Ransomware : Your Worst Information Technology Nightmare
Ransomware  Recovery ExpertsRansomware has become a modern cyberplague that poses an extinction-level danger for organizations unprepared for an attack. Different versions of ransomware like the CrySIS, Fusob, Locky, Syskey and MongoLock cryptoworms have been replicating for years and still cause havoc. More recent variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, plus frequent as yet unnamed malware, not only do encryption of online files but also infiltrate all available system restores and backups. Data replicated to cloud environments can also be ransomed. In a poorly architected data protection solution, this can make automatic restore operations impossible and effectively sets the entire system back to square one.

Getting back online services and information following a crypto-ransomware intrusion becomes a sprint against time as the victim tries its best to contain the damage and remove the ransomware and to restore enterprise-critical operations. Because ransomware requires time to move laterally, penetrations are usually launched on weekends, when successful penetrations may take more time to notice. This multiplies the difficulty of rapidly marshalling and organizing a capable response team.

Progent offers a variety of help services for protecting organizations from ransomware events. These include user education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security appliances with machine learning technology from SentinelOne to discover and disable zero-day threats quickly. Progent in addition provides the assistance of veteran ransomware recovery consultants with the talent and perseverance to restore a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Recovery Support Services
Subsequent to a crypto-ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will respond with the needed keys to decrypt any or all of your data. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their data even after having paid the ransom, resulting in more losses. The risk is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly above the average ransomware demands, which ZDNET estimates to be around $13,000. The alternative is to piece back together the mission-critical elements of your Information Technology environment. Without the availability of full system backups, this requires a wide complement of IT skills, well-coordinated team management, and the willingness to work 24x7 until the job is done.

For twenty years, Progent has made available expert IT services for businesses in Charleston and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned high-level industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have garnered internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of experience gives Progent the ability to rapidly identify critical systems and organize the remaining components of your IT system following a ransomware event and rebuild them into an operational network.

Progent's security group deploys powerful project management systems to orchestrate the complex restoration process. Progent appreciates the urgency of working rapidly and together with a client's management and IT staff to prioritize tasks and to put the most important applications back online as fast as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Penetration Restoration
A small business escalated to Progent after their network system was brought down by the Ryuk crypto-ransomware. Ryuk is thought to have been deployed by Northern Korean government sponsored criminal gangs, suspected of using techniques leaked from America's NSA organization. Ryuk seeks specific organizations with little tolerance for operational disruption and is one of the most profitable versions of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company based in Chicago with about 500 workers. The Ryuk penetration had brought down all essential operations and manufacturing capabilities. The majority of the client's data protection had been on-line at the beginning of the intrusion and were encrypted. The client considered paying the ransom (more than two hundred thousand dollars) and wishfully thinking for good luck, but ultimately engaged Progent.


"I can't thank you enough in regards to the care Progent provided us throughout the most critical period of (our) businesses existence. We would have paid the cybercriminals if it wasn't for the confidence the Progent experts afforded us. The fact that you could get our e-mail and critical servers back online in less than 1 week was earth shattering. Each expert I talked with or messaged at Progent was hell bent on getting us back online and was working breakneck pace to bail us out."

Progent worked hand in hand the client to quickly get our arms around and assign priority to the key services that had to be recovered in order to resume departmental operations:

  • Active Directory (AD)
  • E-Mail
  • Accounting/MRP
To begin, Progent followed Anti-virus penetration mitigation industry best practices by stopping lateral movement and removing active viruses. Progent then initiated the steps of recovering Microsoft Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange email will not function without Active Directory, and the client's MRP system utilized SQL Server, which depends on Windows AD for security authorization to the databases.

In less than 48 hours, Progent was able to restore Active Directory to its pre-attack state. Progent then assisted with setup and hard drive recovery of key systems. All Exchange Server ties and attributes were usable, which greatly helped the restore of Exchange. Progent was also able to locate non-encrypted OST files (Microsoft Outlook Offline Data Files) on various desktop computers and laptops to recover email messages. A recent off-line backup of the businesses accounting/MRP systems made it possible to return these essential applications back online. Although a lot of work was left to recover completely from the Ryuk virus, essential services were recovered quickly:


"For the most part, the production manufacturing operation was never shut down and we delivered all customer shipments."

