Crypto-Ransomware: Your Feared IT Disaster
Crypto-Ransomware Recovery Consultants
Ransomware has become a modern cyber pandemic and an existential danger for organizations that are unprepared for an attack. Crypto-ransomware families such as CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock have been circulating for years and still cause harm. More recent variants such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, along with a steady stream of as-yet-unnamed newcomers, not only encrypt critical online data but also seek out and encrypt or destroy any system restore points and backups they can reach. Files synced to the cloud can be encrypted as well, because the sync client faithfully uploads the encrypted versions. In a poorly architected environment this renders automated restoration useless and effectively sets the datacenter back to square one.

Getting applications and data back online after a ransomware event is a sprint against the clock as the targeted business fights to contain the damage, eradicate the crypto-ransomware and resume business-critical operations. Because the attackers need time to move laterally and stage the encryption, the final payload is usually detonated at night or over a weekend, when fewer staff are watching and the attack takes longer to uncover. This compounds the difficulty of rapidly assembling and organizing an experienced response team.
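The timing point above is something a detection rule can exploit: a payload that detonates after hours produces a burst of file writes or renames from one account within seconds, which a human user never does. The following Python script, added here as an example and not part of Progent's services or the original page, runs a sliding-window detector over a constructed file-server audit log. The log format, the 07:00 to 19:00 working day and the threshold of 25 write-like operations per minute are assumptions chosen for illustration, not values from the page.

```python
"""Flag a user/host pair that rewrites many files in a short window, as a
ransomware payload does when it detonates. Added example, not Progent code."""
import os
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

WRITE_OPS = {"write", "rename", "delete"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local working day


def build_sample_log():
    """Constructed file-server audit lines (not real logs). Fields:
    <ISO timestamp> <user> <host> <op> <path>"""
    lines = [
        "2021-03-05T10:15:02 jdoe WS117 write /share/finance/q1.xlsx",
        "2021-03-05T10:16:40 asmith WS042 write /share/sales/orders.docx",
        "2021-03-05T14:03:11 jdoe WS117 rename /share/finance/q1-draft.xlsx",
        "2021-03-05T18:30:00 svc-backup FS01 read /share/finance/q1.xlsx",
    ]
    # Friday 22:00: one workstation rewrites 40 files with a new extension
    # in 40 seconds, the classic encryption burst.
    t0 = datetime(2021, 3, 5, 22, 0, 5)
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{ts} jdoe WS117 write /share/finance/doc{i}.xlsx.ryk")
    return lines


def parse_line(line):
    ts, user, host, op, path = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "op": op, "path": path}


def after_hours(ts):
    """True outside the assumed working day or on a weekend."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def detect_bursts(lines, window=timedelta(seconds=60), threshold=25):
    """Sliding-window count of write-like operations per (user, host).
    Emits one alert per pair the first time the count reaches threshold."""
    recent = defaultdict(deque)   # (user, host) -> deque of (ts, extension)
    fired = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["op"] not in WRITE_OPS:
            continue
        key = (ev["user"], ev["host"])
        q = recent[key]
        q.append((ev["ts"], os.path.splitext(ev["path"])[1].lower()))
        # drop entries older than the window before counting
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({
                "user": ev["user"], "host": ev["host"],
                "window_start": q[0][0], "window_end": ev["ts"],
                "count": len(q), "after_hours": after_hours(ev["ts"]),
                # a single unfamiliar extension dominating the window is a
                # strong hint that files are being renamed as they are encrypted
                "extensions": sorted({ext for _, ext in q}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

On the constructed log the detector fires once, for jdoe on WS117 at 22:00 on a Friday, with every file in the window carrying the same new extension; the daytime edits by the same user never come close to the threshold. In production the thresholds should be tuned per share, and service accounts that legitimately touch thousands of files (backup agents, indexers) allow-listed, or the rule will page on every nightly job.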

Progent offers a range of services for protecting organizations against crypto-ransomware. These include staff training to recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM) for managed endpoint protection, and deployment and configuration of SentinelOne's AI-based endpoint protection to discover and quarantine new threats automatically. Progent also provides seasoned crypto-ransomware recovery engineers with the track record and commitment to restore a compromised network as quickly as possible.

Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, even paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys to decrypt any of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data after paying, adding to their losses. The gamble is also expensive: Ryuk ransoms often run from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the essential components of your IT environment. Without complete, intact backups this calls for a broad range of skills, strong project management, and the ability to work around the clock until the job is done.

For twenty years, Progent has provided professional IT services to companies in Chattanooga and across the U.S. and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who hold top certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security engineers hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise in financial systems and ERP software. This breadth of expertise gives Progent the skills to quickly identify critical systems after a ransomware event, reintegrate the surviving components of your network, and bring them back into an operational system.

Progent's ransomware team uses proven project management methods to orchestrate the complex recovery process. Progent understands the urgency of working quickly and in unison with a customer's management and IT staff to prioritize tasks and bring critical services back online as soon as humanly possible.

Client Case Study: A Successful Ransomware Incident Recovery
A business sought out Progent after its network was hit by the Ryuk ransomware. Ryuk shares code with the earlier Hermes ransomware, which led to early speculation that it came from North Korean state-sponsored actors; later analysis attributed Ryuk operations to Russian-speaking criminal groups that deliver it through commodity malware such as TrickBot and Emotet. Ryuk targets specific organizations with little tolerance for disruption and is among the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a manufacturing business in the Chicago metro area with about 500 employees. The Ryuk attack had halted all business operations and manufacturing. Most of the client's backups had been directly reachable from the network when the intrusion began and were encrypted along with everything else. The client considered paying the ransom (more than $200,000) and hoping for the best, but ultimately turned to Progent.


"I can't say enough in regard to the support Progent provided us throughout the most stressful time of (our) business's existence. We would have had little choice but to pay the hackers if it weren't for the confidence the Progent team afforded us. The fact that you were able to get our messaging and important servers back in less than seven days was earth shattering. Each consultant I talked with or communicated with at Progent was urgently focused on getting us back online and was working day and night on our behalf."

Progent worked with the customer to quickly identify and prioritize the key applications that had to be recovered before departmental operations could restart:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP
To begin, Progent followed incident response best practices by isolating and cleaning the infected systems. Progent then began restoring Active Directory, the foundation of any Windows-based enterprise environment. Microsoft Exchange Server will not run without Active Directory, and the business's accounting and MRP applications ran on SQL Server, which relied on Active Directory (Windows authentication) for access to the databases.

In less than 48 hours, Progent had restored Active Directory to its pre-intrusion state. Progent then reinstalled key servers and recovered their storage. All Exchange data and configuration were intact, which greatly simplified the Exchange restore. Progent also located unencrypted Outlook Offline Data Files (OST files) on staff PCs and used them to recover mailbox data. A reasonably recent offline backup of the business's manufacturing software made it possible to bring these essential applications back to users. Although much work remained before full recovery from Ryuk, the most important services were back in operation quickly:


"For the most part, the production manufacturing operation survived unscathed and we produced all customer deliverables."

Over the following weeks, the remaining milestones in the recovery project were completed in close cooperation between Progent and the client:

  • In-house web applications were returned to operation without losing any data.
  • The MailStore email archive, holding more than 4 million historical Exchange messages, was restored and made available to users.
  • CRM, orders, invoicing, accounts payable, accounts receivable and inventory functions were fully operational.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Nearly all user desktops were operational.

"A lot of what was accomplished those first few days is nearly entirely a blur for me, but my team will not forget the dedication all of the team accomplished to help get our company back. I have been working together with Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This event was a life saver."

Conclusion
A potentially business-ending catastrophe was averted through dedicated professionals, a broad range of expertise, and close collaboration. In hindsight, the incident described here should have been prevented with up-to-date security controls, ISO/IEC 27001 best practices, user and administrator training, and properly executed procedures for data protection and patch management, but the reality is that ransomware operators, including state-sponsored groups in Russia, China and elsewhere, are relentless and remain an ongoing threat. If you are hit by crypto-ransomware, remember that Progent's team has proven experience in crypto-ransomware prevention, removal, and disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for letting me get some sleep after we got through the first week. Everyone did an amazing job, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer case study, see Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Chattanooga a range of remote monitoring and security assessment services to help minimize your exposure to ransomware. These services use AI-based behavioral analysis to detect new strains of crypto-ransomware that evade traditional signature-based anti-virus.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service built on SentinelOne's behavior-based analysis to guard physical and virtual endpoints against modern attacks such as ransomware and file-less exploits, which routinely slip past signature-based AV. ProSight ASM protects on-premises and cloud resources and provides a unified platform covering the full threat lifecycle: protection, detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback of encrypted files using Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly discovered attacks. Note that VSS-based rollback depends on shadow copies still existing on the endpoint; ransomware commonly tries to delete them before encrypting, so the agent must block that step as well. Progent is a SentinelOne partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
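The VSS-based rollback described above only works if shadow copies still exist when the agent acts, and ransomware families routinely delete them (via vssadmin, wmic, wbadmin or bcdedit) before encrypting. The following Python script, an added example rather than Progent or SentinelOne code, scans constructed process-creation events for those commands (MITRE ATT&CK technique T1490, Inhibit System Recovery) and escalates any host where several distinct techniques fire in sequence. The event format, host names and command lines are assumptions modelled loosely on Sysmon event 1 / Windows event 4688 telemetry, not data from the page.

```python
"""Scan process-creation events for commands that destroy Volume Shadow
Copies or disable Windows recovery (MITRE ATT&CK T1490). Added example,
not Progent or SentinelOne code."""
import re

# Each rule: (name, regex over the full command line). Case-insensitive
# because ransomware builders vary the casing of these commands.
SHADOW_TAMPER_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|"
                r"bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("WMI Win32_ShadowCopy delete",
     re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b", re.I)),
]

# Constructed process-creation events (not real telemetry), tab-separated:
# <timestamp> <host> <user> <parent image> <command line>
SAMPLE_EVENTS = [
    "2021-03-05T22:14:03\tFS01\tCORP\\svc-backup\tbackupagent.exe\tvssadmin.exe list shadows",
    "2021-03-05T22:16:10\tFS01\tCORP\\jdoe\tcmd.exe\tvssadmin.exe Delete Shadows /All /Quiet",
    "2021-03-05T22:16:11\tFS01\tCORP\\jdoe\tcmd.exe\twmic.exe shadowcopy delete",
    "2021-03-05T22:16:12\tFS01\tCORP\\jdoe\tcmd.exe\tbcdedit.exe /set {default} recoveryenabled No",
    "2021-03-05T22:16:13\tFS01\tCORP\\jdoe\tcmd.exe\twbadmin.exe delete catalog -quiet",
    '2021-03-05T22:16:20\tWS117\tCORP\\jdoe\tpowershell.exe\tpowershell.exe -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"',
    "2021-03-05T09:02:44\tWS042\tCORP\\asmith\texplorer.exe\tnotepad.exe C:\\notes.txt",
]


def classify(command_line):
    """Return the name of the first matching tamper rule, or None."""
    for name, pattern in SHADOW_TAMPER_RULES:
        if pattern.search(command_line):
            return name
    return None


def scan_events(events):
    """Parse the tab-separated events and keep those matching a rule."""
    hits = []
    for line in events:
        ts, host, user, parent, cmd = line.split("\t", 4)
        rule = classify(cmd)
        if rule:
            hits.append({"ts": ts, "host": host, "user": user,
                         "parent": parent, "rule": rule, "cmd": cmd})
    return hits


def escalate(hits, min_distinct=2):
    """Hosts where two or more distinct tamper techniques fired: treat as
    ransomware staging rather than an administrator's one-off command."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["rule"])
    return sorted(host for host, rules in by_host.items()
                  if len(rules) >= min_distinct)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["ts"]} {h["host"]} {h["user"]} [{h["rule"]}] {h["cmd"]}')
    print("escalate:", escalate(found))
```

On the constructed events the backup agent's `vssadmin list shadows` is correctly ignored, five tamper commands are flagged, and FS01 is escalated because four different techniques ran within seconds under one interactive account. Matching on the command line rather than the image name is deliberate: the same calls can be issued through PowerShell or WMI without ever launching vssadmin.exe, which the last rule covers.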

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and machine learning to continuously monitor and respond to threats across all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through technologies incorporated in a single agent managed from a unified console. Progent's security and virtualization consultants can help you plan and configure a ProSight ESP environment that meets your company's needs and that allows you to achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that call for urgent action. Progent can also help you set up and verify a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with leading backup software providers to produce ProSight Data Protection Services (DPS), a family of management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and monitor your data backup processes and allow non-disruptive backup and rapid recovery of vital files, apps, system images, and virtual machines. ProSight DPS lets you avoid data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks like ransomware, human mistakes, malicious insiders, or application bugs. Managed services in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading data security vendors to deliver web-based control and comprehensive protection for all your email traffic. Email Guard combines cloud-based filtering with an on-premises security gateway appliance to protect against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first barrier and keeps most threats from ever reaching your network firewall, which reduces your exposure to inbound threats and conserves bandwidth and storage. The onsite security gateway appliance adds a further level of analysis for incoming email. For outgoing email, the local gateway provides AV and anti-spam filtering, data leakage protection (DLP), and email encryption. The onsite gateway can also help Microsoft Exchange Server track and protect internal email that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller organizations to map, track, optimize and troubleshoot their networking appliances such as routers, switches, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Using RMM technology, WAN Watch keeps infrastructure topology diagrams up to date, backs up and manages the configuration of almost every device connected to your network, monitors performance, and generates alerts when potential issues are discovered. By automating complex network management activities, WAN Watch can knock hours off common chores like drawing network diagrams, reconfiguring your network, finding devices that need critical updates, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) technology to keep your network operating efficiently by checking the state of vital computers that drive your business network. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT management staff and your Progent engineering consultant so that any potential problems can be resolved before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting, a small or mid-size organization can have its key servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved easily to alternate hardware without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and protect information about your network infrastructure, procedures, business applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as half of the time spent hunting for critical information about your network. ProSight IT Asset Management provides a central location for storing and collaborating on all documents related to managing your network infrastructure, such as recommended procedures and self-service instructions. It also offers a high level of automation for gathering and associating IT data. Whether you are making enhancements, performing routine maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that uses behavior-based machine learning to guard workstations, servers and VMs against modern malware attacks such as ransomware and phishing payloads, which routinely bypass signature-based anti-virus. The service, delivered through ProSight ASM, protects local and cloud-based resources and provides a unified platform automating the full attack lifecycle: blocking, identification, containment, cleanup, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Call Desk: Call Center Managed Services
    Progent's Support Desk services permit your information technology staff to offload Call Center services to Progent or divide activity for Service Desk support seamlessly between your internal network support team and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a seamless supplement to your in-house network support staff. User access to the Help Desk, delivery of support, escalation, trouble ticket creation and updates, efficiency measurement, and management of the support database are consistent whether issues are taken care of by your corporate support group, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer businesses of all sizes a versatile and cost-effective alternative for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information system. In addition to optimizing the security and functionality of your IT environment, Progent's software/firmware update management services free up time for your in-house IT staff to concentrate on more strategic projects and activities that deliver maximum business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA service plans use Cisco's Duo cloud technology to protect against stolen passwords through two-factor authentication (2FA). Duo supports one-tap identity verification on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected application and enter your password you are asked to verify your identity using a device that only you possess and that is reached over a separate network channel. A wide range of devices can serve as this second factor, such as an iPhone, an Android phone, a smartwatch, a hardware token, or a landline phone, and you may register more than one. To learn more about ProSight Duo identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.
For Chattanooga 24/7 Ransomware Removal Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.