Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware  Remediation ExpertsRansomware has become a too-frequent cyberplague that represents an extinction-level threat for businesses of all sizes vulnerable to an attack. Different versions of crypto-ransomware such as Reveton, WannaCry, Locky, Syskey and MongoLock cryptoworms have been running rampant for many years and still inflict destruction. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, plus frequent as yet unnamed viruses, not only do encryption of on-line data but also infiltrate many accessible system backups. Files replicated to cloud environments can also be rendered useless. In a poorly architected environment, this can make automated restore operations impossible and basically knocks the entire system back to square one.

Getting back applications and data after a ransomware intrusion becomes a race against time as the victim fights to contain and cleanup the ransomware and to resume business-critical operations. Due to the fact that ransomware takes time to move laterally, attacks are frequently launched during nights and weekends, when attacks are likely to take longer to discover. This compounds the difficulty of quickly marshalling and coordinating a capable mitigation team.

Progent makes available a range of services for securing businesses from crypto-ransomware penetrations. Among these are team training to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of the latest generation security solutions with machine learning technology from SentinelOne to identify and quarantine day-zero threats rapidly. Progent also offers the services of expert ransomware recovery engineers with the talent and commitment to reconstruct a breached system as rapidly as possible.

Progent's Ransomware Restoration Help
Soon after a ransomware attack, sending the ransom demands in Bitcoin cryptocurrency does not guarantee that merciless criminals will respond with the needed codes to decrypt any or all of your files. Kaspersky ascertained that 17% of ransomware victims never restored their files after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET estimates to be approximately $13,000. The alternative is to re-install the vital parts of your Information Technology environment. Absent the availability of full system backups, this requires a wide complement of skills, top notch project management, and the ability to work continuously until the job is complete.

For twenty years, Progent has offered professional IT services for companies in Charlotte and across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security experts have earned internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience in accounting and ERP applications. This breadth of experience gives Progent the ability to efficiently understand critical systems and organize the remaining parts of your IT system after a ransomware attack and rebuild them into an operational system.

Progent's security group utilizes state-of-the-art project management applications to orchestrate the sophisticated recovery process. Progent understands the urgency of acting swiftly and together with a client's management and Information Technology resources to prioritize tasks and to get key systems back online as fast as possible.

Client Story: A Successful Ransomware Virus Restoration
A customer engaged Progent after their organization was attacked by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government sponsored criminal gangs, suspected of using technology leaked from the United States NSA organization. Ryuk seeks specific businesses with little room for disruption and is among the most profitable versions of ransomware. Major organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business located in Chicago with about 500 employees. The Ryuk intrusion had paralyzed all essential operations and manufacturing processes. Most of the client's system backups had been directly accessible at the time of the attack and were encrypted. The client was pursuing financing for paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately reached out to Progent.


"I cannot thank you enough about the support Progent provided us throughout the most critical time of (our) company's survival. We may have had to pay the Hackers if not for the confidence the Progent group provided us. That you could get our messaging and production servers back sooner than one week was something I thought impossible. Every single staff member I worked with or messaged at Progent was absolutely committed on getting my company operational and was working 24/7 on our behalf."

Progent worked hand in hand the client to quickly understand and prioritize the most important elements that had to be restored in order to resume company functions:

  • Microsoft Active Directory
  • Electronic Mail
  • MRP System
To start, Progent followed Anti-virus incident response best practices by stopping lateral movement and clearing infected systems. Progent then initiated the steps of recovering Windows Active Directory, the foundation of enterprise networks built upon Microsoft technology. Microsoft Exchange Server messaging will not work without AD, and the businesses' financials and MRP system utilized Microsoft SQL, which depends on Active Directory for authentication to the database.

In less than 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then completed setup and hard drive recovery on critical applications. All Exchange data and configuration information were intact, which accelerated the restore of Exchange. Progent was able to assemble local OST files (Microsoft Outlook Off-Line Folder Files) on team PCs and laptops in order to recover mail messages. A recent off-line backup of the businesses financials/MRP systems made it possible to restore these required services back online. Although a large amount of work was left to recover fully from the Ryuk event, critical services were returned to operations rapidly:


"For the most part, the production line operation was never shut down and we made all customer sales."

During the next couple of weeks key milestones in the recovery project were achieved in tight cooperation between Progent team members and the customer:

  • Internal web applications were restored without losing any data.
  • The MailStore Server exceeding four million historical messages was brought online and accessible to users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory capabilities were completely functional.
  • A new Palo Alto 850 security appliance was deployed.
  • Most of the desktops and laptops were being used by staff.