Throughout the following couple of weeks critical milestones in the recovery project were completed through tight cooperation between Progent engineers and the customer:

  • Self-hosted web applications were brought back up with no loss of data.
  • The MailStore Microsoft Exchange Server exceeding four million archived emails was brought online and available for users.
  • CRM/Orders/Invoices/AP/Accounts Receivables/Inventory functions were completely recovered.
  • A new Palo Alto 850 security appliance was set up.
  • Most of the desktops and laptops were being used by staff.

"A lot of what went on in the early hours is nearly entirely a blur for me, but my management will not soon forget the countless hours all of your team put in to give us our company back. I've been working together with Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered. This time was a stunning achievement."

Conclusion
A possible business-ending catastrophe was averted by top-tier experts, a broad array of technical expertise, and tight collaboration. Although upon completion of forensics the ransomware virus incident detailed here could have been blocked with current cyber security technology and best practices, team training, and appropriate security procedures for data protection and proper patching controls, the reality remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of experts has extensive experience in crypto-ransomware virus blocking, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were helping), thanks very much for allowing me to get some sleep after we got past the first week. Everyone did an impressive job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Charleston a variety of remote monitoring and security assessment services to assist you to minimize the threat from ransomware. These services incorporate modern machine learning technology to uncover zero-day strains of ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior analysis tools to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus products. ProSight ASM safeguards local and cloud-based resources and offers a single platform to automate the entire malware attack lifecycle including filtering, detection, containment, cleanup, and forensics. Top features include one-click rollback using Windows VSS and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge technologies packaged within a single agent accessible from a single control. Progent's data protection and virtualization experts can help you to design and implement a ProSight ESP environment that meets your organization's unique requirements and that helps you achieve and demonstrate compliance with legal and industry data security regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also assist you to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with leading backup software companies to create ProSight Data Protection Services, a family of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and monitor your backup operations and allow transparent backup and rapid restoration of important files, apps, system images, plus VMs. ProSight DPS helps you protect against data loss resulting from equipment failures, natural calamities, fire, malware like ransomware, user mistakes, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these fully managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading data security vendors to deliver web-based management and world-class protection for all your email traffic. The hybrid structure of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter acts as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This reduces your vulnerability to external attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper level of analysis for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Exchange Server to track and protect internal email traffic that originates and ends within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, monitor, optimize and debug their connectivity hardware such as switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and generates notices when problems are detected. By automating tedious management processes, WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, finding devices that require important software patches, or isolating performance problems. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by checking the state of vital assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your designated IT management personnel and your assigned Progent engineering consultant so all looming problems can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the client owns the data, the OS software, and the apps. Since the system is virtualized, it can be ported immediately to an alternate hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard information related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSLs ,domains or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate up to 50% of time thrown away looking for critical information about your IT network. ProSight IT Asset Management features a common repository for storing and sharing all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting edge behavior machine learning tools to defend endpoint devices and physical and virtual servers against modern malware assaults such as ransomware and file-less exploits, which easily get by legacy signature-based anti-virus tools. Progent ASM services safeguard local and cloud-based resources and provides a unified platform to address the complete malware attack lifecycle including blocking, detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Help Desk: Support Desk Managed Services
    Progent's Call Desk services permit your IT staff to outsource Call Center services to Progent or split activity for support services transparently between your internal support group and Progent's extensive pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless extension of your core support organization. End user access to the Service Desk, provision of support services, issue escalation, trouble ticket creation and updates, efficiency measurement, and management of the service database are consistent whether issues are taken care of by your internal support staff, by Progent, or by a combination. Learn more about Progent's outsourced/shared Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide businesses of all sizes a flexible and cost-effective alternative for assessing, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information network. In addition to optimizing the security and reliability of your IT environment, Progent's patch management services allow your IT staff to focus on line-of-business initiatives and tasks that deliver the highest business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to defend against password theft through the use of two-factor authentication. Duo enables single-tap identity verification on iOS, Google Android, and other personal devices. Using 2FA, whenever you sign into a secured application and give your password you are asked to confirm your identity via a unit that only you possess and that uses a different ("out-of-band") network channel. A wide selection of devices can be utilized for this second means of authentication including an iPhone or Android or wearable, a hardware/software token, a landline phone, etc. You can register multiple verification devices. For more information about Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding suite of real-time management reporting plug-ins created to integrate with the industry's leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as inconsistent support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24/7 Charleston CryptoLocker Removal Consulting, contact Progent at 800-462-8800 or go to Contact Progent.