Crypto-Ransomware : Your Feared IT Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that poses an enterprise-level danger to organizations unprepared for an attack. Older families such as Dharma, Fusob, Locky, NotPetya and MongoLock have been circulating for years and continue to cause harm. Newer families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, along with as yet unnamed variants that appear daily, not only encrypt online business-critical data but also encrypt or delete any backups reachable from the compromised network. Files synchronized to cloud storage are overwritten with their encrypted copies as well. In a poorly designed data protection solution this can make recovery hopeless and effectively sets the datacenter back to zero.
Restoring services and data after a ransomware attack becomes a race against time as the victim works to stop lateral movement, eradicate the ransomware, and bring business-critical operations back online. Because attackers need time to spread through a network before triggering encryption, attacks are often launched on weekends and holidays, when a successful intrusion typically takes longer to recognize. This compounds the difficulty of rapidly mobilizing and coordinating a capable response team.
Progent offers a variety of support services for protecting businesses from ransomware. These include staff education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of SentinelOne's next-generation endpoint protection, which uses behavior-based machine learning to identify and contain new attacks automatically. Progent also offers the assistance of veteran ransomware recovery engineers with the skills and commitment to restore a breached network as rapidly as possible.
Progent's Ransomware Recovery Support Services
Paying the ransom in Bitcoin after an attack provides no assurance that the attackers will deliver working keys to decrypt all your data. Kaspersky estimated that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the key components of your IT environment. Without complete, intact backups, this calls for a broad complement of skills, well-coordinated project management, and the capacity to work around the clock until the job is finished.
For two decades, Progent has offered expert IT services to businesses in Charlotte and throughout the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold high-level certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in accounting and ERP software. This breadth of experience lets Progent rapidly identify critical systems, triage what remains of your environment after a ransomware attack, and rebuild it into a working whole.
Progent's ransomware team utilizes top notch project management tools to orchestrate the complicated restoration process. Progent understands the importance of acting rapidly and in concert with a customer's management and Information Technology resources to assign priority to tasks and to put essential services back online as fast as humanly possible.
Business Case Study: A Successful Ransomware Incident Recovery
A client hired Progent after their network was brought down by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the Hermes ransomware; later analysis attributes it to the Russian-speaking criminal group tracked as Wizard Spider, which typically gains access through Emotet and TrickBot infections (TrickBot's lateral-movement modules build on the leaked NSA EternalBlue exploit). Ryuk targets specific businesses with little or no tolerance for disruption and is among the most lucrative ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business located in Chicago with about 500 staff members. The Ryuk attack had brought down all essential business and manufacturing systems. Most of the client's backups had been online at the start of the intrusion and were destroyed. The client considered paying the ransom demand (more than $200K) and hoping for the best, but ultimately decided to engage Progent.
"I cannot say enough about the expertise Progent provided us throughout the most critical period of (our) business's survival. We would have had little choice but to pay the cyber criminals if it weren't for the confidence the Progent group gave us. That you were able to get our messaging and critical servers back online in less than a week was beyond my wildest dreams. Every single staff member I interacted with or texted at Progent was amazingly focused on getting my company operational and was working day and night on our behalf."
Progent worked with the client to rapidly identify and prioritize the key elements that had to be recovered in order to restart business operations:
- Windows Active Directory
- Electronic Messaging
- Accounting and Manufacturing Software
To begin, Progent followed incident response best practices by isolating infected hosts and removing the active malware. Progent then started restoring Microsoft Active Directory, the foundation of networks built on Windows Server. Exchange messaging will not run without AD, and the client's MRP software ran on Microsoft SQL Server, which relied on AD to authenticate access to the database.
Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then helped reinstall the required applications and recover their storage. All Exchange data and configuration information were usable, which accelerated the Exchange restore. Progent was also able to collect intact OST files (Microsoft Outlook Offline Folder Files) from various desktop computers to recover email. A reasonably recent offline backup of the customer's financials/ERP systems made it possible to bring these essential applications back to users. Although a large amount of work remained to recover fully from the Ryuk attack, essential systems were restored quickly:
"For the most part, the production operation never missed a beat and we delivered all customer shipments."
Over the following weeks, critical milestones in the restoration project were completed through close cooperation between Progent's team and the client:
- Self-hosted web sites were brought back up with no loss of information.
- The MailStore Server archive, holding more than four million historical messages, was brought online and made accessible to users.
- CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were fully recovered.
- A new Palo Alto Networks 850 security appliance was installed.
- Ninety percent of the user desktops and notebooks were operational.
"A huge amount of what was accomplished that first week is mostly a haze for me, but we will not soon forget the dedication each member of your team showed to give us our business back. I have been working with Progent for the past 10 years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This event was a life saver."
A potentially enterprise-killing disaster was averted through dedicated experts, a wide array of technical expertise, and close teamwork. In hindsight, the ransomware intrusion described here would likely have been detected and stopped by modern security tooling and recognized best practices: staff training, well-designed backup and incident response procedures, and keeping systems current with security patches. The reality, however, is that well-resourced criminal and state-sponsored groups from Russia, China and elsewhere are relentless and remain an ongoing threat. If you are hit by ransomware, you can be confident that Progent's team has a proven track record in ransomware defense, cleanup, and data restoration.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), thanks very much for allowing me to get some sleep after we got past the initial fire. Everyone made a fabulous effort, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Charlotte a range of online monitoring and security assessment services to help you reduce the threat from crypto-ransomware. These services use behavior-based and machine-learning detection to identify new strains of ransomware that evade traditional signature-based anti-virus products.
For Charlotte 24-7 Crypto-Ransomware Remediation Services, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses SentinelOne's behavior-based machine learning technology to guard physical and virtual endpoints against modern threats such as ransomware and phishing-delivered malware, which evade legacy signature-matching AV products. ProSight ASM protects on-premises and cloud resources and offers a unified platform to manage the entire threat lifecycle including protection, detection, containment, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Note that families such as Ryuk delete shadow copies before encrypting, so rollback depends on the agent protecting VSS snapshots rather than on unprotected default snapshots. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.
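To make the behavior-based approach concrete, here is an added example (not Progent's or SentinelOne's code) of two simple behavioral indicators run over constructed endpoint telemetry: a process that wipes Volume Shadow Copies (the command Ryuk runs before encrypting), and a burst of file renames to a single new extension by one process within a short window. Each alert is tagged with whether it fired on a weekend or outside business hours, the window attackers favor as noted earlier on this page. The event line format, host names, process names, file paths and thresholds are all assumptions constructed for the example.

```python
"""Behavior-based ransomware indicators over constructed endpoint telemetry.

Added example for this page; not Progent's or SentinelOne's code.
Event line format (constructed): "<iso-timestamp>|<kind>|<host>|<process>|<detail>"
  kind "proc"   -> detail is the command line of a newly created process
  kind "rename" -> detail is "<old path> -> <new path>"
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ryuk and similar families destroy Volume Shadow Copies before encrypting
# (Ryuk runs "vssadmin Delete Shadows /all /quiet"); this is what defeats
# naive VSS-based rollback. Matching is done on lower-cased command lines.
SHADOW_WIPE_MARKERS = (
    "vssadmin delete shadows",
    "wmic shadowcopy delete",
    "wbadmin delete catalog",
    "bcdedit /set {default} recoveryenabled no",
)

RENAME_BURST_COUNT = 20                      # renames to one new extension ...
RENAME_BURST_WINDOW = timedelta(seconds=30)  # ... within this window, by one process
BUSINESS_HOURS = range(7, 19)                # 07:00-18:59, Monday to Friday (assumed)


def parse_event(line):
    ts, kind, host, proc, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "host": host, "proc": proc, "detail": detail}


def off_hours(ts):
    """True on weekends or outside business hours, when response is slowest."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def extension(path):
    """Last extension of a Windows or POSIX path, lower-cased ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines):
    """Return a list of alert dicts for the shadow-wipe and rename-burst rules."""
    alerts = []
    recent = defaultdict(list)  # (host, proc, new_ext) -> rename timestamps in window
    fired = set()               # keys that already produced a rename_burst alert
    for line in lines:
        ev = parse_event(line)
        ts = ev["ts"]
        if ev["kind"] == "proc":
            cmd = ev["detail"].lower()
            if any(marker in cmd for marker in SHADOW_WIPE_MARKERS):
                alerts.append({"rule": "shadow_copy_wipe", "host": ev["host"],
                               "proc": ev["proc"], "ts": ts,
                               "off_hours": off_hours(ts)})
        elif ev["kind"] == "rename":
            old_path, new_path = ev["detail"].split(" -> ", 1)
            old_ext, new_ext = extension(old_path), extension(new_path)
            if old_ext == new_ext:
                continue  # ordinary save or rename, extension unchanged
            key = (ev["host"], ev["proc"], new_ext)
            window = [t for t in recent[key] if ts - t <= RENAME_BURST_WINDOW]
            window.append(ts)
            recent[key] = window
            if len(window) >= RENAME_BURST_COUNT and key not in fired:
                fired.add(key)
                alerts.append({"rule": "rename_burst", "host": ev["host"],
                               "proc": ev["proc"], "new_ext": new_ext,
                               "count": len(window), "ts": ts,
                               "off_hours": off_hours(ts)})
    return alerts


def constructed_events():
    """Constructed sample telemetry: benign weekday activity, then a Saturday
    02:14 shadow-copy wipe followed by a burst of renames to '.locked'."""
    lines = [
        "2020-06-05T10:02:00|rename|WS-17|winword.exe|C:\\Users\\a\\report.tmp -> C:\\Users\\a\\report.docx",
        "2020-06-05T10:05:00|proc|WS-17|cmd.exe|vssadmin list shadows",
    ]
    start = datetime(2020, 6, 6, 2, 14, 0)  # Saturday 02:14
    lines.append(f"{start.isoformat()}|proc|WS-17|cmd.exe|vssadmin Delete Shadows /all /quiet")
    for i in range(25):
        t = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{t}|rename|WS-17|crypt.exe|D:\\share\\f{i}.docx -> D:\\share\\f{i}.docx.locked")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

Against the constructed events the shadow-copy wipe fires immediately, and the rename rule fires on the 20th rename within the 30-second window and then stays quiet for that host/process/extension so a single encryption run does not flood the queue. The benign weekday rename (.tmp to .docx) and the read-only "vssadmin list shadows" produce nothing, which is the point of thresholding on bursts and on destructive commands rather than on any mention of vssadmin.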
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies packaged within one agent accessible from a single console. Progent's data protection and virtualization consultants can help you design and implement a ProSight ESP environment that meets your organization's unique needs and that allows you to achieve and demonstrate compliance with government and industry data security standards. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent can also help your company install and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore software providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS services manage and monitor your backup operations and allow non-disruptive backup and fast restoration of critical files, apps, images, plus virtual machines. ProSight DPS lets you protect against data loss caused by hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned employees, or software bugs. Managed backup services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these managed backup services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top information security companies to provide web-based control and world-class protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard combines a Cloud Protection Layer with a local security gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of threats from reaching your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway device adds a deeper layer of inspection for inbound email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and safeguard internal email that originates and ends inside your corporate firewall. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, monitor, optimize and troubleshoot their networking hardware such as routers, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are always updated, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are detected. By automating complex network management activities, ProSight WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, finding appliances that need important software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running efficiently by checking the health of critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so all potential problems can be resolved before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hosting environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard information related to your network infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of the time spent searching for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your business network, such as standard operating procedures (SOPs) and how-to guides. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're making enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that uses behavior-based analysis to defend endpoints, servers and VMs against new malware such as ransomware and fileless attacks, which evade legacy signature-matching anti-virus tools. The service protects on-premises and cloud-based resources and offers a single platform to manage the entire threat lifecycle including protection, detection, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Call Desk: Help Desk Managed Services
Progent's Help Desk managed services allow your IT group to outsource Call Center services to Progent or divide responsibilities for support services seamlessly between your in-house network support staff and Progent's nationwide roster of certified IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a seamless extension of your core network support organization. User interaction with the Service Desk, provision of support, issue escalation, ticket creation and updates, efficiency measurement, and management of the service database are cohesive whether incidents are taken care of by your internal support staff, by Progent's team, or by a combination. Read more about Progent's outsourced/co-managed Help Center services.
- Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management offer businesses of all sizes a flexible and affordable solution for assessing, validating, scheduling, applying, and documenting updates to your dynamic IT system. Besides maximizing the security and functionality of your computer environment, Progent's software/firmware update management services free up time for your in-house IT team to concentrate on more strategic projects and tasks that deliver the highest business value from your network. Read more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo MFA services use Cisco's Duo cloud technology to defend against password theft through two-factor authentication (2FA). Duo enables single-tap identity verification on Apple iOS, Android, and other out-of-band devices. With 2FA, when you sign into a protected online account and enter your password, you are asked to confirm your identity with a device that only you possess and that is reached over a separate network channel, so a stolen password alone is not enough to log in. A broad range of devices can serve as this second factor, including an iPhone, Android phone or wearable, a hardware token, or a landline phone. You may register multiple verification devices. For more information about Duo identity authentication services, visit Duo MFA two-factor authentication (2FA) services.