Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware has become a modern cyber pandemic and an enterprise-level threat for any business vulnerable to an attack. Earlier crypto-ransomware families such as CryptoLocker, Fusob, Bad Rabbit, NotPetya and MongoLock have circulated for years and still cause harm. Current families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Nefilim, plus many unnamed variants, not only encrypt online data files but also encrypt or delete any system restore points and backups they can reach. Files replicated to off-site disaster recovery sites can be ransomed as well. In a vulnerable environment this renders automated restoration useless and effectively sends the entire system back to square one.

Recovering applications and data after a ransomware outage becomes a sprint against time as the targeted business tries to contain and clean up the crypto-ransomware and resume mission-critical operations. Because the operators need time to move laterally and stage the encryption, the final payload is often detonated at night or on weekends, when a successful attack takes longer to discover. This compounds the difficulty of promptly mobilizing and coordinating a capable response team.

Progent offers an assortment of services for protecting enterprises from ransomware events. Among these are staff training to help employees recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for endpoint protection and response, and deployment of the latest generation of security agents with AI technology from SentinelOne to identify and disable zero-day threats rapidly. Progent also provides the services of seasoned crypto-ransomware recovery professionals with the skills and commitment to restore a compromised environment as soon as possible.

Progent's Crypto-Ransomware Recovery Services
Following a ransomware intrusion, even paying the ransom in cryptocurrency does not guarantee that the criminal gang will provide working keys to decrypt all your data. Kaspersky determined that 17% of ransomware victims never restored their files even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), significantly higher than the typical crypto-ransomware demand, which ZDNet reported to be approximately $13,000. The alternative is to rebuild the vital elements of your IT environment. Without access to essential data backups, this calls for a wide complement of IT skills, professional project management, and the ability to work continuously until the recovery is complete.

For two decades, Progent has provided expert IT services for businesses in Chattanooga and throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants hold internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in accounting and ERP applications. This breadth of experience gives Progent the skills to knowledgeably identify critical systems, integrate the surviving parts of your IT environment following a crypto-ransomware event, and assemble them into a functioning whole.

Progent's security team uses best-of-breed project management tools to coordinate the complex recovery process. Progent understands the urgency of working swiftly and in concert with a client's management and IT staff to prioritize tasks and get key systems back online as soon as possible.

Business Case Study: A Successful Ransomware Attack Response
A business contacted Progent after their network was brought down by Ryuk ransomware. Early reports linked Ryuk to North Korean state-sponsored actors because it shares code with the Hermes ransomware, but later analysis attributed it to a Russian-speaking criminal group (tracked by CrowdStrike as Grim Spider, part of Wizard Spider) that typically delivers it into networks already compromised by Emotet or TrickBot. Ryuk targets specific businesses with little or no ability to sustain operational disruption and is among the most lucrative ransomware families. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company based in the Chicago metro area with around 500 employees. The Ryuk intrusion had shut down all essential business operations and manufacturing capabilities. Most of the client's data backups had been online at the start of the intrusion and were eventually encrypted. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but in the end brought in Progent.


"I can't say enough in regards to the care Progent gave us during the most critical time of (our) company's survival. We would have paid the cyber criminals if not for the confidence the Progent group provided us. That you were able to get our messaging and production applications back on-line sooner than a week was incredible. Each staff member I got help from or e-mailed at Progent was urgently focused on getting us restored and was working all day and night to bail us out."

Progent worked hand in hand with the customer to quickly assess and prioritize the essential applications that had to be addressed to make it possible to restart departmental functions:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP
To begin, Progent followed incident response best practices: isolating affected systems to halt lateral movement and removing the malware before any restoration work started. Progent then began restoring Windows Active Directory, the foundation of any enterprise environment built on Microsoft Windows. Exchange Server will not operate without AD, and the client's MRP application used SQL Server configured for Windows (integrated) authentication, which also depends on AD. Restoring AD from a pre-intrusion state does not by itself revoke credentials the attackers captured on their way in, so domain, service and krbtgt account passwords need to be reset as part of the rebuild.

Within 48 hours, Progent restored Active Directory to its pre-intrusion state. Progent then assisted with reinstallation and disk recovery of key applications. All Exchange Server data and AD attributes were intact, which simplified the rebuild of Exchange. Progent collected unencrypted OST files (Outlook Offline Folder Files) from various workstations and laptops to recover mailbox data. A fairly recent offline backup of the business's financials/MRP software made it possible to bring these essential services back online. Although much work remained to recover fully from Ryuk, core systems were restored rapidly:
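Recovering mail from cached OST files, as described above, starts with finding out which copies on the workstations are still usable. The script below is an added example, not code from Progent or from the case study: it walks a directory tree (for instance a mounted workstation image), picks out .ost/.pst files even when ransomware has appended an extra extension, and classifies each one by the "!BDN" signature that intact Outlook data files carry at offset 0, falling back to a Shannon entropy estimate to separate encrypted files from merely corrupt or mislabeled ones. The sample files it builds are constructed for the demo and are not real mailboxes; the 7.9 bits/byte threshold and the 64 KiB sample size are assumptions.

```python
"""Triage Outlook data files (.ost/.pst) after a ransomware event.

Intact PST/OST files begin with the 4-byte signature b"!BDN". A file that
has lost that signature and whose content looks like random noise has very
likely been encrypted; one that has lost it but is low-entropy is something
else (truncated, corrupt, misnamed) and needs manual review.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

OUTLOOK_MAGIC = b"!BDN"      # signature at offset 0 of PST and OST files
SAMPLE_BYTES = 64 * 1024     # how much of each file to inspect (assumption)
ENCRYPTED_ENTROPY = 7.9      # bits/byte; uniform random data scores ~7.99 (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_outlook_file(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one candidate file."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(OUTLOOK_MAGIC):
        return "intact"
    if shannon_entropy(head) >= ENCRYPTED_ENTROPY:
        return "encrypted"
    return "unknown"


def is_outlook_candidate(path: Path) -> bool:
    """Match .ost/.pst anywhere in the suffix chain, so a file renamed by
    ransomware (e.g. 'mail.ost.locked', a constructed extension) is still examined."""
    return any(s.lower() in (".ost", ".pst") for s in path.suffixes)


def triage_outlook_files(root: Path) -> dict:
    """Classify every OST/PST candidate under root; keys are POSIX-style relative paths."""
    return {
        p.relative_to(root).as_posix(): classify_outlook_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and is_outlook_candidate(p)
    }


def build_constructed_samples(root: Path) -> None:
    """Write three constructed sample files (not real mailboxes) for the demo."""
    rng = random.Random(20200101)  # fixed seed so the demo is repeatable
    (root / "ws01").mkdir(parents=True, exist_ok=True)
    (root / "ws02").mkdir(parents=True, exist_ok=True)
    # Looks like a usable OST: correct signature followed by low-entropy data.
    (root / "ws01" / "alice.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 4096)
    # Encrypted by ransomware: signature gone, body random, extension appended.
    noise = bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))
    (root / "ws02" / "bob.ost.locked").write_bytes(noise)
    # Misnamed text file: no signature, but nowhere near random.
    (root / "ws02" / "notes.pst").write_bytes(b"not an outlook file\n" * 200)


def run_demo() -> dict:
    """Build the constructed samples in a fresh temp directory and triage them."""
    demo_root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    build_constructed_samples(demo_root)
    return triage_outlook_files(demo_root)


if __name__ == "__main__":
    for rel, verdict in run_demo().items():
        print(f"{verdict:9s} {rel}")
```

A surviving signature is evidence, not proof: some ransomware families encrypt only part of each file, so a file reported as intact should still be opened in Outlook or with a PST parser before it is counted as recovered mail. Treat the 'unknown' verdicts as a manual review queue rather than discarding them.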


"For the most part, the manufacturing operation never missed a beat and we delivered all customer deliverables."

Over the next few weeks, critical milestones in the restoration project were completed through tight cooperation between Progent consultants and the client:

  • In-house web applications were returned to operation with no loss of data.
  • The MailStore email archive, holding over four million archived Exchange messages, was restored to service and made accessible to users.
  • CRM, orders, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were fully restored.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • Ninety percent of the desktop computers were back in operation.

"Much of what went on that first week is mostly a fog for me, but my management will not soon forget the countless hours each of you put in to help get our company back. I have been working together with Progent for the past ten years, maybe more, and every time Progent has come through and delivered. This event was a life saver."

Conclusion
A potentially company-ending catastrophe was averted through results-oriented experts, a broad array of subject matter expertise, and close collaboration. Post-incident forensics showed that the ransomware intrusion described here could have been identified and stopped with modern security tooling, security best practices, staff training, and properly executed procedures for data protection and security patching; the fact remains, though, that criminal and state-sponsored attackers from Russia, China and elsewhere are relentless and will keep trying. If you do fall victim to ransomware, remember that Progent's team has substantial experience in crypto-ransomware defense, cleanup, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for allowing me to get some sleep after we got over the first week. All of you made an incredible effort, and if any of your team is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Chattanooga a portfolio of remote monitoring and security evaluation services to help you minimize your exposure to crypto-ransomware. These services include modern AI capability to detect new strains of ransomware that evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses SentinelOne's next-generation behavioral machine learning technology to defend physical and virtual endpoints against new malware attacks such as ransomware and phishing payloads, which easily get past traditional signature-matching anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to manage the complete malware attack lifecycle including filtering, detection, mitigation, cleanup, and forensics. Key capabilities include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Note that many ransomware families, Ryuk among them, delete shadow copies before encrypting, so VSS-based rollback depends on the endpoint agent preventing that deletion and is a complement to, not a replacement for, offline backups. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to cyber attacks from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through technologies incorporated within one agent managed from a single console. Progent's data protection and virtualization consultants can help your business design and configure a ProSight ESP environment that meets your organization's specific needs and that allows you to demonstrate compliance with legal and industry information protection standards. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also help you set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup technology providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS services manage and track your data backup processes and enable non-disruptive backup and rapid restoration of important files/folders, apps, images, and VMs. ProSight DPS lets you avoid data loss resulting from equipment failures, natural calamities, fire, malware like ransomware, user error, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security vendors to deliver web-based control and comprehensive protection for your inbound and outbound email. The architecture of Progent's Email Guard combines cloud-based filtering with a local security gateway appliance to provide protection against spam, viruses, denial of service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a preliminary barrier and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper level of inspection for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also help Exchange Server track and safeguard internal email traffic that stays within your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map, track, enhance and troubleshoot their connectivity appliances such as switches, firewalls, and access points as well as servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are always current, copies and displays the configuration of almost all devices on your network, tracks performance, and generates alerts when issues are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, finding appliances that need critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network running at peak levels by tracking the health of vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT personnel and your Progent engineering consultant so any potential issues can be resolved before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hardware solution without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to capture, update, find and protect information about your IT infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and organizing your network documentation, you can eliminate as much as half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and how-to guides. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're making enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Find out more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates next-generation behavior-based machine learning tools to guard endpoint devices, servers and VMs against new malware attacks such as ransomware and fileless exploits, which easily evade traditional signature-matching anti-virus tools. The service safeguards on-premises and cloud resources and provides a single platform to address the complete malware attack progression including filtering, detection, containment, remediation, and post-attack forensics. Top features include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Desk: Call Center Managed Services
    Progent's Support Center managed services allow your information technology staff to offload Help Desk services to Progent or split responsibilities for support services seamlessly between your in-house support staff and Progent's nationwide pool of certified IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent extension of your in-house support team. User interaction with the Help Desk, provision of technical assistance, problem escalation, ticket generation and tracking, efficiency metrics, and maintenance of the support database are cohesive whether issues are taken care of by your in-house IT support staff, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of any size a versatile and affordable alternative for assessing, testing, scheduling, applying, and documenting updates to your dynamic information system. In addition to maximizing the protection and functionality of your IT environment, Progent's patch management services free up time for your IT staff to concentrate on line-of-business projects and tasks that derive maximum business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services use Cisco's Duo cloud technology to limit the damage from stolen passwords by requiring two-factor authentication. Duo enables one-tap identity confirmation with Apple iOS, Android, and other out-of-band devices. With 2FA, whenever you sign into a protected application and enter your password you are asked to confirm your identity on a device that only you possess and that uses a separate network channel. A wide selection of devices can be used for this added means of identity validation, such as a smartphone or smartwatch, a hardware or software token, or a landline phone. You may designate several verification devices. For details about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding line of real-time and in-depth management reporting tools created to work with the industry's top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues like inconsistent support follow-through or machines with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For Chattanooga 24x7x365 Crypto-Ransomware Recovery Help, contact Progent at 800-462-8800 or go to Contact Progent.