"A lot of what happened that first week is nearly entirely a fog for me, but my team will not soon forget the countless hours all of you accomplished to help get our business back. I have entrusted Progent for at least 10 years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This time was a stunning achievement."

Conclusion
A probable enterprise-killing disaster was averted with results-oriented professionals, a broad array of technical expertise, and close collaboration. Although in hindsight the ransomware virus penetration detailed here should have been identified and prevented with modern cyber security systems and ISO/IEC 27001 best practices, user training, and properly executed security procedures for data protection and applying software patches, the reality remains that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware penetration, remember that Progent's roster of experts has proven experience in crypto-ransomware virus blocking, remediation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for allowing me to get rested after we got over the most critical parts. Everyone did an impressive job, and if anyone is in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Charlotte a range of online monitoring and security evaluation services to assist you to reduce the threat from crypto-ransomware. These services incorporate modern artificial intelligence technology to detect zero-day strains of ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based machine learning technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely get by legacy signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud resources and offers a unified platform to manage the complete threat lifecycle including protection, infiltration detection, containment, cleanup, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer security for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, device control, and web filtering through cutting-edge tools packaged within one agent managed from a unified control. Progent's security and virtualization consultants can assist you to plan and configure a ProSight ESP deployment that meets your company's specific needs and that allows you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that require urgent attention. Progent's consultants can also help you to install and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup technology companies to create ProSight Data Protection Services (DPS), a selection of subscription-based offerings that deliver backup-as-a-service. ProSight DPS products manage and monitor your backup operations and allow transparent backup and rapid recovery of vital files/folders, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss resulting from hardware breakdown, natural disasters, fire, malware like ransomware, human mistakes, ill-intentioned employees, or software glitches. Managed services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security vendors to deliver web-based control and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and keeps most threats from making it to your network firewall. This reduces your exposure to external threats and conserves network bandwidth and storage space. Email Guard's onsite gateway device provides a further level of inspection for incoming email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map, track, enhance and troubleshoot their connectivity hardware like routers, firewalls, and load balancers plus servers, endpoints and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that network maps are kept updated, captures and manages the configuration of almost all devices on your network, monitors performance, and generates alerts when issues are discovered. By automating complex management and troubleshooting processes, WAN Watch can knock hours off ordinary chores such as network mapping, expanding your network, finding devices that need critical updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management techniques to help keep your IT system running efficiently by tracking the health of critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT personnel and your Progent engineering consultant so all potential issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported immediately to a different hosting environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and safeguard data about your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSLs or warranties. By cleaning up and organizing your network documentation, you can save up to half of time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents required for managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require when you need it. Find out more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates next generation behavior analysis technology to defend endpoint devices as well as physical and virtual servers against new malware attacks like ransomware and file-less exploits, which routinely get by legacy signature-based AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and offers a single platform to manage the complete threat progression including filtering, detection, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Learn more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Support Desk managed services allow your IT staff to outsource Call Center services to Progent or divide responsibilities for Help Desk services seamlessly between your in-house network support resources and Progent's nationwide pool of IT service engineers and subject matter experts. Progent's Shared Help Desk Service provides a smooth supplement to your internal IT support organization. End user interaction with the Service Desk, delivery of support, escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the support database are cohesive regardless of whether incidents are taken care of by your in-house support group, by Progent, or both. Find out more about Progent's outsourced/shared Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide organizations of all sizes a versatile and cost-effective alternative for evaluating, validating, scheduling, implementing, and tracking updates to your ever-evolving information network. Besides maximizing the security and reliability of your computer environment, Progent's patch management services allow your IT team to focus on more strategic projects and tasks that derive the highest business value from your information network. Learn more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to defend against password theft by using two-factor authentication. Duo enables single-tap identity verification on Apple iOS, Android, and other personal devices. With Duo 2FA, when you log into a secured application and enter your password you are requested to confirm your identity via a unit that only you have and that uses a different ("out-of-band") network channel. A broad range of out-of-band devices can be used as this added means of ID validation including an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You may register several validation devices. For details about Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding family of in-depth reporting utilities created to integrate with the industry's top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues like spotty support follow-through or machines with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For 24x7 Charlotte Crypto Cleanup Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.