Crypto-Ransomware : Your Feared IT Disaster
Crypto-Ransomware Recovery Experts
Ransomware has become a modern cyberplague that poses an existential danger for organizations vulnerable to an assault. Multiple generations of crypto-ransomware such as CrySIS, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for a long time and still inflict damage. Recent strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, as well as more as yet unnamed viruses, not only encrypt online information but also infiltrate many configured system restores and backups. Files synchronized to the cloud can also be rendered useless. In a poorly architected system, this can make automatic restore operations hopeless and effectively sets the entire system back to square one.

Retrieving programs and information following a crypto-ransomware event becomes a race against time as the targeted organization struggles to contain and clean up the infection and to restore mission-critical operations. Since crypto-ransomware takes time to spread, attacks are usually launched on weekends and holidays, when penetrations tend to take longer to uncover. This compounds the difficulty of quickly mobilizing and organizing an experienced response team.

Progent makes available an assortment of help services for securing enterprises from ransomware penetrations. Among these are team training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus installation of next-generation security appliances with AI technology from SentinelOne to discover and suppress day-zero threats intelligently. Progent also provides the assistance of experienced crypto-ransomware recovery professionals with the talent and perseverance to restore a breached system as quickly as possible.

Progent's Ransomware Recovery Help
Subsequent to a ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not ensure that criminal gangs will provide the codes to decrypt all your information. Kaspersky Labs determined that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in more losses. The ransom itself is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to piece back together the vital parts of your Information Technology environment. Absent the availability of essential system backups, this requires a broad range of IT skills, top-notch team management, and the willingness to work 24x7 until the task is over.

For decades, Progent has made available professional Information Technology services for companies in Denver and throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained advanced certifications in key technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security experts have garnered internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has experience with financial systems and ERP software solutions. This breadth of expertise gives Progent the ability to efficiently identify critical systems, consolidate the surviving components of your computer network after a ransomware penetration, and configure them into a functioning system.

Progent's security team has top-notch project management systems to coordinate the complicated recovery process. Progent knows the importance of acting swiftly and in concert with a customer's management and Information Technology team members to assign priority to tasks and to put critical applications back online as fast as humanly possible.

Client Case Study: A Successful Ransomware Intrusion Recovery
A business engaged Progent after their company was crashed by the Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean state criminal gangs, suspected of adopting techniques exposed from the U.S. National Security Agency. Ryuk seeks specific companies with limited tolerance for operational disruption and is one of the most profitable examples of ransomware malware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer based in Chicago with around 500 workers. The Ryuk event had disabled all company operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were damaged. The client considered paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.


"I cannot tell you enough about the support Progent gave us throughout the most fearful period of (our) business's life. We would have paid the cybercriminals except for the confidence the Progent team afforded us. That you were able to get our e-mail and key applications back on-line quicker than one week was amazing. Every single staff member I worked with or communicated with at Progent was totally committed to getting us working again and was working non-stop on our behalf."

Progent worked together with the client to quickly identify and prioritize the key elements that needed to be addressed to make it possible to restart company functions:

  • Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software

To get going, Progent followed ransomware penetration response best practices by stopping the spread and removing active viruses. Progent then began the process of recovering Microsoft Active Directory, the heart of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server email will not work without Windows AD, and the business's accounting and MRP system used SQL Server, which depends on Active Directory for access to the data.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then initiated setup and storage recovery on essential applications. All Exchange Server data and configuration information were intact, which greatly helped the restore of Exchange. Progent was able to locate non-encrypted OST data files (Outlook Email Off-Line Folder Files) on staff workstations and laptops in order to recover mail information. A recent offline backup of the customer's financials/ERP software made it possible to return these vital services back online. Although a lot of work needed to be completed to recover fully from the Ryuk virus, the most important services were recovered quickly:


"For the most part, the production manufacturing operation never missed a beat and we made all customer sales."

Over the following month, critical milestones in the recovery process were completed through close cooperation between Progent engineers and the customer:

  • Self-hosted web sites were returned to operation with no loss of data.
  • The MailStore Microsoft Exchange Server with over 4 million historical messages was brought online and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/AR/Inventory functions were 100% functional.
  • A new Palo Alto 850 security appliance was brought online.
  • Most of the user desktops and notebooks were functioning as before the incident.

