Crypto-Ransomware: Your Crippling IT Disaster
Ransomware has become a too-frequent cyberplague that presents an extinction-level danger for businesses poorly prepared for an attack. Multiple generations of ransomware like the CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and continue to cause havoc. More recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, as well as additional unnamed malware, not only encrypt online files but also infect any available system protection mechanisms. Information synched to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, this can make any restore operations impossible and basically sets the network back to zero.

Getting back programs and information following a ransomware outage becomes a sprint against time as the victim works to stop lateral movement, eradicate the virus, and restore business-critical activity. Because ransomware needs time to replicate, attacks are usually launched on weekends and holidays, when penetrations typically take longer to discover. This multiplies the difficulty of rapidly mobilizing and coordinating an experienced mitigation team.

Progent provides an assortment of support services for protecting enterprises from ransomware events. These include team member education to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation security appliances with AI capabilities from SentinelOne to detect and extinguish new cyber attacks quickly. Progent also provides the services of expert crypto-ransomware recovery professionals with the skills and perseverance to restore a compromised environment as soon as possible.

Progent's Ransomware Restoration Support Services
After a crypto-ransomware attack, paying the ransom demands in cryptocurrency does not guarantee that distant criminals will respond with the codes to decrypt any or all of your data. Kaspersky determined that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms often range from 15 to 40 BTC (between $120,000 and $400,000). This is significantly higher than the usual ransomware demands, which ZDNET averages to be in the range of $13,000. The fallback is to re-install the mission-critical parts of your IT environment. Without the availability of complete information backups, this requires a wide complement of IT skills, top-notch project management, and the ability to work non-stop until the task is finished.

For two decades, Progent has offered certified expert Information Technology services for businesses in Toledo and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have earned top certifications in leading technologies such as Microsoft, Cisco, VMware, and major distros of Linux. Progent's cybersecurity consultants have garnered internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP software solutions. This breadth of experience gives Progent the skills to quickly identify important systems and organize the surviving components of your computer network system after a crypto-ransomware penetration and assemble them into an operational network.

Progent's ransomware group utilizes powerful project management applications to coordinate the sophisticated recovery process. Progent understands the importance of working rapidly and in unison with a customer's management and IT resources to assign priority to tasks and to get essential systems back online as fast as humanly possible.

Customer Case Study: A Successful Ransomware Intrusion Response
A client contacted Progent after their organization was taken over by the Ryuk ransomware. Ryuk is believed to have been created by North Korean government sponsored cybercriminals, possibly adopting strategies exposed from the U.S. NSA. Ryuk goes after specific organizations with little or no ability to sustain disruption and is one of the most lucrative instances of ransomware. Highly publicized victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in the Chicago metro area with about 500 staff members. The Ryuk attack had frozen all essential operations and manufacturing processes. The majority of the client's information backups had been online at the start of the intrusion and were damaged. The client was pursuing financing for paying the ransom (more than $200K) and hoping for good luck, but in the end engaged Progent.


"I can't tell you enough about the expertise Progent gave us during the most stressful period of (our) business's survival. We may have had to pay the cybercriminals except for the confidence the Progent team gave us. The fact that you were able to get our messaging and key applications back on-line in less than five days was something I thought impossible. Every single consultant I spoke to or e-mailed at Progent was hell bent on getting us working again and was working day and night on our behalf."

Progent worked together with the customer to rapidly identify and assign priority to the critical elements that needed to be restored to make it possible to continue departmental operations:

  • Windows Active Directory
  • Electronic Messaging
  • Financials/MRP
To start, Progent followed industry best practices for AV/malware intrusion response by stopping the spread and performing virus removal steps. Progent then began the steps of recovering Active Directory, the core of enterprise networks built upon Microsoft Windows technology. Exchange messaging will not function without Active Directory, and the business's MRP system utilized Microsoft SQL, which requires Active Directory for security authorization to the information.

In less than two days, Progent was able to recover Active Directory to its pre-penetration state. Progent then accomplished rebuilding and storage recovery on key servers. All Exchange data and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to collect non-encrypted OST files (Outlook Email Offline Data Files) on staff desktop computers and laptops to recover email information. A recent offline backup of the client's accounting systems made it possible to bring these vital programs back online. Although a large amount of work remained to recover totally from the Ryuk event, the most important services were recovered rapidly:


"For the most part, the assembly line operation survived unscathed and we delivered all customer sales."

