated that 17% of ransomware victims never recovered their information after sending off the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), which is significantly above the usual crypto-ransomware demand, estimated by ZDNET at approximately $13,000. The other path is to rebuild the mission-critical elements of your IT environment. Without complete system backups, this calls for a broad range of IT skills, top-notch project management, and the ability to work non-stop until the job is done.

For twenty years, Progent has provided expert Information Technology services for companies in Cambridge and throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned high-level industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise in accounting and ERP software solutions. This breadth of expertise gives Progent the capability to quickly identify critical systems following a ransomware event, re-organize the surviving components of your network, and assemble them into an operational network.

Progent's recovery team uses top-notch project management tools to orchestrate the complex restoration process. Progent knows the urgency of acting swiftly and in unison with a customer's management and Information Technology staff to prioritize tasks and to get critical applications back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Virus Recovery
A client contacted Progent after its network was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean state cybercriminals, possibly using approaches leaked from the U.S. NSA. Ryuk goes after specific companies with little or no ability to sustain disruption and is one of the most profitable incarnations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area with about 500 workers. The Ryuk penetration had disabled all company operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were damaged. The client was pursuing financing to pay the ransom (exceeding $200K) and hoping for the best, but in the end decided to engage Progent.


"I can't speak enough about the support Progent provided us throughout the most fearful time of (our) company's survival. We would have had little choice but to pay the criminal gangs if it weren't for the confidence the Progent team provided us. The fact that you could get our messaging and essential servers back into operation in less than a week was earth shattering. Each expert I talked with or messaged at Progent was laser focused on getting us operational and was working day and night on our behalf."

Progent worked hand in hand with the customer to quickly assess and prioritize the mission-critical areas that had to be addressed before departmental operations could resume:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Financials/MRP
To start, Progent followed malware incident response best practices by halting lateral movement and cleaning up compromised systems. Progent then began restoring Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not function without Active Directory, and the customer's financials and MRP system ran on Microsoft SQL Server, which needs Active Directory to authenticate users to the databases.
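The dependency reasoning above (Exchange and SQL Server cannot come back until Active Directory does, and the MRP system cannot come back until SQL Server does) is the kind of thing a recovery team writes down on a whiteboard. The following is an added example, not Progent's tooling or anything from the case study, that turns such a whiteboard into a computed restoration plan: a topological sort over service dependencies, with ties broken by business priority, plus a pass that flags services whose only backup was online and encrypted, together with everything that depends on them. The service inventory, priorities and backup sources are constructed sample data, not the client's real environment.

```python
import heapq
from typing import Dict, List, Tuple

# Constructed sample inventory, modelled loosely on the case study, not real client data.
# "deps": services that must be running first; "priority": business ranking (1 = most critical);
# "backup": the surviving restore source, or None where the only backup was online and encrypted.
SERVICES: Dict[str, dict] = {
    "Active Directory": {"deps": [], "priority": 1, "backup": "system state backup"},
    "Exchange Server": {"deps": ["Active Directory"], "priority": 2, "backup": "workstation OST files"},
    "SQL Server": {"deps": ["Active Directory"], "priority": 3, "backup": "offline backup"},
    "Financials/MRP": {"deps": ["SQL Server"], "priority": 3, "backup": "offline backup"},
    "File shares": {"deps": ["Active Directory"], "priority": 5, "backup": None},
    "Document portal": {"deps": ["File shares"], "priority": 6, "backup": "offline backup"},
}


def restore_order(services: Dict[str, dict]) -> List[str]:
    """Kahn's algorithm: every service is listed after all of its dependencies.
    Among services whose dependencies are satisfied, the most critical (lowest
    priority number) goes first; a dependency cycle raises ValueError."""
    indegree = {name: 0 for name in services}
    dependents: Dict[str, List[str]] = {name: [] for name in services}
    for name, spec in services.items():
        for dep in spec["deps"]:
            if dep not in services:
                raise ValueError(f"{name!r} depends on unknown service {dep!r}")
            indegree[name] += 1
            dependents[dep].append(name)
    # Min-heap keyed on (priority, name) so the plan is deterministic.
    ready = [(services[n]["priority"], n) for n, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    order: List[str] = []
    while ready:
        _, current = heapq.heappop(ready)
        order.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (services[child]["priority"], child))
    if len(order) != len(services):
        stuck = sorted(set(services) - set(order))
        raise ValueError("dependency cycle involving: " + ", ".join(stuck))
    return order


def unrecoverable(services: Dict[str, dict]) -> List[str]:
    """Services with no surviving backup, plus everything downstream of them:
    a restorable portal is still stuck if the file shares it needs are gone."""
    lost = {n for n, s in services.items() if s["backup"] is None}
    changed = True
    while changed:
        changed = False
        for name, spec in services.items():
            if name not in lost and any(d in lost for d in spec["deps"]):
                lost.add(name)
                changed = True
    return sorted(lost)


def recovery_plan(services: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Ordered (service, action) pairs for the recovery team."""
    lost = set(unrecoverable(services))
    plan = []
    for name in restore_order(services):
        spec = services[name]
        if spec["backup"] is None:
            action = "no surviving backup: rebuild from scratch"
        elif name in lost:
            missing = sorted(d for d in spec["deps"] if d in lost)
            action = "has backup but blocked until rebuilt: " + ", ".join(missing)
        else:
            action = "restore from " + spec["backup"]
        plan.append((name, action))
    return plan


if __name__ == "__main__":
    for step, (service, action) in enumerate(recovery_plan(SERVICES), start=1):
        print(f"{step}. {service}: {action}")
```

The plan puts Active Directory first, then Exchange and SQL Server, then the MRP system, which is the order the case study describes. The second pass is the part worth keeping in mind when reviewing a backup design: a service whose own backup is fine can still be unrecoverable if something it depends on only had an online backup.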

Within 2 days, Progent was able to recover Active Directory to its pre-attack state. Progent then charged ahead with configuration and disk recovery of key applications. All Exchange Server data and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to find local OST files (Outlook Offline Folder files) on team workstations and laptops and used them to recover email data. A recent offline backup of the business's accounting/MRP systems made it possible to bring these vital applications back online. Although a large amount of work remained to recover totally from the Ryuk virus, the most important services were restored rapidly:


"For the most part, the production manufacturing operation never missed a beat and we did not miss any customer deliverables."

Throughout the following month important milestones in the recovery project were completed through close cooperation between Progent engineers and the client:

  • Internal web applications were brought back up with no loss of data.
  • The MailStore Exchange Server archive, containing more than 4 million historical messages, was brought online and made available to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were 100% restored.
  • A new Palo Alto 850 firewall was brought on-line.
  • Nearly all of the desktop computers were operational.

"Much of what happened during the initial response is nearly entirely a haze for me, but we will not forget the care each and every one of you put in to give us our company back. I have utilized Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This time was a testament to your capabilities."

Conclusion
A possible business extinction disaster was avoided due to dedicated professionals, a wide array of subject matter expertise, and tight collaboration. Forensics completed after the fact showed that the ransomware incident detailed here would have been stopped by up-to-date cyber security technology and best practices, user and IT administrator education, and well-designed procedures for backup and software patching. Even so, the reality remains that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware penetration, remember that Progent's team of experts has a proven track record in ransomware virus blocking, remediation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get some sleep after we got past the initial push. All of you made an impressive effort, and if any of you guys are visiting the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Cambridge a portfolio of online monitoring and security evaluation services designed to help you to minimize your vulnerability to ransomware. These services include modern machine learning technology to uncover zero-day variants of ransomware that can escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based machine learning technology to defend physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to address the complete malware attack lifecycle including filtering, infiltration detection, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, endpoint control, and web filtering via cutting-edge tools incorporated within a single agent managed from a single control. Progent's security and virtualization consultants can help you to plan and implement a ProSight ESP deployment that meets your organization's unique requirements and that helps you demonstrate compliance with legal and industry data security standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent's consultants can also help you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore technology providers to produce ProSight Data Protection Services, a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup processes and enable non-disruptive backup and fast restoration of vital files, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business recover from data loss caused by equipment breakdown, natural calamities, fire, malware like ransomware, user error, malicious insiders, or application glitches. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security companies to deliver web-based management and comprehensive protection for your inbound and outbound email. The hybrid architecture of Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your vulnerability to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises gateway device adds a further level of inspection for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller businesses to map out, monitor, enhance and debug their connectivity hardware like switches, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are always current, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when potential issues are detected. By automating tedious management activities, WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, locating devices that require critical software patches, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by checking the state of critical assets that power your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT management personnel and your Progent consultant so any looming issues can be addressed before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be ported easily to an alternate hosting solution without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect data related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or domains. By updating and managing your network documentation, you can eliminate as much as half of the time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Learn more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates next generation behavior-based analysis tools to defend endpoint devices as well as physical and virtual servers against new malware assaults like ransomware and file-less exploits, which routinely get by traditional signature-based anti-virus products. Progent Active Security Monitoring services protect on-premises and cloud resources and offer a unified platform to automate the complete malware attack progression including filtering, identification, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Desk: Help Desk Managed Services
    Progent's Call Desk managed services allow your information technology staff to outsource Help Desk services to Progent or divide activity for Service Desk support seamlessly between your in-house network support staff and Progent's extensive pool of certified IT support engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a transparent supplement to your in-house IT support organization. Client interaction with the Help Desk, provision of support services, issue escalation, ticket creation and tracking, performance measurement, and management of the support database are consistent regardless of whether issues are taken care of by your corporate IT support resources, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management provide organizations of any size a flexible and affordable solution for assessing, validating, scheduling, implementing, and tracking updates to your dynamic information system. In addition to optimizing the protection and reliability of your IT network, Progent's software/firmware update management services free up time for your in-house IT team to focus on more strategic initiatives and tasks that deliver the highest business value from your information network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to protect against stolen passwords by using two-factor authentication. Duo supports single-tap identity verification with Apple iOS, Google Android, and other personal devices. With 2FA, when you log into a secured online account and enter your password, you are asked to confirm who you are on a device that only you have and that uses a separate network channel. A wide selection of devices can be used as this added means of authentication, including a smartphone or wearable, a hardware token, or a landline telephone. You can designate several validation devices. For details about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication services.

For 24x7 Cambridge Crypto Recovery Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.