Crypto-Ransomware : Your Crippling Information Technology Disaster
Crypto-Ransomware  Remediation ConsultantsRansomware has become an escalating cyberplague that presents an existential danger for businesses of all sizes unprepared for an assault. Versions of crypto-ransomware like the CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for a long time and still cause havoc. More recent strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Egregor, along with daily unnamed malware, not only do encryption of on-line information but also infiltrate any available system backup. Files synchronized to the cloud can also be ransomed. In a poorly architected environment, it can render automatic recovery impossible and basically sets the network back to square one.

Restoring applications and data following a crypto-ransomware attack becomes a race against time as the targeted business tries its best to stop the spread and eradicate the virus and to restore business-critical activity. Since ransomware needs time to spread, attacks are usually sprung on weekends and holidays, when penetrations tend to take more time to recognize. This multiplies the difficulty of promptly assembling and orchestrating a qualified mitigation team.

Progent has a range of help services for securing organizations from ransomware penetrations. These include team training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation security gateways with artificial intelligence capabilities from SentinelOne to identify and quarantine zero-day threats quickly. Progent also offers the services of veteran ransomware recovery consultants with the talent and perseverance to reconstruct a breached environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
Soon after a ransomware event, paying the ransom demands in Bitcoin cryptocurrency does not guarantee that merciless criminals will return the keys to decrypt all your information. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their information even after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the usual crypto-ransomware demands, which ZDNET determined to be around $13,000. The fallback is to piece back together the key elements of your IT environment. Without access to essential information backups, this calls for a broad complement of IT skills, professional project management, and the capability to work 24x7 until the job is over.

For decades, Progent has offered professional IT services for companies in Minnetonka and throughout the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained top certifications in important technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity consultants have earned internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in accounting and ERP applications. This breadth of experience provides Progent the skills to knowledgably identify critical systems and re-organize the remaining pieces of your network system after a ransomware event and rebuild them into an operational system.

Progent's recovery group deploys state-of-the-art project management applications to coordinate the sophisticated recovery process. Progent understands the urgency of working rapidly and in unison with a customer's management and Information Technology team members to prioritize tasks and to put key services back on line as soon as humanly possible.

Client Story: A Successful Ransomware Penetration Response
A customer escalated to Progent after their network system was crashed by Ryuk ransomware. Ryuk is thought to have been created by North Korean state cybercriminals, suspected of using strategies exposed from America's NSA organization. Ryuk attacks specific businesses with limited ability to sustain disruption and is one of the most profitable incarnations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in Chicago with about 500 employees. The Ryuk event had shut down all company operations and manufacturing processes. Most of the client's information backups had been online at the time of the intrusion and were damaged. The client was taking steps for paying the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.


"I cannot speak enough about the care Progent gave us throughout the most critical period of (our) company's life. We may have had to pay the cybercriminals if not for the confidence the Progent experts afforded us. The fact that you were able to get our messaging and important applications back into operation sooner than one week was earth shattering. Each expert I spoke to or texted at Progent was totally committed on getting us operational and was working day and night on our behalf."

Progent worked together with the customer to rapidly identify and assign priority to the essential elements that needed to be recovered in order to continue company functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • MRP System
To start, Progent followed ransomware penetration mitigation best practices by halting the spread and performing virus removal steps. Progent then initiated the process of restoring Microsoft AD, the heart of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange email will not function without AD, and the client's MRP system leveraged Microsoft SQL Server, which needs Windows AD for access to the information.

In less than 2 days, Progent was able to rebuild Active Directory services to its pre-penetration state. Progent then performed setup and storage recovery on needed servers. All Microsoft Exchange Server schema and attributes were usable, which accelerated the restore of Exchange. Progent was able to assemble local OST data files (Outlook Off-Line Data Files) on various PCs and laptops in order to recover mail messages. A recent off-line backup of the businesses financials/ERP software made it possible to restore these essential programs back online for users. Although significant work needed to be completed to recover totally from the Ryuk event, critical systems were returned to operations rapidly:


"For the most part, the production manufacturing operation survived unscathed and we produced all customer shipments."

