Crypto-Ransomware : Your Worst Information Technology Disaster
Crypto-Ransomware  Recovery ProfessionalsRansomware has become a modern cyber pandemic that represents an existential threat for businesses of all sizes poorly prepared for an assault. Multiple generations of crypto-ransomware like the Dharma, Fusob, Locky, NotPetya and MongoLock cryptoworms have been around for many years and still inflict havoc. The latest variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as daily as yet unnamed malware, not only encrypt on-line critical data but also infect all available system protection mechanisms. Data synched to off-site disaster recovery sites can also be corrupted. In a vulnerable data protection solution, this can make automated restore operations impossible and effectively knocks the entire system back to zero.

Recovering applications and information following a crypto-ransomware outage becomes a race against the clock as the victim struggles to contain and cleanup the ransomware and to resume enterprise-critical operations. Because ransomware needs time to replicate, attacks are frequently sprung during nights and weekends, when penetrations may take longer to discover. This multiplies the difficulty of quickly mobilizing and organizing a capable response team.

Progent provides an assortment of help services for securing enterprises from crypto-ransomware events. These include team member education to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security appliances with machine learning technology from SentinelOne to detect and extinguish zero-day cyber threats quickly. Progent in addition can provide the assistance of expert crypto-ransomware recovery consultants with the talent and commitment to rebuild a compromised environment as soon as possible.

Progent's Ransomware Restoration Help
Following a ransomware attack, sending the ransom demands in cryptocurrency does not guarantee that criminal gangs will return the needed keys to decipher any of your information. Kaspersky estimated that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the usual ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to piece back together the vital elements of your Information Technology environment. Without access to complete data backups, this calls for a broad complement of skill sets, professional project management, and the capability to work non-stop until the job is finished.

For twenty years, Progent has provided professional Information Technology services for companies in Denver and throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security experts have earned internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has expertise with accounting and ERP software solutions. This breadth of experience affords Progent the capability to knowledgably identify critical systems and integrate the surviving pieces of your Information Technology environment after a ransomware event and assemble them into an operational system.

Progent's ransomware group uses powerful project management tools to coordinate the complicated recovery process. Progent knows the importance of working quickly and in concert with a client's management and Information Technology team members to assign priority to tasks and to get the most important applications back on-line as soon as possible.

Business Case Study: A Successful Ransomware Penetration Restoration
A business contacted Progent after their organization was penetrated by the Ryuk ransomware. Ryuk is generally considered to have been developed by Northern Korean state sponsored criminal gangs, possibly using technology exposed from the U.S. National Security Agency. Ryuk targets specific organizations with little room for operational disruption and is one of the most lucrative versions of ransomware malware. Well Known organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in Chicago with about 500 workers. The Ryuk intrusion had paralyzed all essential operations and manufacturing capabilities. The majority of the client's backups had been online at the time of the intrusion and were destroyed. The client considered paying the ransom (in excess of $200,000) and wishfully thinking for good luck, but ultimately brought in Progent.


"I can't say enough about the care Progent gave us throughout the most fearful time of (our) businesses survival. We would have paid the Hackers except for the confidence the Progent group provided us. The fact that you were able to get our e-mail system and important applications back quicker than a week was amazing. Each expert I talked with or messaged at Progent was totally committed on getting us back online and was working day and night to bail us out."

Progent worked with the client to quickly determine and prioritize the most important elements that needed to be restored to make it possible to resume departmental operations:

  • Windows Active Directory
  • Microsoft Exchange
  • Financials/MRP
To start, Progent adhered to ransomware event response best practices by stopping the spread and performing virus removal steps. Progent then initiated the steps of restoring Windows Active Directory, the heart of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange messaging will not function without Windows AD, and the customer's MRP software utilized Microsoft SQL Server, which requires Windows AD for security authorization to the data.

In less than 2 days, Progent was able to rebuild Active Directory services to its pre-penetration state. Progent then accomplished rebuilding and storage recovery of essential applications. All Microsoft Exchange Server data and configuration information were intact, which facilitated the restore of Exchange. Progent was able to assemble local OST data files (Microsoft Outlook Offline Folder Files) on user desktop computers to recover email data. A not too old off-line backup of the customer's accounting/ERP systems made it possible to restore these required services back online for users. Although significant work still had to be done to recover fully from the Ryuk damage, the most important systems were restored rapidly:


"For the most part, the assembly line operation was never shut down and we delivered all customer deliverables."

