Crypto-Ransomware : Your Worst Information Technology Nightmare
Crypto-Ransomware  Remediation ExpertsRansomware has become a too-frequent cyber pandemic that poses an enterprise-level threat for businesses of all sizes unprepared for an assault. Multiple generations of crypto-ransomware such as Dharma, WannaCry, Locky, Syskey and MongoLock cryptoworms have been running rampant for years and continue to inflict harm. More recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, plus daily unnamed viruses, not only encrypt online data files but also infect many available system protection mechanisms. Files synched to cloud environments can also be ransomed. In a vulnerable environment, this can render automated restoration useless and effectively knocks the datacenter back to zero.

Retrieving services and data after a crypto-ransomware attack becomes a sprint against time as the targeted business struggles to stop lateral movement and cleanup the crypto-ransomware and to resume enterprise-critical operations. Because ransomware needs time to replicate, assaults are frequently sprung during weekends and nights, when penetrations tend to take longer to identify. This multiplies the difficulty of rapidly mobilizing and orchestrating an experienced response team.

Progent has a range of support services for protecting organizations from ransomware events. Among these are staff training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security gateways with machine learning technology from SentinelOne to discover and disable zero-day cyber threats quickly. Progent in addition can provide the services of expert ransomware recovery professionals with the talent and commitment to reconstruct a breached environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Help
Following a crypto-ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not provide any assurance that distant criminals will return the codes to decipher any or all of your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET averages to be around $13,000. The alternative is to setup from scratch the critical components of your Information Technology environment. Absent the availability of full system backups, this requires a broad range of skill sets, top notch project management, and the willingness to work 24x7 until the task is done.

For two decades, Progent has provided certified expert IT services for businesses in Columbus and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned high-level certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have garnered internationally-recognized certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience in financial systems and ERP software solutions. This breadth of expertise gives Progent the skills to knowledgably understand important systems and consolidate the remaining components of your Information Technology environment after a ransomware attack and assemble them into an operational system.

Progent's ransomware team of experts deploys top notch project management systems to orchestrate the complicated restoration process. Progent knows the importance of acting rapidly and in unison with a client's management and IT team members to prioritize tasks and to put essential applications back on line as soon as possible.

Customer Case Study: A Successful Ransomware Virus Restoration
A business escalated to Progent after their company was brought down by Ryuk ransomware. Ryuk is believed to have been created by Northern Korean state criminal gangs, possibly using techniques exposed from America's NSA organization. Ryuk goes after specific companies with little tolerance for disruption and is among the most profitable examples of ransomware. Well Known targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer located in the Chicago metro area with about 500 employees. The Ryuk event had paralyzed all essential operations and manufacturing processes. Most of the client's data backups had been on-line at the beginning of the attack and were eventually encrypted. The client was evaluating paying the ransom demand (in excess of $200K) and praying for the best, but ultimately called Progent.


"I can't speak enough about the care Progent gave us during the most stressful time of (our) company's life. We had little choice but to pay the criminal gangs except for the confidence the Progent group afforded us. The fact that you could get our messaging and important applications back on-line sooner than five days was incredible. Every single staff member I spoke to or e-mailed at Progent was totally committed on getting us back on-line and was working at all hours to bail us out."

Progent worked with the client to quickly understand and assign priority to the mission critical applications that had to be recovered in order to resume company functions:

  • Windows Active Directory
  • Microsoft Exchange Email
  • MRP System
To begin, Progent followed AV/Malware Processes event response best practices by halting the spread and clearing infected systems. Progent then started the steps of rebuilding Microsoft Active Directory, the key technology of enterprise systems built upon Microsoft Windows Server technology. Exchange messaging will not work without Windows AD, and the customer's accounting and MRP applications utilized Microsoft SQL Server, which needs Active Directory services for authentication to the databases.

Within 2 days, Progent was able to re-build Active Directory services to its pre-attack state. Progent then performed reinstallations and hard drive recovery on key servers. All Exchange schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to locate intact OST data files (Microsoft Outlook Offline Data Files) on various workstations and laptops to recover email information. A not too old off-line backup of the client's manufacturing systems made them able to restore these essential applications back online for users. Although a lot of work still had to be done to recover completely from the Ryuk virus, critical services were recovered rapidly:


"For the most part, the production operation survived unscathed and we did not miss any customer shipments."