During the next month critical milestones in the recovery process were made in close cooperation between Progent consultants and the customer:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore Microsoft Exchange Server containing more than four million historical emails was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were completely operational.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Most of the user PCs were operational.

"A huge amount of what was accomplished in the early hours is mostly a haze for me, but my team will not forget the care each and every one of the team put in to give us our business back. I've utilized Progent for the past ten years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A probable enterprise-killing disaster was dodged through the efforts of dedicated experts, a wide range of IT skills, and tight collaboration. Although in post mortem the crypto-ransomware attack detailed here would have been blocked with current cyber security technology solutions and security best practices, staff education, and well thought out incident response procedures for data protection and proper patching controls, the reality is that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's roster of experts has proven experience in ransomware virus defense, removal, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were involved), thanks very much for allowing me to get rested after we got past the initial push. All of you did an incredible job, and if any of your guys is around the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Minnetonka a range of online monitoring and security evaluation services designed to help you to reduce your vulnerability to ransomware. These services include next-generation AI capability to uncover new strains of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next generation behavior-based analysis tools to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which easily get by legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to address the complete malware attack lifecycle including blocking, identification, containment, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device management, and web filtering through leading-edge technologies packaged within one agent managed from a single control. Progent's data protection and virtualization experts can assist your business to design and configure a ProSight ESP deployment that addresses your organization's unique requirements and that helps you prove compliance with government and industry information security standards. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require immediate attention. Progent can also help you to install and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with advanced backup/restore technology companies to produce ProSight Data Protection Services, a family of management offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup processes and enable non-disruptive backup and rapid recovery of important files, applications, images, and VMs. ProSight DPS lets you recover from data loss caused by equipment failures, natural calamities, fire, cyber attacks like ransomware, human error, ill-intentioned employees, or application bugs. Managed backup services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to determine which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading data security companies to provide centralized control and world-class protection for your email traffic. The powerful architecture of Progent's Email Guard combines cloud-based filtering with a local security gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from making it to your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway device provides a further layer of analysis for inbound email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays within your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map, track, reconfigure and debug their networking appliances such as routers and switches, firewalls, and access points as well as servers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology diagrams are always current, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when potential issues are discovered. By automating tedious management processes, WAN Watch can knock hours off ordinary tasks such as making network diagrams, reconfiguring your network, locating appliances that need critical software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your IT system running at peak levels by tracking the health of critical computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT management personnel and your assigned Progent consultant so all potential issues can be resolved before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved immediately to a different hardware solution without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSLs ,domains or warranties. By updating and organizing your IT documentation, you can save as much as 50% of time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates next generation behavior-based analysis technology to guard endpoint devices as well as physical and virtual servers against new malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-based anti-virus tools. Progent Active Security Monitoring services safeguard local and cloud resources and offers a unified platform to automate the entire threat lifecycle including filtering, infiltration detection, containment, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Service Center: Help Desk Managed Services
    Progent's Call Desk managed services enable your IT team to offload Support Desk services to Progent or split responsibilities for Help Desk services seamlessly between your in-house network support team and Progent's nationwide roster of IT service engineers and subject matter experts. Progent's Shared Service Desk provides a seamless extension of your corporate support organization. Client interaction with the Help Desk, provision of support, escalation, ticket generation and updates, efficiency measurement, and maintenance of the support database are consistent regardless of whether issues are resolved by your internal IT support organization, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of all sizes a versatile and affordable solution for assessing, validating, scheduling, applying, and documenting updates to your dynamic IT system. In addition to maximizing the protection and functionality of your computer environment, Progent's software/firmware update management services allow your IT team to focus on more strategic initiatives and activities that derive the highest business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to protect against password theft through the use of two-factor authentication (2FA). Duo enables one-tap identity confirmation with Apple iOS, Android, and other out-of-band devices. With 2FA, when you log into a protected online account and enter your password you are asked to confirm who you are via a device that only you have and that uses a different ("out-of-band") network channel. A wide range of devices can be utilized for this added form of ID validation including an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You may register multiple verification devices. For details about ProSight Duo two-factor identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.
For 24x7x365 Minnetonka Crypto-Ransomware Remediation Support Services, contact Progent at 800-462-8800 or go to Contact Progent.