Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a modern cyber pandemic that represents an existential danger for businesses unprepared for an assault. Different versions of ransomware such as Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been running rampant for many years and still cause destruction. Recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus daily unnamed newcomers, not only do encryption of on-line files but also infect all available system protection mechanisms. Files synchronized to cloud environments can also be rendered useless. In a vulnerable system, this can make automated restoration useless and effectively knocks the network back to square one.

Recovering services and data following a crypto-ransomware intrusion becomes a sprint against time as the targeted business tries its best to contain and remove the virus and to restore mission-critical activity. Since crypto-ransomware requires time to move laterally, attacks are usually launched on weekends and holidays, when successful attacks typically take longer to identify. This multiplies the difficulty of promptly mobilizing and orchestrating a knowledgeable response team.

Progent has a variety of services for protecting enterprises from crypto-ransomware events. These include staff training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus installation of modern security gateways with machine learning capabilities from SentinelOne to identify and extinguish day-zero threats quickly. Progent also offers the assistance of expert ransomware recovery consultants with the track record and perseverance to re-deploy a compromised environment as soon as possible.

Progent's Ransomware Restoration Services
After a ransomware attack, even paying the ransom in cryptocurrency does not provide any assurance that cyber hackers will return the needed keys to decrypt any or all of your files. Kaspersky Labs estimated that 17% of ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET determined to be in the range of $13,000. The alternative is to setup from scratch the vital parts of your Information Technology environment. Without access to essential data backups, this calls for a wide complement of IT skills, well-coordinated team management, and the ability to work non-stop until the task is completed.

For twenty years, Progent has offered professional IT services for companies in Milwaukee and across the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have earned top industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distros of Linux. Progent's security specialists have earned internationally-renowned certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP application software. This breadth of experience affords Progent the skills to rapidly ascertain necessary systems and integrate the remaining parts of your IT system following a ransomware penetration and configure them into an operational network.

Progent's ransomware team of experts deploys powerful project management tools to orchestrate the complicated restoration process. Progent appreciates the urgency of acting swiftly and together with a customer's management and Information Technology resources to assign priority to tasks and to put critical services back online as soon as humanly possible.

Client Story: A Successful Ransomware Penetration Restoration
A client escalated to Progent after their network was brought down by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state criminal gangs, possibly adopting strategies exposed from America's NSA organization. Ryuk targets specific companies with limited room for operational disruption and is among the most profitable instances of ransomware malware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in Chicago and has about 500 workers. The Ryuk event had brought down all business operations and manufacturing processes. Most of the client's data protection had been directly accessible at the time of the attack and were encrypted. The client was actively seeking loans for paying the ransom demand (in excess of $200K) and praying for good luck, but in the end reached out to Progent.


"I cannot tell you enough about the support Progent gave us during the most stressful period of (our) company's existence. We would have paid the cyber criminals behind the attack except for the confidence the Progent group afforded us. The fact that you could get our e-mail and critical servers back online faster than one week was amazing. Every single consultant I worked with or communicated with at Progent was absolutely committed on getting our company operational and was working breakneck pace to bail us out."

Progent worked with the customer to quickly get our arms around and assign priority to the most important areas that had to be restored to make it possible to continue departmental operations:

  • Active Directory (AD)
  • E-Mail
  • MRP System
To start, Progent followed AV/Malware Processes penetration response industry best practices by stopping the spread and cleaning systems of viruses. Progent then began the process of bringing back online Microsoft AD, the core of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not function without Windows AD, and the businesses' accounting and MRP applications used SQL Server, which requires Windows AD for security authorization to the information.

Within two days, Progent was able to re-build Windows Active Directory to its pre-virus state. Progent then assisted with rebuilding and storage recovery of needed systems. All Exchange ties and configuration information were intact, which accelerated the restore of Exchange. Progent was also able to locate local OST data files (Outlook Off-Line Data Files) on team workstations in order to recover email messages. A not too old offline backup of the businesses accounting/MRP software made them able to restore these essential services back servicing users. Although major work was left to recover fully from the Ryuk attack, essential systems were returned to operations quickly:


"For the most part, the production manufacturing operation ran fairly normal throughout and we delivered all customer orders."

During the next month critical milestones in the restoration project were made in tight collaboration between Progent consultants and the client:

  • In-house web sites were restored with no loss of information.
  • The MailStore Exchange Server containing more than four million historical messages was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were fully recovered.
  • A new Palo Alto 850 security appliance was deployed.
  • Most of the user desktops and notebooks were being used by staff.