Throughout the following few weeks, critical milestones in the recovery process were completed in close cooperation between Progent engineers and the customer:

  • In-house web sites were restored without losing any information.
  • The MailStore Microsoft Exchange Server, with more than 4 million archived messages, was brought online and made accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were 100 percent functional.
  • A new Palo Alto 850 firewall was set up and programmed.
  • Nearly all of the user workstations were back in operation.

"A huge amount of what went on in the early hours is nearly entirely a blur for me, but my team will not forget the urgency each and every one of the team accomplished to give us our business back. I have utilized Progent for the past ten years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This event was a testament to your capabilities."

Conclusion
A probable business catastrophe was averted with results-oriented experts, a wide spectrum of technical expertise, and close collaboration. Although in hindsight the ransomware attack detailed here would have been identified and disabled with current cyber security technology solutions, ISO/IEC 27001 best practices, user training, and well-thought-out security procedures for data backup and keeping systems up to date with security patches, the reality remains that government-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware penetration, feel confident that Progent's roster of experts has substantial experience in ransomware virus defense, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for making it so I could get some sleep after we got over the most critical parts. Everyone did a fabulous job, and if any of your guys is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Toledo a variety of online monitoring and security evaluation services designed to help you to reduce the threat from crypto-ransomware. These services utilize next-generation AI technology to detect new strains of crypto-ransomware that can get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior machine learning technology to guard physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily escape legacy signature-based AV products. ProSight ASM protects local and cloud resources and offers a single platform to manage the entire threat lifecycle including protection, detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and responding to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge tools packaged within one agent managed from a single control. Progent's security and virtualization experts can help your business to design and implement a ProSight ESP environment that meets your company's specific requirements and that helps you demonstrate compliance with legal and industry information protection standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent can also help you install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with leading backup technology providers to create ProSight Data Protection Services, a family of management offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and enable non-disruptive backup and rapid restoration of important files/folders, apps, system images, and VMs. ProSight DPS lets your business protect against data loss resulting from hardware failures, natural calamities, fire, malware like ransomware, user error, malicious insiders, or application bugs. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security companies to deliver web-based management and world-class security for all your email traffic. The hybrid structure of Email Guard managed service combines cloud-based filtering with a local security gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a first line of defense and keeps most threats from reaching your network firewall. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage space. Email Guard's on-premises gateway device provides a further layer of inspection for inbound email. For outbound email, the local security gateway offers AV and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map out, track, reconfigure and debug their connectivity appliances such as switches, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology diagrams are always current, captures and displays the configuration information of virtually all devices on your network, tracks performance, and sends notices when potential issues are detected. By automating complex management activities, WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, finding appliances that need important updates, or isolating performance problems. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your IT system running at peak levels by tracking the state of vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT staff and your assigned Progent engineering consultant so any looming issues can be addressed before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the applications. Since the system is virtualized, it can be ported easily to an alternate hardware solution without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and protect information about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can save up to half of the time spent trying to find vital information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates next generation behavior machine learning tools to guard endpoint devices and servers and VMs against modern malware attacks such as ransomware and email phishing, which routinely get by legacy signature-matching AV tools. Progent Active Security Monitoring services safeguard local and cloud resources and offer a unified platform to automate the complete threat progression including protection, infiltration detection, mitigation, remediation, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Desk: Support Desk Managed Services
    Progent's Help Center managed services enable your IT group to outsource Support Desk services to Progent or divide activity for Service Desk support transparently between your in-house network support staff and Progent's nationwide roster of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a smooth supplement to your corporate IT support group. End user interaction with the Service Desk, provision of support, escalation, ticket creation and updates, performance measurement, and maintenance of the support database are consistent whether issues are resolved by your in-house support resources, by Progent, or by a combination. Read more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of all sizes a flexible and cost-effective solution for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic IT system. Besides optimizing the security and functionality of your IT network, Progent's software/firmware update management services free up time for your IT staff to concentrate on line-of-business initiatives and tasks that derive maximum business value from your information network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication managed services utilize Cisco's Duo technology to protect against stolen passwords through the use of two-factor authentication. Duo supports single-tap identity confirmation with Apple iOS, Google Android, and other personal devices. Using 2FA, when you log into a secured online account and enter your password you are asked to verify your identity on a device that only you have and that is accessed using a different network channel. A broad selection of devices can be used for this added form of ID validation including an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may designate several verification devices. To find out more about ProSight Duo two-factor identity validation services, see Duo MFA two-factor authentication (2FA) services.
For 24x7x365 Toledo Crypto Recovery Help, call Progent at 800-462-8800 or go to Contact Progent.