Crypto-Ransomware : Your Feared IT Disaster
Ransomware  Remediation ProfessionalsRansomware has become an escalating cyber pandemic that poses an enterprise-level threat for businesses vulnerable to an attack. Versions of ransomware like the Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been running rampant for many years and still cause destruction. More recent variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with frequent as yet unnamed viruses, not only encrypt on-line data but also infiltrate any available system protection. Files replicated to off-site disaster recovery sites can also be rendered useless. In a poorly architected system, it can make any restoration hopeless and effectively knocks the entire system back to zero.

Recovering applications and information following a crypto-ransomware attack becomes a race against time as the targeted business fights to stop lateral movement and clear the virus and to resume mission-critical operations. Since ransomware requires time to move laterally, attacks are usually sprung on weekends and holidays, when successful penetrations are likely to take longer to notice. This compounds the difficulty of rapidly assembling and orchestrating a capable mitigation team.

Progent makes available a range of help services for securing organizations from crypto-ransomware attacks. Among these are team member education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security solutions with artificial intelligence technology from SentinelOne to identify and extinguish new cyber threats quickly. Progent also offers the services of experienced crypto-ransomware recovery engineers with the track record and perseverance to restore a breached network as quickly as possible.

Progent's Ransomware Recovery Support Services
Subsequent to a ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not guarantee that criminal gangs will return the needed codes to decrypt all your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their files after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the usual ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to piece back together the essential elements of your IT environment. Without the availability of full system backups, this calls for a wide complement of IT skills, top notch team management, and the ability to work continuously until the task is completed.

For decades, Progent has provided certified expert IT services for companies in Toledo and across the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained advanced industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity experts have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise in financial systems and ERP software solutions. This breadth of expertise gives Progent the capability to quickly ascertain necessary systems and consolidate the surviving parts of your IT system following a crypto-ransomware penetration and configure them into a functioning system.

Progent's ransomware team of experts uses top notch project management systems to coordinate the sophisticated restoration process. Progent knows the importance of acting quickly and together with a customer's management and Information Technology team members to assign priority to tasks and to get essential services back online as fast as possible.

Client Case Study: A Successful Ransomware Intrusion Response
A customer hired Progent after their network was crashed by Ryuk ransomware virus. Ryuk is generally considered to have been deployed by North Korean state sponsored hackers, suspected of adopting techniques leaked from America's NSA organization. Ryuk goes after specific companies with little or no ability to sustain disruption and is one of the most lucrative iterations of crypto-ransomware. Major victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in the Chicago metro area and has about 500 staff members. The Ryuk attack had brought down all business operations and manufacturing processes. The majority of the client's data protection had been online at the time of the attack and were encrypted. The client was evaluating paying the ransom demand (exceeding $200K) and hoping for good luck, but in the end utilized Progent.


"I can't speak enough about the support Progent gave us during the most stressful time of (our) company's existence. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent group gave us. That you could get our e-mail system and production applications back online quicker than one week was earth shattering. Each staff member I spoke to or communicated with at Progent was laser focused on getting our company operational and was working all day and night to bail us out."

Progent worked with the customer to quickly get our arms around and assign priority to the critical areas that needed to be recovered in order to continue company functions:

  • Windows Active Directory
  • E-Mail
  • MRP System
To begin, Progent followed Anti-virus event response industry best practices by halting lateral movement and removing active viruses. Progent then began the steps of restoring Microsoft Active Directory, the core of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange email will not operate without Active Directory, and the client's accounting and MRP software used Microsoft SQL, which depends on Windows AD for security authorization to the databases.

Within two days, Progent was able to re-build Active Directory services to its pre-virus state. Progent then helped perform rebuilding and hard drive recovery of the most important applications. All Microsoft Exchange Server data and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was also able to assemble local OST files (Outlook Off-Line Folder Files) on various desktop computers to recover mail messages. A not too old off-line backup of the customer's financials/ERP software made them able to return these required programs back on-line. Although major work needed to be completed to recover fully from the Ryuk damage, essential services were returned to operations rapidly:


"For the most part, the production line operation ran fairly normal throughout and we made all customer sales."

