Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware has become an escalating plague that poses an extinction-level threat to businesses of any size that are poorly prepared for an attack. Older families such as CryptoLocker, Fusob, Bad Rabbit and MongoLock have been in the wild for years and continue to cause damage. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, along with many unnamed variants, not only encrypt online files but also delete or encrypt any system restore points and backups they can reach, including backups on mapped drives and network shares. Data replicated to an off-site disaster recovery location can be corrupted in the same way, since the replication faithfully copies the encrypted files. In a poorly designed data protection solution this can render every restore operation hopeless and effectively knock the entire environment back to zero.
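The restore points and backups that ransomware reaches first are the ones Windows keeps locally, and it removes them with ordinary administrative commands before encryption starts. The following is an added example, not code from Progent or from any product named on this page: a small Python detector that runs over constructed process-creation events (the shape of Windows Security event 4688 or Sysmon event 1, flattened to one line each; the host names, user names and line format are assumptions made for the example) and flags the shadow-copy, backup-catalog and boot-recovery deletions that families such as Ryuk issue, rating a host higher when several of them fire within a few minutes.

```python
"""Detect attempts to destroy recovery points on Windows hosts.

Added example for this page; it is not Progent's or SentinelOne's code.
It scans process-creation events (the shape of Windows Security event
4688 or Sysmon event 1, flattened to one line per event) for the
commands ransomware families such as Ryuk run before encrypting so the
victim cannot roll back. The lines in SAMPLE_LOG are constructed for
this example and do not come from any real incident.
"""
import re
from collections import defaultdict
from datetime import datetime

# (label, pattern) pairs. Each pattern matches a command line that deletes
# or cripples shadow copies, backup catalogs or Windows boot recovery.
RECOVERY_KILL_PATTERNS = [
    ("vss_delete",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vss_resize",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadow_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no"
                r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("powershell_shadow_delete",
     re.compile(r"\bWin32_ShadowCopy\b.*\b(Delete|Remove-WmiObject)\b", re.I)),
]

# Constructed event format (an assumption for this example):
#   <iso-utc-timestamp> host=<name> user=<domain\user> pid=<n> cmd=<command line>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)"
    r"\s+pid=(?P<pid>\d+)\s+cmd=(?P<cmd>.*)$")

SAMPLE_LOG = """\
2021-03-06T02:14:05Z host=FS01 user=CORP\\jdoe pid=4412 cmd=C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet
2021-03-06T02:14:06Z host=FS01 user=CORP\\jdoe pid=4420 cmd=wbadmin DELETE CATALOG -quiet
2021-03-06T02:14:07Z host=FS01 user=CORP\\jdoe pid=4431 cmd=bcdedit /set {default} recoveryenabled No
2021-03-06T02:30:11Z host=WS22 user=CORP\\itadmin pid=1900 cmd="C:\\Program Files\\Backup\\agent.exe" --verify
2021-03-06T09:10:00Z host=WS07 user=CORP\\backupsvc pid=2222 cmd=vssadmin list shadows
2021-03-07T11:00:00Z host=FS02 user=CORP\\itadmin pid=3000 cmd=wmic shadowcopy delete
"""


def parse_event(line):
    """Parse one event line; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def classify(cmd):
    """Labels of every recovery-destroying technique present in one command line."""
    return [label for label, rx in RECOVERY_KILL_PATTERNS if rx.search(cmd)]


def find_recovery_tampering(lines):
    """One finding per (event, technique) pair across the supplied lines."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for label in classify(ev["cmd"]):
            findings.append({"ts": ev["ts"], "host": ev["host"],
                             "user": ev["user"], "label": label,
                             "cmd": ev["cmd"]})
    return findings


def score_hosts(findings, window_seconds=300):
    """'high' when two or more distinct techniques fire on one host within
    window_seconds (the burst that precedes encryption), otherwise 'medium'.
    A lone 'vssadmin delete shadows' may be an admin reclaiming disk space;
    shadows + catalog + recoveryenabled inside one minute almost never is."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    verdict = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        best = 1
        for i, first in enumerate(evs):
            labels = {first["label"]}
            for later in evs[i + 1:]:
                if (later["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break
                labels.add(later["label"])
            best = max(best, len(labels))
        verdict[host] = "high" if best >= 2 else "medium"
    return verdict


if __name__ == "__main__":
    hits = find_recovery_tampering(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["ts"].isoformat(), h["host"], h["user"], h["label"], "|", h["cmd"])
    print(score_hosts(hits))
```

Run as a script it reports the three FS01 commands as a high-severity burst and the single wmic deletion on FS02 as medium; the backup service's vssadmin list shadows on WS07 is correctly ignored. To use it on real 4688 or Sysmon data only LINE_RE needs to change. The more important point is the one the paragraph above makes: a detection that fires after the shadow copies are gone only tells you what you have already lost, so at least one backup copy must be offline or immutable.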

Restoring applications and data after a ransomware event becomes a race against time as the targeted organization tries to contain the damage, remove the ransomware, and resume business-critical operations. Because encrypting a large environment takes time, attackers typically trigger the encryption at night or over a weekend, when it takes longer to notice and when it is hardest to assemble and coordinate a knowledgeable response team.

Progent offers a range of services for protecting businesses from crypto-ransomware attacks. These include user training to help staff recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern endpoint security with machine learning technology from SentinelOne to detect and stop new attacks automatically. Progent also provides experienced ransomware recovery engineers with the skills and commitment to restore a breached network as quickly as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminals will hand over working decryption keys. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms have often ranged from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to piece the key parts of your IT environment back together. Without full, intact backups this requires a broad set of skills, well-coordinated project management, and the capacity to work around the clock until the job is done.

For twenty years, Progent has provided expert IT services for businesses in Minnetonka and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold high-level industry certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists hold internationally recognized certifications including CISA, CISSP, CRISC, and GIAC (refer to Progent's certifications). Progent also has expertise in accounting and ERP software. This breadth of experience allows Progent to identify the systems that must come back first, salvage the surviving pieces of your IT environment after a ransomware event, and reassemble them into a working system.

Progent's security team uses project management tools to coordinate the complex restoration process. Progent understands the importance of working quickly and in concert with a customer's management and IT staff to prioritize tasks and bring key services back online as fast as possible.

Business Case Study: A Successful Ransomware Penetration Response
A client contacted Progent after their network was compromised by Ryuk ransomware. Ryuk was initially attributed to North Korea's Lazarus Group because it shares code with the earlier Hermes ransomware, but later analysis attributes it to a Russian-speaking criminal group (tracked as Wizard Spider) that also operates the TrickBot trojan, which is frequently the initial foothold for a Ryuk deployment. Ryuk targets organizations that have little or no tolerance for operational disruption and is one of the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-site manufacturer in the Chicago metro area with about 500 employees. The Ryuk attack had shut down all essential business and manufacturing operations. Most of the client's backups were online and reachable from the network when the attack began, and they were destroyed along with the production data. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hope for the best, but instead called Progent.


"I can't tell you enough about the support Progent provided us during the most critical time of (our) company's existence. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent team provided us. That you could get our messaging and key servers back on-line faster than 1 week was earth shattering. Each expert I got help from or messaged at Progent was totally committed on getting us working again and was working day and night on our behalf."

Progent worked with the customer to quickly scope and prioritize the essential areas that had to be addressed to resume departmental operations:

  • Windows Active Directory
  • E-Mail
  • Financials/MRP
To start, Progent followed ransomware incident response best practices: isolate affected systems to stop lateral movement, then remove the malware. Progent then began recovering Windows Active Directory, the core of any enterprise network built on Microsoft technology. Exchange will not run without AD, and the company's MRP application ran on Microsoft SQL Server, which relied on AD (Windows-integrated authentication) to authorize access to the data.
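Restoring AD first because Exchange and SQL Server (and the MRP system on top of SQL) cannot work without it is one instance of a general rule: rebuild in dependency order, in parallel where the dependencies allow, and work out before you start what a missing backup takes down with it. The following Python is an added example, not Progent's planning tool; the service names and their dependencies are an assumption modelled on this case study, not the client's actual inventory, and the code generalizes the ordering argument in the text to any dependency map.

```python
"""Order a rebuild by dependencies and show what a lost backup blocks.

Added example for this page, not Progent's planning tool. The dependency
map below is an assumption that mirrors the case study (AD first, then
Exchange and SQL Server, then the applications that sit on them); replace
it with your own inventory. restore_waves() is the general form of the
reasoning in the text: everything with no unmet dependency can be rebuilt
in parallel, and a layer cannot start until the layer below it is up.
"""
from collections import defaultdict

# service -> services that must be running before it can be restored
DEPENDENCIES = {
    "Active Directory": [],
    "Exchange": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "MRP/Financials": ["SQL Server"],
    "CRM": ["SQL Server"],
    "MailStore": ["Active Directory", "Exchange"],
    "Intranet web": ["Active Directory", "SQL Server"],
}


def restore_waves(deps):
    """Kahn's topological sort, grouped into waves.

    Each wave lists services that can be rebuilt in parallel once every
    earlier wave is running. Raises ValueError on a dependency cycle or a
    reference to a service missing from the map, since both mean the plan
    itself is wrong and must be fixed before anyone starts restoring.
    """
    indegree = {svc: 0 for svc in deps}
    dependents = defaultdict(list)
    for svc, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{svc!r} depends on unknown service {need!r}")
            indegree[svc] += 1
            dependents[need].append(svc)
    wave = sorted(svc for svc, d in indegree.items() if d == 0)
    waves, placed = [], 0
    while wave:
        waves.append(wave)
        placed += len(wave)
        ready = []
        for svc in wave:
            for dep in dependents[svc]:
                indegree[dep] -= 1
                if indegree[dep] == 0:
                    ready.append(dep)
        wave = sorted(ready)
    if placed != len(deps):
        stuck = sorted(svc for svc, d in indegree.items() if d > 0)
        raise ValueError("dependency cycle among: " + ", ".join(stuck))
    return waves


def blocked_by_missing_backups(deps, missing):
    """Map every service that cannot be restored to its root cause.

    A service is blocked if it has no surviving backup itself or if any
    service it depends on is blocked. Run this before promising a recovery
    date: losing the SQL Server backup takes MRP, CRM and the intranet
    down with it even though their own backups may be fine.
    """
    blocked = {svc: svc for svc in missing}
    changed = True
    while changed:                      # propagate until nothing new is blocked
        changed = False
        for svc, needs in deps.items():
            if svc in blocked:
                continue
            for need in needs:
                if need in blocked:
                    blocked[svc] = blocked[need]
                    changed = True
                    break
    return blocked


def recovery_plan(deps, missing=()):
    """Waves with blocked services removed, plus the blocked set with causes."""
    blocked = blocked_by_missing_backups(deps, set(missing))
    waves = [[s for s in wave if s not in blocked] for wave in restore_waves(deps)]
    return {"waves": [w for w in waves if w], "blocked": blocked}


if __name__ == "__main__":
    plan = recovery_plan(DEPENDENCIES, missing={"SQL Server"})
    for n, wave in enumerate(plan["waves"], 1):
        print(f"wave {n}: {', '.join(wave)}")
    for svc, cause in sorted(plan["blocked"].items()):
        print(f"blocked: {svc} (no backup for {cause})")
```

With the constructed map the plan is three waves: Active Directory alone, then Exchange and SQL Server in parallel, then everything else. If the SQL Server backup were missing, the MRP, CRM and intranet systems drop out of the plan with SQL Server named as the cause, which is exactly the conversation to have with management before, not after, the rebuild starts.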

In less than two days, Progent restored Active Directory to its pre-attack state. Progent then assisted with rebuilding essential servers and recovering their storage. The Exchange schema extensions and attributes in AD were intact, which sped up the Exchange rebuild. Progent also located Outlook Offline Data Files (.ost) on user desktops and laptops and used them to recover mailbox contents. A recent offline backup of the client's accounting software made it possible to bring those applications back online for users. Although much work remained to recover fully from the Ryuk event, core systems were restored rapidly:


"For the most part, the production operation showed little impact and we produced all customer deliverables."

Over the following weeks, important milestones in the restoration were reached in close cooperation between Progent and the client:

  • In-house web sites were returned to operation with no loss of information.
  • The MailStore Server containing more than four million historical messages was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were 100 percent restored.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Most user desktops and laptops were back in service.

"A huge amount of what transpired in the initial days is nearly entirely a haze for me, but my management will not soon forget the dedication each of the team accomplished to give us our business back. I've been working together with Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was the most impressive ever."

Conclusion
A likely business-ending disaster was avoided thanks to dedicated professionals, a broad spectrum of expertise, and close collaboration. In hindsight, the attack described here should have been stopped by modern security tooling, ISO/IEC 27001 best practices, staff training, and sound procedures for offline backups and timely patching. The reality, though, is that criminal and state-linked ransomware groups operating from Russia, China and elsewhere are relentless and are not going away. If you are hit by ransomware, you can be confident that Progent's roster of professionals has a proven track record in ransomware blocking, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for making it so I could get some sleep after we got through the initial push. Everyone did an incredible effort, and if anyone is around the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Minnetonka a variety of remote monitoring and security assessment services designed to help you minimize the threat from ransomware. These services use behavior-based machine learning to detect zero-day strains of crypto-ransomware that evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses SentinelOne's behavior-based machine learning technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily evade traditional signature-matching anti-virus products. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform covering the complete attack progression: filtering, identification, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback of encrypted files using Windows Volume Shadow Copy Service snapshots (which only works if the agent has also prevented the shadow-copy deletion that most ransomware attempts before encrypting) and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering through leading-edge technologies packaged within one agent managed from a single control. Progent's security and virtualization consultants can help you to design and configure a ProSight ESP environment that addresses your organization's unique needs and that helps you prove compliance with government and industry data protection standards. Progent will assist you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate attention. Progent can also assist you to set up and test a backup and restore system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup software companies to create ProSight Data Protection Services (DPS), a portfolio of management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and track your data backup processes and enable non-disruptive backup and fast recovery of critical files/folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss resulting from hardware failures, natural calamities, fire, cyber attacks like ransomware, user error, ill-intentioned insiders, or software bugs. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security vendors to provide centralized control and comprehensive protection for all your inbound and outbound email. Progent's Email Guard managed service combines cloud-based filtering with a local gateway appliance to provide layered defense against spam, viruses, denial of service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne malware. The cloud filter acts as a first line of defense and blocks the vast majority of unwanted email before it reaches your security perimeter. This reduces your exposure to external attacks and saves bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of analysis for incoming email. For outbound email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also work with Exchange Server to monitor and protect internal email that originates and ends inside your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map, monitor, enhance and debug their networking hardware like switches, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are always current, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and generates notices when issues are discovered. By automating tedious management activities, WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, locating appliances that need important updates, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your network running efficiently by checking the state of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT staff and your assigned Progent consultant so that all potential problems can be addressed before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting, a small or mid-size organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be moved easily to an alternate hosting solution without a time-consuming and technically risky reinstallation. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard information about your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can save up to half of time wasted trying to find vital information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection solution that uses next-generation behavior-based machine learning to guard endpoints and physical and virtual servers against new malware assaults such as ransomware and email phishing, which easily escape traditional signature-based anti-virus products. The service safeguards on-premises and cloud-based resources and offers a single platform to automate the entire malware attack lifecycle: blocking, identification, containment, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Find out more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Support Desk services allow your IT group to outsource Call Center services to Progent or divide activity for Help Desk services seamlessly between your internal support resources and Progent's nationwide pool of IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a smooth supplement to your corporate network support organization. End user interaction with the Service Desk, provision of support, issue escalation, ticket generation and updates, performance metrics, and maintenance of the service database are cohesive regardless of whether incidents are resolved by your in-house network support organization, by Progent, or both. Read more about Progent's outsourced/co-managed Call Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management offer businesses of any size a versatile and cost-effective solution for assessing, testing, scheduling, applying, and documenting software and firmware updates to your dynamic information system. Besides optimizing the security and reliability of your computer network, Progent's software/firmware update management services free up time for your IT team to focus on line-of-business initiatives and activities that derive the highest business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication services use Cisco's Duo technology to defend against stolen passwords through two-factor authentication. Duo enables single-tap identity confirmation with iOS, Android, and other personal devices. With Duo 2FA, when you sign in to a protected online account and enter your password you are asked to verify who you are on a device that only you possess and that is reached over a separate, out-of-band channel. A broad selection of devices can serve as this second factor, including a smartphone or watch, a hardware token, or a landline telephone, and you can enroll several of them. To find out more about ProSight Duo identity validation services, go to Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of in-depth reporting plug-ins designed to integrate with the top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues like inconsistent support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For Minnetonka 24-Hour Crypto-Ransomware Recovery Services, contact Progent at 800-462-8800 or go to Contact Progent.