Crypto-Ransomware : Your Feared Information Technology Disaster
Ransomware Remediation Experts

Ransomware has become an escalating cyberplague that presents an enterprise-level threat to businesses of all sizes that are unprepared for an assault. Versions of ransomware like the Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and still cause harm. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus daily as-yet-unnamed viruses, not only encrypt online data files but also infiltrate all available system protection. Data synchronized to cloud environments can also be corrupted. In a vulnerable system, this can render automated restoration impossible and effectively sets the entire system back to zero.

Restoring applications and data following a crypto-ransomware intrusion becomes a sprint against the clock as the targeted organization fights to contain the damage, remove the virus, and restore mission-critical activity. Because ransomware needs time to move laterally, intrusions are frequently sprung on weekends and holidays, when attacks tend to take longer to uncover. This compounds the difficulty of rapidly marshalling and orchestrating a qualified response team.

Progent has a variety of solutions for protecting enterprises from crypto-ransomware events. Among these are user training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security gateways with AI capabilities from SentinelOne to detect and suppress zero-day cyber threats quickly. Progent in addition offers the services of expert crypto-ransomware recovery engineers with the skills and commitment to reconstruct a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Restoration Help
Subsequent to a crypto-ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not ensure that merciless criminals will return the keys needed to decipher all your information. Kaspersky estimated that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET determined to be in the range of $13,000. The fallback is to re-install the mission-critical parts of your Information Technology environment. Absent the availability of essential information backups, this calls for a wide complement of skills, well-coordinated project management, and the willingness to work non-stop until the job is finished.

For two decades, Progent has made available expert Information Technology services for businesses in Minnetonka and throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned top certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have garnered internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with accounting and ERP software solutions. This breadth of experience gives Progent the skills to knowledgeably identify critical systems, organize the remaining parts of your Information Technology system following a crypto-ransomware event, and configure them into an operational system.

Progent's recovery team of experts uses best-of-breed project management tools to orchestrate the complex recovery process. Progent appreciates the importance of acting swiftly and together with a customer's management and Information Technology team members to prioritize tasks and to get critical systems back online as soon as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Penetration Response
A client escalated to Progent after their organization was attacked by the Ryuk ransomware virus. Ryuk is believed to have been deployed by North Korean state cybercriminals, possibly adopting algorithms exposed from the United States National Security Agency. Ryuk seeks specific organizations with little room for operational disruption and is one of the most lucrative incarnations of ransomware viruses. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business located in Chicago with about 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were destroyed. The client was evaluating paying the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but in the end made the decision to use Progent.


"I can't speak enough in regards to the support Progent provided us throughout the most critical time of (our) company's existence. We had little choice but to pay the cyber criminals except for the confidence the Progent team afforded us. The fact that you were able to get our e-mail system and key servers back on-line in less than seven days was amazing. Every single person I spoke to or messaged at Progent was absolutely committed to getting us operational and was working all day and night to bail us out."

Progent worked hand in hand with the client to quickly assess and prioritize the critical applications that had to be addressed to make it possible to continue departmental operations:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • Accounting/MRP

To begin, Progent adhered to AV/malware incident-mitigation industry best practices by isolating systems and cleaning them of viruses. Progent then started the steps of restoring Active Directory, the core of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange email will not work without Windows AD, and the business's MRP applications leveraged SQL Server, which depends on Windows AD for authentication to the data.

Within 2 days, Progent was able to recover Active Directory services to their pre-intrusion state. Progent then initiated rebuilding and hard drive recovery on essential systems. All Exchange data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to assemble non-encrypted OST data files (Outlook Off-Line Data Files) from staff workstations in order to recover mail messages. A reasonably recent off-line backup of the business's accounting systems made it possible to return these vital applications to service. Although a lot of work was left to recover totally from the Ryuk damage, the most important services were returned to operation quickly:
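The mailbox-recovery step above depends on knowing which workstation OST/PST files the ransomware left untouched. The following triage script is an added example, not Progent's tooling or part of the case study: it walks a mounted workstation image or share, checks each OST/PST file for the real Outlook PFF header magic "!BDN", and uses a byte-entropy heuristic (the 7.5-bit threshold is an assumption) to separate encrypted files from merely damaged ones. The three sample files it scans are constructed stand-ins, not real mailbox data.

```python
import hashlib
import math
import tempfile
from pathlib import Path
from typing import Dict, List

# Every Outlook OST/PST file (PFF format) starts with the magic bytes "!BDN".
# Ransomware that encrypts the file, even only its first blocks, destroys this header.
PFF_MAGIC = b"!BDN"
OUTLOOK_EXTS = {".ost", ".pst"}
HEADER_SAMPLE = 4096  # bytes read from the start of each candidate file
ENTROPY_THRESHOLD = 7.5  # assumed cut-off: ciphertext sits near 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext approaches 8.0, zero-fill or text is far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_header(head: bytes) -> str:
    """'intact': PFF magic present; 'encrypted': magic gone and bytes look random;
    'damaged': magic gone but not random (zeroed, truncated, or not really an OST)."""
    if head.startswith(PFF_MAGIC):
        return "intact"
    if shannon_entropy(head[:HEADER_SAMPLE]) > ENTROPY_THRESHOLD:
        return "encrypted"
    return "damaged"


def triage_outlook_files(root: Path) -> Dict[str, List[str]]:
    """Bucket OST/PST files under root by recoverability. The original extension is
    matched anywhere in the name because ransomware often appends its own suffix."""
    buckets: Dict[str, List[str]] = {"intact": [], "encrypted": [], "damaged": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not OUTLOOK_EXTS & {s.lower() for s in path.suffixes}:
            continue
        with path.open("rb") as fh:
            head = fh.read(HEADER_SAMPLE)
        buckets[classify_header(head)].append(path.name)
    return buckets


def build_sample_tree(root: Path) -> None:
    """Constructed stand-ins for three workstation profiles (not real mailbox data)."""
    for ws in ("ws01", "ws02", "ws03"):
        (root / ws).mkdir()
    # Untouched OST: valid magic followed by filler.
    (root / "ws01" / "alice@example.com.ost").write_bytes(PFF_MAGIC + b"\x00" * 8192)
    # Encrypted OST with an appended ransomware extension; SHA-256 digests stand in for ciphertext.
    fake_ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    (root / "ws02" / "bob@example.com.ost.locked").write_bytes(fake_ciphertext)
    # Zero-filled PST: header gone but not ciphertext, so likely truncated or wiped.
    (root / "ws03" / "archive.pst").write_bytes(b"\x00" * 8192)


def run_demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage_outlook_files(root)


if __name__ == "__main__":
    for bucket, names in run_demo().items():
        print(f"{bucket:9s} {names}")
```

Only the "intact" bucket is worth copying to the rebuilt Exchange environment; the "damaged" bucket is where a responder looks for files that were cut off mid-write or replaced by the encryptor.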


"For the most part, the production operation did not miss a beat and we delivered all customer deliverables."

Throughout the following month important milestones in the restoration process were completed through close collaboration between Progent engineers and the customer:

  • In-house web sites were brought back up without losing any data.
  • The MailStore Server with over four million historical messages was restored to operations and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory modules were completely restored.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • Nearly all of the desktops and laptops were functioning as before the incident.

"So much of what was accomplished during the initial response is nearly entirely a haze for me, but my management will not forget the commitment each of your team put in to help get our business back. I have been working with Progent for the past 10 years, maybe more, and every time Progent has impressed me and delivered. This time was a stunning achievement."

Conclusion
A probable enterprise-killing catastrophe was dodged with dedicated experts, a broad range of knowledge, and close collaboration. In post mortem, the ransomware attack detailed here could have been identified and blocked with advanced security technology and security best practices, staff education, appropriate incident response procedures for information protection, and keeping systems up to date with security patches. Even so, state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's team of experts has extensive experience in ransomware virus blocking, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), thank you for letting me get some sleep after we made it through the most critical parts. Everyone did an impressive effort, and if any of your team is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Minnetonka a range of remote monitoring and security evaluation services to help you to reduce your vulnerability to ransomware. These services utilize modern machine learning capability to uncover new variants of crypto-ransomware that can escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting edge behavior-based analysis tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which routinely evade traditional signature-based AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to automate the entire threat progression including protection, identification, containment, remediation, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Progent is a certified SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device management, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a single console. Progent's security and virtualization experts can help your business to plan and implement a ProSight ESP deployment that meets your company's specific needs and that allows you to demonstrate compliance with government and industry data security standards. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate action. Progent can also assist your company to set up and test a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software companies to create ProSight Data Protection Services, a portfolio of subscription-based offerings that deliver backup-as-a-service. ProSight DPS products automate and monitor your data backup processes and enable non-disruptive backup and fast restoration of critical files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss resulting from equipment breakdown, natural disasters, fire, malware like ransomware, user mistakes, ill-intentioned employees, or software glitches. Managed services available in the ProSight DPS product family include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security companies to provide centralized control and comprehensive protection for your inbound and outbound email. The powerful structure of Email Guard combines a Cloud Protection Layer with a local gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email from reaching your network firewall. This reduces your vulnerability to inbound threats and saves network bandwidth and storage. Email Guard's on-premises gateway device adds a further layer of analysis for inbound email. For outbound email, the local gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also assist Exchange Server to track and safeguard internal email traffic that originates and ends within your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to diagram, monitor, optimize and troubleshoot their networking hardware such as routers, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are always current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when issues are discovered. By automating tedious management and troubleshooting processes, ProSight WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, finding devices that require important software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system operating at peak levels by tracking the health of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT management staff and your assigned Progent engineering consultant so that all looming problems can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and safeguard information related to your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save as much as half the time wasted trying to find vital information about your network. ProSight IT Asset Management features a common location for holding and sharing all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that utilizes next-generation behavior-based machine learning tools to guard endpoints, servers and VMs against new malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-based AV tools. Progent Active Security Monitoring services protect local and cloud resources and provide a single platform to automate the entire threat progression including blocking, identification, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Center: Support Desk Managed Services
    Progent's Help Center services allow your information technology group to offload Support Desk services to Progent or divide activity for Service Desk support seamlessly between your internal network support resources and Progent's extensive pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a smooth supplement to your corporate network support resources. User interaction with the Help Desk, delivery of technical assistance, issue escalation, trouble ticket creation and tracking, efficiency measurement, and maintenance of the support database are consistent regardless of whether issues are resolved by your core network support organization, by Progent, or by a combination. Read more about Progent's outsourced/shared Help Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer organizations of any size a versatile and cost-effective solution for evaluating, validating, scheduling, applying, and tracking updates to your ever-evolving information system. In addition to optimizing the protection and functionality of your IT environment, Progent's software/firmware update management services free up time for your IT team to focus on line-of-business projects and activities that derive the highest business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication managed services utilize Cisco's Duo technology to protect against stolen passwords by using two-factor authentication (2FA). Duo enables single-tap identity confirmation on iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you log into a secured application and enter your password you are requested to confirm who you are via a device that only you possess and that is accessed using a different ("out-of-band") network channel. A wide range of out-of-band devices can be used as this second means of authentication such as an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may designate multiple validation devices. For more information about Duo identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services.

For 24x7x365 Minnetonka Crypto-Ransomware Cleanup Experts, call Progent at 800-462-8800 or go to Contact Progent.