Crypto-Ransomware : Your Worst Information Technology Catastrophe
Ransomware  Remediation ProfessionalsRansomware has become a too-frequent cyber pandemic that poses an existential threat for businesses of all sizes unprepared for an attack. Different versions of crypto-ransomware such as Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for a long time and continue to cause havoc. The latest variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, plus daily unnamed newcomers, not only encrypt on-line critical data but also infect all configured system protection mechanisms. Files replicated to the cloud can also be ransomed. In a vulnerable data protection solution, it can make automatic restoration impossible and basically sets the datacenter back to square one.

Getting back services and data after a ransomware attack becomes a race against the clock as the targeted business fights to stop lateral movement and remove the ransomware and to resume mission-critical activity. Due to the fact that crypto-ransomware requires time to move laterally, penetrations are frequently launched on weekends, when successful penetrations may take longer to identify. This multiplies the difficulty of rapidly marshalling and coordinating a knowledgeable response team.

Progent offers an assortment of support services for securing organizations from ransomware attacks. These include user education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security appliances with AI capabilities from SentinelOne to detect and suppress day-zero cyber attacks intelligently. Progent in addition can provide the services of seasoned crypto-ransomware recovery engineers with the skills and perseverance to restore a breached network as urgently as possible.

Progent's Crypto-Ransomware Recovery Support Services
Soon after a ransomware attack, sending the ransom in cryptocurrency does not guarantee that distant criminals will provide the needed codes to decipher any of your information. Kaspersky Labs estimated that 17% of ransomware victims never restored their data even after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the typical ransomware demands, which ZDNET determined to be in the range of $13,000. The alternative is to setup from scratch the mission-critical parts of your IT environment. Absent the availability of complete data backups, this calls for a broad range of skills, professional team management, and the willingness to work non-stop until the job is over.

For twenty years, Progent has made available expert IT services for companies in Charleston and across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have been awarded advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience in accounting and ERP applications. This breadth of expertise gives Progent the ability to quickly understand necessary systems and organize the surviving parts of your network system following a ransomware penetration and rebuild them into a functioning network.

Progent's recovery group deploys powerful project management tools to coordinate the complex recovery process. Progent knows the urgency of working rapidly and together with a client's management and IT team members to assign priority to tasks and to put the most important services back on line as fast as humanly possible.

Customer Case Study: A Successful Ransomware Penetration Response
A business engaged Progent after their organization was taken over by Ryuk ransomware. Ryuk is thought to have been created by North Korean state criminal gangs, suspected of adopting algorithms leaked from the U.S. NSA organization. Ryuk targets specific organizations with limited ability to sustain disruption and is among the most profitable versions of ransomware malware. Major victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in Chicago with about 500 workers. The Ryuk penetration had disabled all essential operations and manufacturing capabilities. Most of the client's system backups had been on-line at the start of the intrusion and were damaged. The client was evaluating paying the ransom (more than $200,000) and praying for good luck, but ultimately made the decision to use Progent.


"I can't thank you enough in regards to the care Progent gave us throughout the most stressful time of (our) company's survival. We would have paid the cyber criminals if not for the confidence the Progent group afforded us. The fact that you were able to get our e-mail system and essential servers back online faster than five days was something I thought impossible. Each staff member I got help from or messaged at Progent was urgently focused on getting our company operational and was working 24 by 7 on our behalf."

Progent worked together with the client to rapidly determine and assign priority to the essential areas that needed to be restored in order to continue departmental functions:

  • Microsoft Active Directory
  • Exchange Server
  • MRP System
To get going, Progent adhered to ransomware event response industry best practices by halting the spread and cleaning up infected systems. Progent then started the steps of recovering Microsoft Active Directory, the heart of enterprise systems built on Microsoft technology. Microsoft Exchange Server email will not function without Active Directory, and the customer's MRP system leveraged Microsoft SQL, which requires Windows AD for authentication to the database.

Within two days, Progent was able to rebuild Active Directory services to its pre-attack state. Progent then helped perform reinstallations and storage recovery of mission critical applications. All Microsoft Exchange Server schema and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to locate intact OST data files (Outlook Email Off-Line Folder Files) on various workstations and laptops to recover mail information. A recent off-line backup of the client's financials/MRP systems made it possible to restore these essential applications back servicing users. Although a large amount of work still had to be done to recover fully from the Ryuk event, core systems were restored quickly:


"For the most part, the production operation showed little impact and we did not miss any customer deliverables."