"A lot of what went on that first week is nearly entirely a blur for me, but our team will not forget the dedication all of the team put in to help get our business back. I've been working together with Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered. This event was a life saver."

Conclusion
A possible business extinction catastrophe was evaded through the efforts of results-oriented professionals, a wide range of subject matter expertise, and close teamwork. Although upon completion of forensics the ransomware penetration described here would have been identified and prevented with advanced security systems and ISO/IEC 27001 best practices, team training, and properly executed security procedures for information protection and applying software patches, the fact remains that state-sponsored cybercriminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware incident, remember that Progent's team of experts has extensive experience in crypto-ransomware virus blocking, remediation, and file restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for making it so I could get rested after we made it through the initial fire. All of you did an amazing effort, and if any of your guys is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Milwaukee a variety of online monitoring and security evaluation services designed to assist you to minimize the threat from ransomware. These services include next-generation artificial intelligence capability to uncover new strains of ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's next generation behavior-based machine learning technology to guard physical and virtual endpoints against new malware assaults like ransomware and email phishing, which routinely get by traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud resources and offers a single platform to address the complete threat progression including protection, identification, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, device control, and web filtering through leading-edge tools packaged within one agent managed from a unified console. Progent's security and virtualization experts can assist you to plan and configure a ProSight ESP deployment that meets your company's specific requirements and that allows you demonstrate compliance with government and industry information security standards. Progent will assist you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for immediate action. Progent's consultants can also help your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software providers to produce ProSight Data Protection Services, a selection of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup operations and enable transparent backup and rapid restoration of vital files, applications, images, plus virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware failures, natural calamities, fire, cyber attacks such as ransomware, user error, malicious employees, or software glitches. Managed services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security companies to provide centralized control and world-class protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from reaching your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper layer of inspection for incoming email. For outbound email, the onsite security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Exchange Server to track and safeguard internal email that stays within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, track, reconfigure and troubleshoot their networking hardware like switches, firewalls, and wireless controllers plus servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are always updated, captures and manages the configuration of almost all devices on your network, monitors performance, and generates notices when issues are discovered. By automating complex network management processes, WAN Watch can cut hours off common tasks such as network mapping, expanding your network, finding devices that need critical updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network running efficiently by checking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT staff and your assigned Progent engineering consultant so any potential issues can be addressed before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved easily to an alternate hosting environment without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard data about your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSLs ,domains or warranties. By cleaning up and managing your network documentation, you can eliminate up to 50% of time wasted searching for vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes next generation behavior-based machine learning technology to defend endpoints and physical and virtual servers against modern malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-matching AV products. Progent Active Security Monitoring services protect on-premises and cloud-based resources and provides a unified platform to automate the entire malware attack progression including filtering, infiltration detection, mitigation, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Center: Call Center Managed Services
    Progent's Call Center managed services enable your IT team to offload Help Desk services to Progent or split responsibilities for support services seamlessly between your internal support team and Progent's nationwide roster of certified IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a seamless extension of your internal network support group. User interaction with the Help Desk, provision of technical assistance, problem escalation, trouble ticket creation and updates, performance measurement, and maintenance of the support database are consistent whether incidents are resolved by your core network support group, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Call Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of all sizes a versatile and cost-effective alternative for evaluating, testing, scheduling, applying, and documenting updates to your dynamic IT system. Besides maximizing the security and reliability of your IT network, Progent's software/firmware update management services free up time for your IT team to focus on line-of-business initiatives and tasks that deliver the highest business value from your information network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication managed services incorporate Cisco's Duo technology to defend against password theft by using two-factor authentication. Duo enables single-tap identity verification on iOS, Google Android, and other out-of-band devices. With 2FA, when you sign into a secured online account and enter your password you are asked to confirm who you are via a unit that only you have and that is accessed using a separate network channel. A wide range of devices can be used for this added form of authentication including a smartphone or watch, a hardware/software token, a landline phone, etc. You may designate multiple validation devices. For details about ProSight Duo identity validation services, see Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of in-depth reporting plug-ins designed to integrate with the leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as spotty support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For Milwaukee 24-7 Ransomware Removal Consultants, contact Progent at 800-462-8800 or go to Contact Progent.