Crypto-Ransomware : Your Worst IT Nightmare
Crypto-Ransomware Recovery Consultants
Ransomware has become an escalating cyber plague that presents an enterprise-level danger for organizations poorly prepared for an attack. Earlier families such as Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock ran rampant for years and still cause damage. Modern variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, plus a daily stream of unnamed strains, not only encrypt online files but also seek out and encrypt any backups reachable from the compromised network. Data synchronized to off-site disaster recovery sites can be ransomed as well. In a poorly designed system this renders restoration useless and effectively knocks the network back to square one.

Recovering applications and data after a crypto-ransomware outage becomes a race against time as the targeted organization tries to stop the spread, clean up the ransomware and resume business-critical activity. Because ransomware needs time to move laterally, attacks are frequently launched on weekends, when a successful intrusion is likely to take longer to discover. This compounds the difficulty of rapidly marshalling and coordinating a qualified response team.

Progent offers a variety of services for protecting organizations from ransomware. These include user training to recognize and avoid phishing lures, ProSight Active Security Monitoring (ASM), which uses SentinelOne's behavior-based endpoint protection to detect and quarantine zero-day attacks automatically, and deployment of next-generation security gateways. Progent can also provide seasoned ransomware recovery professionals with the skills and commitment to rebuild a breached environment as quickly as possible.

Progent's Ransomware Recovery Help
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminals will respond with working keys to decrypt any or all of your data. Kaspersky Lab estimated that 17% of crypto-ransomware victims never recovered their files after paying, compounding the loss. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the typical demand, which ZDNet put at approximately $13,000. The alternative is to rebuild the mission-critical elements of your IT environment from scratch. Without access to intact backups, this requires a broad complement of IT skills, well-coordinated project management, and the capacity to work around the clock until the recovery is done.

For twenty years, Progent has provided professional IT services for companies in Los Angeles and throughout the US and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold top certifications in key technologies from Microsoft, Cisco, VMware and the major Linux distributions. Progent's cyber security engineers have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC and SANS GIAC (see Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise allows Progent to rapidly identify the systems that matter, salvage the surviving pieces of your network after a crypto-ransomware penetration, and rebuild them into a functioning whole.

Progent's recovery team uses state-of-the-art project management systems to coordinate the complicated recovery process. Progent understands the urgency of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and get the most important applications back online as soon as humanly possible.

Business Case Study: A Successful Ransomware Incident Recovery
A business hired Progent after its operations were brought down by the Ryuk crypto-ransomware. Ryuk was initially linked to North Korean state-sponsored actors because of code it shares with the earlier Hermes ransomware, but subsequent research attributed it to a Russian-speaking criminal group tracked as Wizard Spider. Ryuk targets specific companies with little or no tolerance for operational disruption and has been among the most profitable ransomware operations. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk event had shut down all business operations and manufacturing processes. Most of the client's data backups had been directly accessible from the network at the time of the attack and were encrypted along with everything else. The client was actively seeking loans to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.


"I cannot tell you enough in regards to the support Progent provided us during the most critical time of (our) company's existence. We would have paid the Hackers except for the confidence the Progent experts gave us. That you could get our messaging and key applications back into operation faster than seven days was earth shattering. Every single person I talked with or messaged at Progent was laser focused on getting our system up and was working at all hours on our behalf."

Progent worked with the client to quickly identify and prioritize the critical applications that had to be restored for business operations to continue:

  • Microsoft Active Directory
  • Electronic Messaging
  • MRP System
To begin, Progent followed incident response best practices by containing the spread and eradicating the malware from affected systems. Progent then began rebuilding Windows Active Directory, the foundational technology of enterprise networks built on Microsoft products. Microsoft Exchange Server will not operate without Active Directory, and the business's MRP applications ran on Microsoft SQL Server, which in this environment relied on Active Directory (Windows authentication) for access to the database.

In less than two days, Progent rebuilt Windows Active Directory to its pre-incident state. Progent then pressed ahead with reinstallations and hard drive recovery on the most important servers. The Exchange-related objects and attributes in Active Directory were intact, which greatly simplified the rebuild of Exchange. Progent was also able to locate intact OST files (Microsoft Outlook Offline Folder Files) on staff PCs and laptops to recover mailbox data. A fairly recent offline backup of the business's accounting/MRP software made it possible to bring those required applications back to users. Although a great deal of work remained to recover fully from the Ryuk damage, critical systems were restored quickly:


"For the most part, the assembly line operation was never shut down and we delivered all customer shipments."

Over the next month, important milestones in the restoration project were reached in close collaboration between Progent and the customer:

  • Self-hosted web sites were returned to operation without any data loss.
  • The MailStore email archive server with over four million archived messages was brought back online for users.
  • CRM, orders, invoicing, accounts payable, accounts receivable and inventory functions were fully recovered.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Nearly all user desktops were functioning as before the incident.

"So much of what was accomplished that first week is mostly a blur for me, but my team will not forget the dedication each and every one of your team put in to give us our company back. I have been working with Progent for the past 10 years, possibly more, and each time Progent has shined and delivered as promised. This event was the most impressive ever."

Conclusion
A potentially business-killing disaster was averted through the efforts of hard-working professionals, a wide array of subject matter expertise, and close collaboration. In hindsight, the attack described here should have been detected and stopped by modern security tooling, NIST Cybersecurity Framework practices, staff education, and sound procedures for backups (including copies kept offline or otherwise unreachable from the production network) and for applying software patches. The reality remains that well-resourced criminal and state-sponsored groups, from Russia, North Korea and elsewhere, are relentless and are not going away. If you are hit by a ransomware intrusion, Progent's roster of experts has a proven track record in ransomware prevention, cleanup, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), thanks very much for letting me get some sleep after we got past the most critical parts. All of you did an incredible effort, and if any of your team is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Los Angeles a variety of remote monitoring and security evaluation services designed to reduce the threat from ransomware. These services incorporate modern AI capability to uncover zero-day variants of crypto-ransomware that escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's behavior-based machine learning tools to defend physical and virtual endpoints against modern malware such as ransomware and fileless exploits, which routinely get past legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to manage the entire threat lifecycle, including blocking, identification, containment, remediation, and post-attack forensics. Top features include single-click rollback based on Windows Volume Shadow Copy Service (VSS) snapshots and automatic system-wide immunization against newly seen threats. Because most ransomware families delete shadow copies before encrypting, rollback depends on the agent protecting those snapshots rather than on the default VSS configuration. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
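The bullets above and the Active Defense entry further down describe behavior-based detection without saying what a behavioral engine actually looks at. The script below is an added illustration, not SentinelOne's or Progent's detection logic and not code from this page: it replays a constructed set of file-system events (one process that encrypts documents and renames them with a new extension, one word processor, one archiver) and flags only the process that combines a rename burst to a single new extension with writes whose bytes have the near-random entropy of ciphertext. The thresholds, process IDs, paths and the .RYK extension are assumptions chosen for the example.

```python
"""
Behavior-based ransomware heuristic over constructed file-system events.

Added illustration for this page, not SentinelOne's or Progent's detection
logic. It shows two signals a behavior-based engine can key on where a
signature scanner has nothing to match: a burst of renames by one process
to a single new extension, combined with writes whose bytes look random
(high Shannon entropy), as encrypted output does.
"""
from __future__ import annotations

import math
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float           # seconds since start of the capture
    pid: int            # process that performed the operation
    op: str             # "write" or "rename"
    path: str           # path written, or the new path after a rename
    data: bytes = b""   # sample of the bytes written (empty for renames)
    old_path: str = ""  # previous path (renames only)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension(path: str) -> str:
    """Lower-cased final extension of the file name, '' if it has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def max_in_window(times: list[float], window: float) -> int:
    """Largest number of timestamps that fall inside any interval of `window` seconds."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def score_processes(events, window=10.0, rename_threshold=20,
                    entropy_threshold=7.0, high_entropy_share=0.8):
    """Return {pid: details} for every process showing both signals together."""
    renames = defaultdict(lambda: defaultdict(list))  # pid -> new extension -> [ts]
    writes = defaultdict(list)                        # pid -> [entropy of each write]
    for ev in events:
        if ev.op == "rename" and extension(ev.path) != extension(ev.old_path):
            renames[ev.pid][extension(ev.path)].append(ev.ts)
        elif ev.op == "write":
            writes[ev.pid].append(shannon_entropy(ev.data))

    flagged = {}
    for pid, by_ext in renames.items():
        # Densest rename burst into any single new extension
        ext, burst = max(((e, max_in_window(t, window)) for e, t in by_ext.items()),
                         key=lambda item: item[1])
        ents = writes.get(pid, [])
        share = sum(e >= entropy_threshold for e in ents) / len(ents) if ents else 0.0
        if burst >= rename_threshold and share >= high_entropy_share:
            flagged[pid] = {"new_extension": ext, "renames_in_window": burst,
                            "high_entropy_write_share": round(share, 2)}
    return flagged


def sample_events() -> list[Event]:
    """Constructed capture: one encryptor, one word processor, one archiver (assumed PIDs)."""
    rng = random.Random(7)

    def noise() -> bytes:            # stands in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(4096))

    text = b"Quarterly production report. Line 3 output met target.\n" * 70
    events = []
    # pid 4242: overwrites 30 documents in 6 s and renames each to .RYK
    for i in range(30):
        doc = f"C:/Shares/Finance/report{i}.docx"
        events.append(Event(0.2 * i, 4242, "write", doc, noise()))
        events.append(Event(0.2 * i + 0.05, 4242, "rename", doc + ".RYK", old_path=doc))
    # pid 1300: autosaves plain text and swaps a .tmp into place twice (benign)
    for i in range(2):
        tmp = f"C:/Users/jdoe/~WRD{i}.tmp"
        events.append(Event(1.0 + i, 1300, "write", tmp, text))
        events.append(Event(1.5 + i, 1300, "rename", f"C:/Users/jdoe/memo{i}.docx", old_path=tmp))
    # pid 2200: writes high-entropy archives but renames nothing (benign)
    for i in range(25):
        events.append(Event(0.3 * i, 2200, "write", f"D:/Backups/set{i}.zip", noise()))
    return events


if __name__ == "__main__":
    for pid, details in score_processes(sample_events()).items():
        print(pid, details)
```

Requiring both signals is what keeps the archiver (high entropy, no renames) and the word processor (renames, low entropy) out of the verdict; a production engine adds many more signals, such as shadow-copy deletion and ransom-note drops, and acts on the process rather than just reporting it.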

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and response to attacks from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies incorporated in a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business plan and configure a ProSight ESP environment that addresses your company's specific requirements and helps you demonstrate compliance with legal and industry data protection regulations. Progent will help you specify and configure the security policies that ProSight ESP enforces, and Progent will monitor your network and react to alerts that call for urgent attention. Progent can also help your company set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore technology companies to create ProSight Data Protection Services, a family of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your backup processes and allow non-disruptive backup and rapid restoration of vital files, applications, system images, and virtual machines. ProSight DPS helps you recover from data loss caused by equipment failures, natural disasters, fire, malware such as ransomware, human error, malicious insiders, or application faults. Managed backup services in the ProSight DPS family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security companies to provide web-based management and comprehensive security for your inbound and outbound email. The hybrid architecture of Email Guard combines cloud-based filtering with a local security gateway appliance to provide advanced protection against spam, viruses, denial of service (DoS) attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter serves as a first barrier and blocks the vast majority of threats before they reach your security perimeter. This reduces your exposure to external threats and saves bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper layer of analysis for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server monitor and safeguard internal email traffic that stays inside your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, monitor, enhance and troubleshoot their networking hardware like switches, firewalls, and access points plus servers, printers, client computers and other networked devices. Using cutting-edge RMM technology, WAN Watch makes sure that network diagrams are kept updated, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and sends alerts when potential issues are discovered. By automating tedious management and troubleshooting activities, WAN Watch can cut hours off ordinary tasks like network mapping, reconfiguring your network, locating appliances that require critical software patches, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your network running at peak levels by tracking the state of the vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT personnel and your Progent engineering consultant so potential problems can be resolved before they disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be moved easily to a different hardware platform without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard information about your IT infrastructure, procedures, business applications, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as half of the time spent trying to find critical information about your network. ProSight IT Asset Management includes a common location for holding and sharing all documents required for managing your business network, such as recommended procedures and how-tos. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need when you need it. Learn more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that uses behavior-based analysis to guard endpoint devices, servers and VMs against new malware such as ransomware and fileless exploits, which easily evade traditional signature-matching AV tools. The service safeguards local and cloud resources and offers a unified platform to manage the complete attack lifecycle, including blocking, infiltration detection, containment, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Help Center: Help Desk Managed Services
    Progent's Help Desk services permit your information technology team to outsource Call Center services to Progent or divide activity for Service Desk support transparently between your internal network support staff and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a transparent extension of your core network support staff. User access to the Help Desk, delivery of support, issue escalation, ticket generation and tracking, performance measurement, and maintenance of the support database are cohesive whether issues are resolved by your internal support organization, by Progent, or by a combination. Find out more about Progent's outsourced/shared Help Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide organizations of all sizes a flexible and cost-effective alternative for assessing, testing, scheduling, implementing, and documenting updates to your ever-evolving information system. Besides optimizing the security and reliability of your IT environment, Progent's patch management services free up time for your IT team to concentrate on more strategic projects and tasks that derive the highest business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA services incorporate Cisco's Duo cloud technology to defend against stolen passwords through two-factor authentication (2FA). Duo enables one-tap identity verification with iOS, Android, and other personal devices. With 2FA, when you sign into a protected application and enter your password you are asked to confirm who you are through a device that only you possess and that is reached over a separate channel. A broad selection of devices can serve as this second form of identity validation, including an iPhone, an Android phone, a smartwatch, a hardware token, or a landline phone. You can designate several verification devices. To find out more about Duo two-factor identity authentication services, go to Duo MFA two-factor authentication (2FA) services for access security.
For Los Angeles 24x7x365 ransomware cleanup consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.