Over the following couple of weeks critical milestones in the recovery process were accomplished in close cooperation between Progent consultants and the customer:

  • Self-hosted web applications were restored without losing any data.
  • The MailStore Microsoft Exchange Server containing more than four million archived emails was brought online and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control modules were fully restored.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • 90% of the user desktops were functioning as before the incident.

"Much of what was accomplished in the initial days is nearly entirely a haze for me, but my management will not soon forget the care all of the team put in to give us our company back. I've utilized Progent for the past 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A potential business extinction disaster was evaded through the efforts of top-tier experts, a broad range of technical expertise, and close collaboration. Although in post mortem the ransomware attack described here could have been prevented with modern security technology solutions and NIST Cybersecurity Framework best practices, team education, and appropriate incident response procedures for data protection and proper patching controls, the reality is that state-sponsored hackers from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, feel confident that Progent's roster of professionals has substantial experience in ransomware virus blocking, mitigation, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for making it so I could get rested after we got over the initial push. Everyone did an fabulous job, and if anyone is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Toledo a range of remote monitoring and security evaluation services to help you to reduce the threat from ransomware. These services utilize next-generation artificial intelligence capability to detect zero-day strains of ransomware that can escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based analysis tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely get by traditional signature-matching anti-virus tools. ProSight ASM protects on-premises and cloud resources and offers a single platform to automate the entire malware attack lifecycle including filtering, identification, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, endpoint control, and web filtering through leading-edge technologies packaged within one agent managed from a unified console. Progent's security and virtualization consultants can assist you to plan and implement a ProSight ESP environment that addresses your company's specific needs and that allows you achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for immediate action. Progent's consultants can also help your company to install and test a backup and restore system like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup software providers to create ProSight Data Protection Services, a portfolio of management outsourcing plans that deliver backup-as-a-service. ProSight DPS products manage and track your backup operations and enable non-disruptive backup and fast recovery of vital files, applications, system images, plus VMs. ProSight DPS helps your business recover from data loss caused by hardware breakdown, natural calamities, fire, malware such as ransomware, user mistakes, ill-intentioned employees, or application glitches. Managed backup services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading data security companies to deliver centralized management and world-class protection for all your email traffic. The hybrid architecture of Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter serves as a preliminary barricade and keeps the vast majority of threats from making it to your security perimeter. This reduces your exposure to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway device provides a deeper level of inspection for incoming email. For outbound email, the on-premises gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to diagram, track, optimize and troubleshoot their networking hardware like switches, firewalls, and load balancers as well as servers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when issues are discovered. By automating tedious management activities, WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, finding appliances that need important software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the state of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your specified IT management staff and your assigned Progent engineering consultant so any potential issues can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's network support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Since the system is virtualized, it can be ported easily to an alternate hardware solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and protect information about your network infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be warned about upcoming expirations of SSLs or warranties. By updating and managing your network documentation, you can eliminate up to half of time wasted looking for vital information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates cutting edge behavior-based analysis technology to guard endpoints and physical and virtual servers against new malware attacks such as ransomware and email phishing, which easily evade traditional signature-based anti-virus products. Progent ASM services safeguard on-premises and cloud resources and offers a single platform to address the complete threat progression including filtering, infiltration detection, containment, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
    Progent's Help Desk services enable your IT team to offload Help Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your in-house network support team and Progent's extensive pool of IT service engineers and subject matter experts. Progent's Co-managed Service Desk offers a smooth extension of your core support team. User access to the Service Desk, delivery of support, escalation, ticket generation and updates, efficiency metrics, and maintenance of the support database are consistent whether issues are taken care of by your internal network support group, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your dynamic IT network. Besides optimizing the protection and functionality of your computer environment, Progent's patch management services allow your in-house IT team to concentrate on line-of-business initiatives and tasks that deliver the highest business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo technology to protect against stolen passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity verification with Apple iOS, Google Android, and other out-of-band devices. Using Duo 2FA, when you log into a protected online account and give your password you are asked to verify your identity on a device that only you have and that is accessed using a different network channel. A broad range of out-of-band devices can be utilized as this second means of authentication including a smartphone or wearable, a hardware token, a landline phone, etc. You may register several verification devices. To learn more about Duo two-factor identity validation services, go to Duo MFA two-factor authentication (2FA) services.
For 24-7 Toledo Crypto-Ransomware Cleanup Services, contact Progent at 800-462-8800 or go to Contact Progent.