During the next few weeks key milestones in the restoration process were completed in close collaboration between Progent engineers and the client:

  • Internal web sites were returned to operation without losing any data.
  • The MailStore Microsoft Exchange Server with over four million historical messages was spun up and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were completely recovered.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • 90% of the desktop computers were operational.

"Much of what occurred that first week is mostly a fog for me, but my team will not forget the dedication each of you accomplished to give us our business back. I have utilized Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This event was a testament to your capabilities."

Conclusion
A probable business-ending disaster was averted through the efforts of dedicated professionals, a wide range of IT skills, and tight teamwork. Although upon completion of forensics the ransomware virus penetration detailed here could have been stopped with current security solutions and recognized best practices, staff training, and well designed security procedures for data backup and keeping systems up to date with security patches, the reality is that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's team of experts has extensive experience in ransomware virus defense, removal, and information systems recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get rested after we made it through the most critical parts. Everyone did an incredible job, and if any of your guys is visiting the Chicago area, a great meal is on me!"

To read or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Columbus a portfolio of remote monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services include modern AI technology to detect new strains of crypto-ransomware that are able to get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting edge behavior-based machine learning technology to guard physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-matching AV products. ProSight ASM protects local and cloud resources and provides a single platform to manage the entire malware attack progression including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, penetration alerts, device management, and web filtering through leading-edge tools packaged within one agent accessible from a single console. Progent's security and virtualization experts can help your business to plan and configure a ProSight ESP environment that meets your company's unique needs and that allows you demonstrate compliance with government and industry information security standards. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent's consultants can also help your company to install and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with leading backup software providers to create ProSight Data Protection Services, a portfolio of offerings that provide backup-as-a-service. ProSight DPS services manage and monitor your data backup operations and allow non-disruptive backup and rapid recovery of important files, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets you avoid data loss caused by equipment failures, natural calamities, fire, cyber attacks like ransomware, user mistakes, ill-intentioned employees, or application bugs. Managed backup services in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security vendors to deliver centralized management and world-class security for your inbound and outbound email. The hybrid architecture of Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter serves as a first line of defense and blocks the vast majority of threats from reaching your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper level of analysis for incoming email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and protect internal email that stays inside your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, monitor, reconfigure and troubleshoot their networking hardware such as routers, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, captures and displays the configuration of almost all devices connected to your network, monitors performance, and generates notices when problems are discovered. By automating complex management and troubleshooting activities, WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, finding devices that require critical updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to keep your IT system running efficiently by tracking the state of vital assets that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your specified IT management personnel and your Progent engineering consultant so all looming problems can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Because the system is virtualized, it can be ported immediately to a different hosting solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard information about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about impending expirations of SSLs ,domains or warranties. By updating and managing your IT infrastructure documentation, you can eliminate as much as half of time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates next generation behavior-based machine learning tools to guard endpoint devices as well as physical and virtual servers against new malware attacks like ransomware and email phishing, which routinely evade legacy signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard local and cloud-based resources and offers a unified platform to address the entire malware attack lifecycle including filtering, detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Call Center: Help Desk Managed Services
    Progent's Support Desk services allow your IT staff to offload Call Center services to Progent or split responsibilities for Help Desk services seamlessly between your in-house support resources and Progent's extensive roster of IT support engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent extension of your internal IT support team. Client interaction with the Help Desk, delivery of support, problem escalation, trouble ticket creation and tracking, efficiency measurement, and maintenance of the support database are consistent regardless of whether incidents are resolved by your core IT support staff, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of any size a versatile and affordable solution for assessing, testing, scheduling, applying, and documenting updates to your ever-evolving information network. Besides maximizing the security and reliability of your IT environment, Progent's software/firmware update management services free up time for your IT staff to concentrate on line-of-business initiatives and tasks that derive the highest business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to protect against password theft by using two-factor authentication. Duo supports single-tap identity verification with iOS, Android, and other personal devices. Using 2FA, when you sign into a protected online account and give your password you are requested to confirm who you are via a unit that only you have and that is accessed using a separate network channel. A broad selection of out-of-band devices can be used for this added means of authentication including a smartphone or watch, a hardware/software token, a landline telephone, etc. You may register multiple verification devices. To find out more about Duo identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing suite of real-time reporting plug-ins designed to work with the industry's leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues like inconsistent support follow-through or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For 24-7 Columbus Crypto-Ransomware Recovery Experts, call Progent at 800-462-8800 or go to Contact Progent.