Crypto-Ransomware : Your Worst Information Technology Catastrophe
Ransomware Recovery Experts
Crypto-ransomware has become an escalating cyber pandemic that presents an enterprise-level danger for organizations unprepared for an attack. Families such as CrySIS, WannaCry, Locky, NotPetya and MongoLock (WannaCry and NotPetya being true cryptoworms that spread on their own) have been running rampant for years and still cause destruction. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with unnamed newcomers, not only encrypt on-line data but also delete or encrypt any restore points and backups they can reach. Data replicated to off-site disaster recovery sites can be corrupted as well. In a poorly architected data protection solution this can render automatic restore operations impossible and effectively set the network back to zero.
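The backup-destruction step described above usually shows up in process-creation telemetry before any file is encrypted: Ryuk's batch scripts, for example, run vssadmin to delete shadow copies and shrink shadow storage. The following PowerShell is an added example, not Progent's code or part of the original page, that flags such command lines. The sample command lines are constructed here; in production you would feed it the CommandLine field of Sysmon Event ID 1 or the "Process Command Line" field of Security event 4688.

```powershell
# Added example (not from the original page): detect commands that destroy
# Windows restore points and backups, a precursor to ransomware encryption.
$Rules = @(
    @{ Name = 'VSS shadow copies deleted';          Pattern = 'vssadmin(\.exe)?\s+delete\s+shadows' }
    @{ Name = 'VSS storage shrunk (evicts copies)'; Pattern = 'vssadmin(\.exe)?\s+resize\s+shadowstorage' }
    @{ Name = 'Shadow copies deleted via WMI';      Pattern = 'wmic(\.exe)?\s+shadowcopy\s+delete' }
    @{ Name = 'Windows Backup catalog deleted';     Pattern = 'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)' }
    @{ Name = 'Boot recovery disabled';             Pattern = 'bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)' }
    @{ Name = 'Shadow copies deleted via PowerShell'; Pattern = 'Win32_ShadowCopy.*\.Delete\(\)' }
)

function Find-BackupTampering {
    # Returns one object per matching command line, tagged with the rule that fired.
    param([Parameter(Mandatory)][string[]]$CommandLine)
    foreach ($cmd in $CommandLine) {
        foreach ($rule in $Rules) {
            if ($cmd -imatch $rule.Pattern) {
                [pscustomobject]@{ Rule = $rule.Name; CommandLine = $cmd }
                break   # one hit per command line is enough
            }
        }
    }
}

# Constructed sample, not captured from a real host.
$Sample = @(
    'C:\Windows\System32\svchost.exe -k netsvcs',
    'vssadmin.exe Delete Shadows /all /quiet',
    'vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB',
    'wmic shadowcopy delete',
    'bcdedit /set {default} recoveryenabled No',
    'wbadmin delete catalog -quiet',
    'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    'vssadmin list shadows'   # benign: listing, not deleting; must not fire
)

$hits = Find-BackupTampering -CommandLine $Sample
$hits | Format-Table -AutoSize
"$($hits.Count) of $($Sample.Count) command lines matched"   # 6 of 8
```

To run the same rules against live data on a host with Sysmon installed, pipe `(Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}).Message` through a regex that extracts the CommandLine field. Security event 4688 only carries the command line when the "Include command line in process creation events" policy is enabled, so confirm that before relying on it. Any hit on a server that is not a backup host should be treated as an active incident, because by the time these commands run the encryption payload is typically already staged.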

Getting applications and data back after a crypto-ransomware attack becomes a sprint against time as the targeted organization struggles to contain the damage, eradicate the malware, and restore mission-critical activity. Because ransomware takes time to spread, intrusions are frequently launched at night and on weekends, when attacks may take longer to uncover. This multiplies the difficulty of rapidly marshalling and orchestrating a knowledgeable response team.

Progent offers an assortment of services for protecting enterprises from ransomware attacks. Among these are staff education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security solutions with machine learning technology from SentinelOne to detect and suppress zero-day threats rapidly. Progent also provides the assistance of experienced crypto-ransomware recovery professionals with the skills and commitment to restore a breached system as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
After a crypto-ransomware event, paying the ransom in Bitcoin does not ensure that the criminals will return the keys needed to decrypt any of your files. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their data after paying the ransom, compounding their losses. Paying is also very costly. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), significantly higher than the typical ransomware demand, which ZDNet put in the range of $13,000. The alternative is to piece back together the mission-critical components of your IT environment. Without essential system backups, this requires a broad range of IT skills, well-coordinated team management, and the capability to work continuously until the task is done.

For twenty years, Progent has provided certified expert IT services for businesses in Cambridge and throughout the United States and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who hold high-level industry certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has experience in accounting and ERP application software. This breadth of expertise gives Progent the skills to knowledgeably identify critical systems, organize the remaining pieces of your IT environment following a ransomware attack, and rebuild them into a functioning network.

Progent's recovery team of experts uses powerful project management applications to coordinate the complicated recovery process. Progent knows the importance of acting quickly and together with a client's management and IT team members to prioritize tasks and to put key services back on line as soon as humanly possible.

Case Study: A Successful Crypto-Ransomware Attack Restoration
A small business hired Progent after the company was penetrated by Ryuk ransomware. Early reports attributed Ryuk to North Korean state-sponsored actors because of code it shares with the earlier Hermes ransomware; subsequent research by security firms attributed it instead to a Russian-speaking criminal group (tracked as Wizard Spider) that also operates the TrickBot and Emotet delivery chains. Ryuk targets specific organizations with limited ability to sustain disruption and is one of the most lucrative ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk intrusion had shut down all essential operations and manufacturing capability. Most of the client's backups had been on-line at the time of the intrusion and were encrypted. The client was evaluating paying the ransom demand (exceeding $200,000) and hoping for the best, but ultimately engaged Progent.


"I can't speak enough about the expertise Progent gave us during the most critical time of (our) company's existence. We most likely would have paid the cyber criminals behind the attack except for the confidence the Progent experts afforded us. That you were able to get our messaging and important servers back online sooner than one week was something I thought impossible. Each expert I talked with or e-mailed at Progent was absolutely committed on getting our company operational and was working day and night to bail us out."

Progent worked hand in hand with the client to quickly identify and prioritize the mission-critical services that had to be restored before business operations could resume:

  • Active Directory (AD)
  • Email
  • Accounting/MRP
To begin, Progent followed incident response best practices by halting the spread and cleaning up infected systems. Progent then started bringing Microsoft Active Directory back online, the foundation of any enterprise environment built on Windows. Microsoft Exchange Server will not run without AD, and the business's accounting and MRP applications used Microsoft SQL Server with Windows-integrated authentication, which likewise depends on AD to authorize access to the databases.

In less than two days, Progent restored Active Directory to its pre-attack state. Progent then helped with reinstallation and disk recovery of key applications. The Exchange Server objects and attributes in AD were intact, which simplified the Exchange restore. Progent was also able to collect local OST files (Outlook offline data files) from user PCs and laptops to recover email messages. A reasonably recent offline backup of the client's accounting/MRP software made it possible to bring these vital applications back online for users. Although significant work remained to recover fully from the Ryuk attack, critical systems were returned to operation quickly:
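The order of restoration above (AD first, then the Exchange and SQL Server hosts that authenticate against it, then mail recovery from workstation OST files) is the dependency chain any AD-centric recovery has to respect. The following PowerShell is an added example, not Progent's procedure or code from the original page, of the checks a recovery engineer can run after a domain controller is restored and before turning on the dependent services. The host names EXCH01 and SQL01 are assumptions for illustration.

```powershell
# Added example (not from the original page): verify that a restored AD domain
# is usable before rebuilding Exchange and SQL Server on top of it, and inventory
# OST files that may hold mail not yet recovered. Run from a domain-joined admin
# host under Windows PowerShell 5.1 (Get-Service -ComputerName is absent in PowerShell 7).
Import-Module ActiveDirectory

function Test-DomainReady {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $results = [ordered]@{}
    # Locate a live DC; -ErrorAction Stop makes a missing DC fail loudly.
    $dc = Get-ADDomainController -Discover -DomainName $Domain -ErrorAction Stop
    $results['DomainController'] = $dc.HostName
    # FSMO holders: if these name DCs that no longer exist, the roles must be seized.
    $results['FSMO'] = Get-ADDomain $Domain |
        Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
    # Kerberos, LDAP and SMB must be reachable from the hosts that will join/authenticate.
    foreach ($port in 88, 389, 445) {
        $results["Port$port"] = (Test-NetConnection -ComputerName $dc.HostName -Port $port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    # A broken machine-account secure channel is the usual reason AD-dependent
    # services refuse to start after a restore from an old image.
    $results['SecureChannel'] = Test-ComputerSecureChannel
    [pscustomobject]$results
}

function Test-DependentService {
    # Reports the state of the services a restored application server needs.
    param([string]$ComputerName, [string[]]$ServiceName)
    Get-Service -ComputerName $ComputerName -Name $ServiceName -ErrorAction SilentlyContinue |
        Select-Object MachineName, Name, Status
}

function Get-OstInventory {
    # Outlook 2013 and later keep OST files under %LOCALAPPDATA%\Microsoft\Outlook.
    param([string]$Root = 'C:\Users')
    Get-ChildItem -Path $Root -Filter *.ost -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }, LastWriteTime
}

# Usage (host names assumed for the example):
Test-DomainReady
Test-DependentService -ComputerName 'EXCH01' -ServiceName 'MSExchangeADTopology', 'MSExchangeIS', 'MSExchangeTransport'
Test-DependentService -ComputerName 'SQL01'  -ServiceName 'MSSQLSERVER', 'SQLSERVERAGENT'
Get-OstInventory | Sort-Object SizeMB -Descending | Format-Table -AutoSize
```

If the FSMO output names domain controllers that were lost in the attack, seize the roles onto the restored DC with `Move-ADDirectoryServerOperationMasterRole -Force` before bringing Exchange up; Exchange's AD Topology service will not start cleanly otherwise. Note that an OST file is bound to the mailbox profile that created it, so recovering mail from one either means rebuilding the same mailbox on the restored Exchange server or using a conversion tool to export the contents; the inventory above just tells you which machines hold the largest and most recent copies.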


"For the most part, the production line operation survived unscathed and we delivered all customer shipments."

Throughout the next couple of weeks important milestones in the restoration process were achieved in close collaboration between Progent engineers and the client:

  • Internal web sites were restored without losing any information.
  • The MailStore Server with over 4 million historical messages was brought on-line and available for users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory Control capabilities were completely functional.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Most of the desktop computers were operational.

"So much of what happened in the initial days is mostly a haze for me, but I will not forget the commitment each and every one of the team accomplished to help get our company back. I have been working together with Progent for the past ten years, maybe more, and each time Progent has come through and delivered. This time was a testament to your capabilities."

Conclusion
A probable business-ending disaster was avoided by results-oriented experts, a wide spectrum of knowledge, and tight collaboration. In hindsight, the crypto-ransomware incident described here would most likely have been detected and contained by up-to-date security systems, ISO/IEC 27001 best practices, user training, well-designed incident response procedures, and proper patch management. The fact remains, however, that state-sponsored groups from China, Russia, North Korea and elsewhere, as well as the organized criminal groups behind Ryuk and its successors, are tireless and represent an ongoing threat. If you do get hit by ransomware, you can be confident that Progent's roster of professionals has substantial experience in ransomware defense, removal, and file recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for making it so I could get some sleep after we made it through the initial fire. Everyone did an impressive job, and if any of your team is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Cambridge a range of remote monitoring and security assessment services to assist you to reduce your vulnerability to ransomware. These services utilize modern machine learning technology to uncover new strains of ransomware that can get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's cutting edge behavior-based machine learning tools to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely evade legacy signature-based AV products. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to automate the complete malware attack lifecycle including protection, infiltration detection, containment, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge tools packaged within a single agent accessible from a unified control. Progent's security and virtualization consultants can assist your business to plan and implement a ProSight ESP deployment that addresses your company's unique needs and that allows you achieve and demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent's consultants can also help you to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with advanced backup/restore technology companies to create ProSight Data Protection Services, a family of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup processes and allow transparent backup and rapid restoration of critical files/folders, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you protect against data loss caused by hardware breakdown, natural disasters, fire, cyber attacks like ransomware, user mistakes, malicious insiders, or software glitches. Managed services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading information security companies to provide web-based control and comprehensive security for all your inbound and outbound email. The architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The cloud filter serves as the first line of defense and blocks the vast majority of unwanted email before it reaches your security perimeter, which reduces your exposure to external attacks and conserves bandwidth and storage. Email Guard's on-premises security gateway provides a deeper layer of inspection for incoming email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Exchange Server in monitoring and protecting internal email that originates and terminates inside your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, monitor, enhance and debug their networking appliances like switches, firewalls, and wireless controllers as well as servers, printers, client computers and other devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that infrastructure topology diagrams are always updated, copies and manages the configuration of almost all devices on your network, tracks performance, and generates notices when problems are detected. By automating tedious management processes, ProSight WAN Watch can knock hours off common tasks such as network mapping, expanding your network, finding appliances that need important software patches, or isolating performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by tracking the state of vital assets that power your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so any potential problems can be resolved before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported easily to a different hardware environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect data about your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as 50% of time thrown away searching for vital information about your network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates next-generation behavior analysis tools to guard endpoints as well as physical and virtual servers against new malware assaults like ransomware and email phishing, which routinely get by legacy signature-based AV products. The service protects local and cloud resources and offers a single platform to manage the complete malware attack lifecycle including blocking, infiltration detection, containment, remediation, and post-attack forensics. Key features include one-click rollback with Windows VSS and real-time network-wide immunization against new attacks. Find out more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Service Desk: Call Center Managed Services
    Progent's Help Desk services enable your IT group to offload Call Center services to Progent or split activity for Help Desk services transparently between your in-house support group and Progent's extensive pool of IT service engineers and subject matter experts. Progent's Shared Service Desk offers a seamless extension of your in-house support group. End user access to the Help Desk, delivery of support services, escalation, trouble ticket creation and updates, efficiency measurement, and management of the service database are cohesive regardless of whether incidents are taken care of by your corporate IT support staff, by Progent, or a mix of the two. Find out more about Progent's outsourced/co-managed Service Center services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management offer businesses of any size a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your dynamic IT network. Besides maximizing the protection and reliability of your IT network, Progent's software/firmware update management services free up time for your IT team to concentrate on line-of-business projects and tasks that deliver the highest business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo authentication managed services utilize Cisco's Duo technology to protect against password theft by using two-factor authentication (2FA). Duo enables single-tap identity verification with iOS, Google Android, and other out-of-band devices. Using 2FA, when you log into a secured online account and give your password you are asked to confirm who you are on a device that only you possess and that uses a different network channel. A wide selection of devices can be utilized as this added means of ID validation such as a smartphone or wearable, a hardware/software token, a landline phone, etc. You can register several verification devices. For more information about Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding suite of in-depth reporting plug-ins designed to integrate with the leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-through or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24/7 Cambridge CryptoLocker Cleanup Consulting, contact Progent at 800-462-8800 or go to Contact Progent.