Crypto-Ransomware : Your Feared IT Nightmare
Ransomware  Recovery ProfessionalsCrypto-Ransomware has become a modern cyberplague that represents an enterprise-level danger for organizations poorly prepared for an assault. Multiple generations of ransomware such as CryptoLocker, Fusob, Locky, SamSam and MongoLock cryptoworms have been out in the wild for years and still cause havoc. Modern variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, along with more unnamed newcomers, not only do encryption of on-line files but also infiltrate any available system restores and backups. Files synchronized to cloud environments can also be ransomed. In a vulnerable data protection solution, it can render automated restore operations useless and effectively knocks the network back to square one.

Getting back on-line services and data after a ransomware event becomes a race against time as the targeted organization tries its best to contain and eradicate the virus and to restore business-critical activity. Because ransomware takes time to spread, attacks are frequently launched on weekends, when successful attacks in many cases take longer to notice. This multiplies the difficulty of rapidly marshalling and coordinating an experienced response team.

Progent makes available a range of solutions for protecting organizations from ransomware events. Among these are team member education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security appliances with artificial intelligence capabilities from SentinelOne to discover and quarantine day-zero threats rapidly. Progent also offers the services of veteran ransomware recovery engineers with the talent and commitment to rebuild a breached environment as urgently as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom demands in cryptocurrency does not provide any assurance that criminal gangs will respond with the needed codes to unencrypt any or all of your data. Kaspersky Labs estimated that 17% of ransomware victims never restored their information even after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly above the average ransomware demands, which ZDNET averages to be approximately $13,000. The alternative is to setup from scratch the vital components of your IT environment. Absent access to essential information backups, this requires a broad range of skills, professional team management, and the ability to work continuously until the recovery project is over.

For decades, Progent has provided professional Information Technology services for companies in Milwaukee and throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have garnered internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise in accounting and ERP application software. This breadth of expertise gives Progent the skills to quickly understand critical systems and organize the surviving parts of your computer network system following a crypto-ransomware attack and rebuild them into an operational network.

Progent's security team utilizes state-of-the-art project management tools to orchestrate the complex restoration process. Progent understands the importance of acting swiftly and in unison with a client's management and Information Technology team members to assign priority to tasks and to put essential systems back on-line as fast as possible.

Customer Case Study: A Successful Ransomware Intrusion Restoration
A client sought out Progent after their network system was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been deployed by Northern Korean state criminal gangs, possibly using algorithms exposed from the U.S. NSA organization. Ryuk attacks specific organizations with limited ability to sustain disruption and is among the most profitable examples of crypto-ransomware. High publicized victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer located in Chicago and has about 500 employees. The Ryuk penetration had paralyzed all company operations and manufacturing processes. Most of the client's backups had been directly accessible at the start of the attack and were encrypted. The client was taking steps for paying the ransom (more than $200K) and praying for good luck, but ultimately brought in Progent.


"I can't say enough about the expertise Progent gave us during the most fearful time of (our) businesses life. We would have paid the criminal gangs if it wasn't for the confidence the Progent group provided us. The fact that you could get our messaging and key servers back online in less than one week was beyond my wildest dreams. Every single expert I spoke to or texted at Progent was laser focused on getting us back online and was working at all hours on our behalf."

Progent worked together with the client to rapidly identify and prioritize the essential elements that needed to be recovered to make it possible to resume company operations:

  • Windows Active Directory
  • Microsoft Exchange Server
  • Financials/MRP
To begin, Progent followed Anti-virus event response best practices by stopping lateral movement and cleaning up infected systems. Progent then initiated the process of rebuilding Windows Active Directory, the key technology of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without Active Directory, and the client's MRP applications utilized SQL Server, which requires Active Directory for authentication to the database.

Within two days, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then assisted with setup and storage recovery on key applications. All Microsoft Exchange Server data and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to locate local OST data files (Microsoft Outlook Off-Line Data Files) on various PCs and laptops in order to recover mail data. A not too old off-line backup of the customer's financials/MRP software made them able to restore these essential services back available to users. Although a lot of work was left to recover fully from the Ryuk virus, core systems were recovered rapidly:


"For the most part, the manufacturing operation ran fairly normal throughout and we delivered all customer deliverables."

Throughout the next month key milestones in the recovery process were completed in tight collaboration between Progent engineers and the customer:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Server exceeding 4 million historical emails was spun up and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory Control functions were completely recovered.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Ninety percent of the user workstations were fully operational.