Throughout the next month important milestones in the recovery project were accomplished through close collaboration between Progent consultants and the client:

  • Internal web sites were restored with no loss of data.
  • The MailStore Exchange Server exceeding 4 million historical emails was spun up and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were fully restored.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Nearly all of the user desktops and notebooks were operational.

"So much of what was accomplished those first few days is mostly a blur for me, but my team will not forget the care each of you accomplished to help get our business back. I have been working together with Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A probable business-ending catastrophe was averted by results-oriented professionals, a wide spectrum of IT skills, and close collaboration. Although in analyzing the event afterwards the ransomware virus penetration described here should have been disabled with modern security technology and security best practices, user education, and well thought out security procedures for data backup and keeping systems up to date with security patches, the reality is that state-sponsored cyber criminals from Russia, China and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware incursion, feel confident that Progent's team of professionals has extensive experience in ransomware virus defense, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), I'm grateful for letting me get rested after we made it past the most critical parts. All of you did an amazing effort, and if any of your team is in the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Denver a range of online monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services utilize next-generation machine learning capability to uncover zero-day variants of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior machine learning technology to defend physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely get by traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to manage the entire threat progression including protection, identification, mitigation, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, endpoint control, and web filtering through cutting-edge tools packaged within a single agent managed from a single console. Progent's security and virtualization consultants can help you to design and implement a ProSight ESP environment that addresses your organization's specific needs and that helps you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for immediate attention. Progent's consultants can also help your company to set up and verify a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with leading backup technology companies to create ProSight Data Protection Services (DPS), a family of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS products manage and monitor your data backup operations and allow non-disruptive backup and rapid restoration of important files/folders, apps, system images, plus VMs. ProSight DPS helps your business recover from data loss caused by hardware failures, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned insiders, or software bugs. Managed services in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security vendors to provide web-based management and comprehensive security for all your inbound and outbound email. The powerful structure of Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to provide complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and blocks most unwanted email from making it to your security perimeter. This reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's on-premises gateway device provides a further level of inspection for incoming email. For outbound email, the local security gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to diagram, track, enhance and debug their networking appliances such as routers and switches, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network maps are always updated, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are discovered. By automating complex management activities, ProSight WAN Watch can cut hours off ordinary chores like making network diagrams, expanding your network, locating appliances that require important updates, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by checking the state of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT management personnel and your Progent consultant so that any potential issues can be resolved before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting model, the customer owns the data, the OS software, and the apps. Because the system is virtualized, it can be moved easily to a different hardware environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect information about your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSLs or warranties. By updating and organizing your IT documentation, you can save up to 50% of time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting edge behavior analysis tools to defend endpoint devices as well as physical and virtual servers against new malware assaults like ransomware and email phishing, which routinely escape traditional signature-matching AV tools. Progent Active Security Monitoring services protect local and cloud-based resources and provides a unified platform to automate the entire threat lifecycle including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Center: Support Desk Managed Services
    Progent's Call Desk managed services enable your IT staff to outsource Help Desk services to Progent or divide responsibilities for support services seamlessly between your in-house network support team and Progent's nationwide roster of IT support engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a seamless supplement to your corporate network support group. User interaction with the Help Desk, delivery of technical assistance, escalation, ticket generation and tracking, efficiency measurement, and management of the support database are consistent whether issues are taken care of by your core IT support organization, by Progent, or a mix of the two. Find out more about Progent's outsourced/shared Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a versatile and affordable alternative for assessing, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT system. In addition to optimizing the security and functionality of your computer network, Progent's patch management services free up time for your in-house IT team to focus on more strategic projects and activities that derive maximum business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo MFA services utilize Cisco's Duo technology to protect against compromised passwords through the use of two-factor authentication. Duo enables single-tap identity verification on Apple iOS, Android, and other personal devices. With 2FA, whenever you sign into a protected online account and enter your password you are requested to confirm your identity on a unit that only you possess and that is accessed using a separate network channel. A broad selection of devices can be utilized for this second form of authentication including an iPhone or Android or wearable, a hardware/software token, a landline phone, etc. You can designate multiple validation devices. To learn more about ProSight Duo identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of real-time management reporting tools created to integrate with the industry's leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as spotty support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For 24x7 Denver Crypto Recovery Experts, call Progent at 800-462-8800 or go to Contact Progent.