During the next couple of weeks critical milestones in the recovery process were made in close cooperation between Progent engineers and the client:

  • In-house web sites were brought back up with no loss of information.
  • The MailStore Server exceeding four million archived emails was restored to operations and available for users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables/Inventory capabilities were 100% functional.
  • A new Palo Alto Networks 850 firewall was installed.
  • 90% of the desktops and laptops were fully operational.

"Much of what went on during the initial response is mostly a fog for me, but my team will not soon forget the countless hours each and every one of your team accomplished to give us our business back. I've been working together with Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A potential business-killing disaster was dodged due to top-tier professionals, a wide range of IT skills, and tight collaboration. Although in analyzing the event afterwards the ransomware penetration detailed here would have been identified and prevented with up-to-date cyber security solutions and best practices, user and IT administrator training, and well thought out security procedures for backup and proper patching controls, the fact is that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware incursion, feel confident that Progent's roster of experts has substantial experience in crypto-ransomware virus defense, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were involved), thank you for making it so I could get rested after we made it over the initial push. Everyone did an fabulous effort, and if any of your team is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Charleston a range of remote monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services include next-generation artificial intelligence technology to uncover new variants of ransomware that can escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based analysis technology to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely escape traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to manage the complete malware attack progression including filtering, identification, mitigation, cleanup, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, device control, and web filtering through cutting-edge technologies packaged within one agent accessible from a unified console. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that meets your company's specific needs and that allows you demonstrate compliance with legal and industry information security regulations. Progent will assist you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent's consultants can also help your company to install and verify a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software providers to produce ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and allow transparent backup and rapid recovery of vital files/folders, applications, images, and virtual machines. ProSight DPS helps you protect against data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned insiders, or software bugs. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading data security vendors to deliver centralized management and world-class security for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to offer advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. The cloud filter acts as a first line of defense and keeps the vast majority of threats from reaching your network firewall. This decreases your exposure to external threats and saves network bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper layer of inspection for incoming email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also help Exchange Server to monitor and protect internal email that originates and ends within your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map, track, enhance and troubleshoot their networking appliances such as routers, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that network diagrams are kept updated, captures and displays the configuration information of almost all devices on your network, monitors performance, and generates alerts when issues are discovered. By automating complex network management activities, ProSight WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating appliances that need important software patches, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating efficiently by checking the state of critical computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT management personnel and your Progent engineering consultant so that any potential issues can be resolved before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported easily to an alternate hosting solution without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard information about your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSLs or domains. By cleaning up and organizing your IT infrastructure documentation, you can save up to half of time spent searching for critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior machine learning technology to defend endpoints and servers and VMs against modern malware assaults such as ransomware and file-less exploits, which routinely escape traditional signature-matching AV products. Progent ASM services safeguard on-premises and cloud-based resources and offers a single platform to manage the entire malware attack progression including filtering, detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
    Progent's Call Desk services enable your information technology team to offload Support Desk services to Progent or divide responsibilities for Service Desk support transparently between your in-house network support resources and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk provides a smooth supplement to your core IT support staff. Client access to the Help Desk, delivery of support services, issue escalation, trouble ticket generation and tracking, efficiency metrics, and management of the service database are cohesive whether incidents are resolved by your internal network support resources, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management provide organizations of all sizes a versatile and affordable solution for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic information network. Besides maximizing the security and reliability of your IT network, Progent's patch management services allow your in-house IT staff to concentrate on line-of-business projects and activities that deliver the highest business value from your network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication service plans utilize Cisco's Duo technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo supports single-tap identity verification on Apple iOS, Android, and other personal devices. With 2FA, whenever you sign into a protected application and enter your password you are asked to confirm who you are via a device that only you possess and that is accessed using a different ("out-of-band") network channel. A wide selection of devices can be used for this second means of ID validation such as a smartphone or watch, a hardware token, a landline telephone, etc. You may designate several verification devices. To learn more about Duo identity validation services, visit Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing line of real-time management reporting plug-ins designed to integrate with the leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues like inconsistent support follow-through or endpoints with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For 24x7 Charleston CryptoLocker Remediation Help, call Progent at 800-462-8800 or go to Contact Progent.