"Much of what happened in the early hours is mostly a blur for me, but I will not forget the dedication each of the team accomplished to give us our company back. I've utilized Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered. This time was the most impressive ever."

Conclusion
A likely company-ending catastrophe was evaded due to hard-working experts, a broad spectrum of subject matter expertise, and tight teamwork. Although in post mortem the crypto-ransomware virus attack described here should have been identified and stopped with current cyber security solutions and ISO/IEC 27001 best practices, user and IT administrator education, and properly executed incident response procedures for backup and keeping systems up to date with security patches, the fact is that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and will continue. If you do fall victim to a ransomware incursion, remember that Progent's roster of professionals has a proven track record in crypto-ransomware virus blocking, removal, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), thanks very much for making it so I could get rested after we got over the initial push. All of you did an incredible job, and if anyone that helped is around the Chicago area, dinner is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Milwaukee a range of remote monitoring and security assessment services designed to help you to minimize the threat from crypto-ransomware. These services utilize next-generation artificial intelligence technology to detect zero-day strains of ransomware that can escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's next generation behavior machine learning tools to defend physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily get by traditional signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to manage the complete malware attack progression including protection, identification, mitigation, remediation, and forensics. Key capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, endpoint management, and web filtering through cutting-edge technologies incorporated within a single agent managed from a unified control. Progent's data protection and virtualization experts can assist you to design and implement a ProSight ESP environment that addresses your organization's specific needs and that helps you prove compliance with government and industry data protection regulations. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that call for urgent attention. Progent's consultants can also help your company to install and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore technology companies to produce ProSight Data Protection Services (DPS), a family of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS products manage and track your backup processes and enable transparent backup and rapid recovery of critical files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss caused by hardware failures, natural disasters, fire, cyber attacks such as ransomware, human mistakes, malicious insiders, or application glitches. Managed services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these fully managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security companies to deliver centralized control and comprehensive security for all your email traffic. The powerful architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter serves as a first line of defense and keeps the vast majority of unwanted email from making it to your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises gateway device adds a further level of inspection for incoming email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map out, monitor, reconfigure and troubleshoot their networking hardware like switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating complex management activities, WAN Watch can cut hours off ordinary chores such as making network diagrams, expanding your network, locating appliances that require critical updates, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network running efficiently by tracking the health of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT management personnel and your Progent engineering consultant so all potential problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported easily to a different hardware environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect data related to your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned about impending expirations of SSLs or domains. By cleaning up and managing your IT documentation, you can eliminate up to half of time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Read more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that utilizes next generation behavior-based analysis tools to guard endpoint devices and physical and virtual servers against new malware assaults such as ransomware and email phishing, which easily evade legacy signature-matching anti-virus products. Progent ASM services protect local and cloud-based resources and provides a single platform to address the entire malware attack lifecycle including blocking, identification, containment, remediation, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Service Center: Help Desk Managed Services
    Progent's Support Center managed services allow your information technology group to offload Support Desk services to Progent or divide responsibilities for Service Desk support seamlessly between your in-house support resources and Progent's nationwide pool of certified IT support engineers and subject matter experts. Progent's Shared Help Desk Service provides a transparent extension of your internal IT support resources. Client interaction with the Help Desk, delivery of support services, issue escalation, ticket generation and updates, efficiency measurement, and management of the service database are consistent regardless of whether issues are resolved by your internal IT support organization, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide organizations of all sizes a versatile and cost-effective alternative for assessing, testing, scheduling, applying, and tracking updates to your ever-evolving IT network. In addition to maximizing the protection and functionality of your IT environment, Progent's patch management services permit your in-house IT team to concentrate on line-of-business projects and tasks that derive maximum business value from your information network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication services utilize Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication. Duo supports one-tap identity verification with Apple iOS, Google Android, and other out-of-band devices. With 2FA, when you log into a protected application and enter your password you are asked to confirm your identity via a unit that only you possess and that uses a different network channel. A wide selection of out-of-band devices can be utilized as this second means of ID validation including an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may register several validation devices. To find out more about ProSight Duo identity validation services, visit Duo MFA two-factor authentication services.
For Milwaukee 24/7/365 Ransomware Cleanup Consulting, call Progent at 800-462-8800 or go to Contact Progent.