"A huge amount of what happened that first week is nearly entirely a blur for me, but our team will not soon forget the countless hours all of you accomplished to help get our company back. I've trusted Progent for the past 10 years, possibly more, and each time Progent has impressed me and delivered. This time was a life saver."

Conclusion
A potential business disaster was dodged through the efforts of dedicated professionals, a wide array of knowledge, and tight collaboration. After-the-fact analysis showed that the ransomware attack described here could have been identified and disabled with modern security solutions and security best practices, user and IT administrator education, and properly executed incident response procedures for information protection and software patching. Even so, the reality remains that state-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's team of professionals has a proven track record in ransomware virus defense, cleanup, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thank you for making it so I could get rested after we made it past the initial push. Everyone made a fabulous effort, and if anyone that helped is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Denver a range of online monitoring and security assessment services to help you to reduce your vulnerability to crypto-ransomware. These services incorporate modern AI technology to uncover zero-day variants of ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's next-generation behavioral machine learning technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which easily get by legacy signature-based AV tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a single platform to address the entire threat lifecycle including blocking, detection, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to security assaults from all vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint control, and web filtering through cutting-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP deployment that meets your company's specific requirements and that allows you to prove compliance with legal and industry data security regulations. Progent will help you define and configure the policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent's consultants can also help your company to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with leading backup/restore software companies to produce ProSight Data Protection Services (DPS), a family of offerings that provide backup-as-a-service. ProSight DPS services manage and track your data backup processes and enable non-disruptive backup and rapid restoration of vital files, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss resulting from equipment failures, natural disasters, fire, malware such as ransomware, human mistakes, malicious employees, or software bugs. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security vendors to deliver centralized management and comprehensive protection for all your inbound and outbound email. The hybrid structure of the Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. The cloud filter serves as a preliminary barricade and blocks most threats from reaching your security perimeter. This decreases your exposure to external attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway appliance adds a further level of analysis for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam filtering, DLP, and email encryption. The local security gateway can also assist Exchange Server to monitor and protect internal email traffic that originates and ends inside your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to map out, track, optimize and debug their networking appliances like routers, switches, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and manages the configuration information of virtually all devices on your network, tracks performance, and sends alerts when problems are detected. By automating complex network management activities, ProSight WAN Watch can cut hours off ordinary chores like making network diagrams, expanding your network, locating devices that need important software patches, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by checking the health of critical assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your designated IT staff and your assigned Progent consultant so that all looming problems can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be ported easily to an alternate hosting environment without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard data about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By updating and managing your network documentation, you can eliminate up to 50% of time spent looking for vital information about your network. ProSight IT Asset Management features a common repository for holding and sharing all documents required for managing your business network, like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates next-generation behavior analysis technology to defend endpoints, servers and VMs against new malware assaults such as ransomware and email phishing, which easily get by traditional signature-matching AV tools. Progent Active Security Monitoring services protect local and cloud-based resources and provide a single platform to address the complete malware attack lifecycle including filtering, detection, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Read more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Help Center: Support Desk Managed Services
    Progent's Help Desk managed services enable your IT group to outsource Call Center services to Progent or divide activity for support services seamlessly between your internal network support resources and Progent's nationwide roster of IT support engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless extension of your in-house network support staff. End user interaction with the Service Desk, delivery of technical assistance, issue escalation, ticket generation and updates, efficiency metrics, and management of the support database are cohesive regardless of whether issues are resolved by your in-house IT support organization, by Progent, or both. Learn more about Progent's outsourced/co-managed Service Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer businesses of any size a flexible and affordable alternative for evaluating, validating, scheduling, implementing, and documenting updates to your dynamic IT system. Besides optimizing the security and reliability of your computer environment, Progent's software/firmware update management services allow your IT team to concentrate on line-of-business projects and tasks that deliver maximum business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication managed services utilize Cisco's Duo technology to protect against stolen passwords by using two-factor authentication. Duo supports one-tap identity verification on iOS, Google Android, and other personal devices. Using Duo 2FA, when you log into a secured application and enter your password you are requested to verify your identity via a device that only you have and that uses a different network channel. A broad range of out-of-band devices can be utilized as this second form of authentication, such as a smartphone or watch, a hardware token, or a landline telephone. You may register several validation devices. For details about Duo two-factor identity authentication services, go to Duo MFA two-factor authentication (2FA) services for access security.

For 24/7/365 Denver Ransomware Recovery Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.