Crypto-Ransomware : Your Worst Information Technology Disaster
Ransomware  Remediation ConsultantsCrypto-Ransomware has become an escalating cyberplague that poses an existential danger for businesses vulnerable to an assault. Multiple generations of ransomware such as CrySIS, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for years and still inflict havoc. The latest variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as daily as yet unnamed malware, not only do encryption of on-line critical data but also infect any configured system backup. Files synched to the cloud can also be corrupted. In a vulnerable system, it can render any recovery hopeless and basically knocks the entire system back to square one.

Restoring programs and data after a crypto-ransomware attack becomes a sprint against time as the targeted organization tries its best to stop lateral movement and remove the crypto-ransomware and to restore mission-critical activity. Since ransomware takes time to replicate, penetrations are frequently sprung on weekends and holidays, when successful attacks may take longer to identify. This multiplies the difficulty of rapidly assembling and organizing a knowledgeable response team.

Progent makes available an assortment of support services for protecting businesses from crypto-ransomware attacks. Among these are team member training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation security appliances with machine learning capabilities from SentinelOne to identify and disable new cyber attacks quickly. Progent also offers the assistance of veteran ransomware recovery engineers with the track record and perseverance to re-deploy a compromised system as rapidly as possible.

Progent's Ransomware Recovery Support Services
Following a ransomware penetration, sending the ransom demands in cryptocurrency does not ensure that cyber hackers will provide the needed codes to decrypt any or all of your information. Kaspersky Labs ascertained that seventeen percent of ransomware victims never restored their files after having sent off the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the typical ransomware demands, which ZDNET estimates to be approximately $13,000. The fallback is to re-install the key parts of your Information Technology environment. Without the availability of complete system backups, this calls for a broad complement of IT skills, top notch project management, and the willingness to work continuously until the job is complete.

For twenty years, Progent has provided certified expert IT services for businesses in Charlotte and across the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have attained high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have garnered internationally-renowned certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with financial systems and ERP application software. This breadth of expertise gives Progent the capability to knowledgably identify necessary systems and re-organize the surviving parts of your network environment following a crypto-ransomware event and configure them into an operational system.

Progent's security team utilizes powerful project management tools to coordinate the complex recovery process. Progent understands the importance of working swiftly and together with a client's management and IT resources to prioritize tasks and to put essential services back on line as fast as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Virus Restoration
A client escalated to Progent after their network system was crashed by Ryuk ransomware virus. Ryuk is believed to have been created by Northern Korean state sponsored hackers, possibly using technology leaked from the U.S. National Security Agency. Ryuk attacks specific businesses with little or no ability to sustain disruption and is among the most lucrative instances of ransomware. Well Known organizations include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company located in Chicago and has about 500 staff members. The Ryuk penetration had paralyzed all company operations and manufacturing capabilities. Most of the client's data backups had been on-line at the time of the attack and were eventually encrypted. The client was actively seeking loans for paying the ransom demand (in excess of two hundred thousand dollars) and hoping for good luck, but ultimately made the decision to use Progent.


"I can't speak enough about the help Progent gave us throughout the most stressful time of (our) businesses survival. We may have had to pay the cybercriminals except for the confidence the Progent experts provided us. The fact that you could get our e-mail and key servers back online quicker than five days was earth shattering. Every single consultant I spoke to or messaged at Progent was hell bent on getting us restored and was working day and night to bail us out."

Progent worked hand in hand the client to quickly understand and prioritize the key areas that needed to be addressed to make it possible to resume business operations:

  • Active Directory
  • Electronic Messaging
  • Financials/MRP
To get going, Progent adhered to ransomware incident mitigation industry best practices by halting the spread and cleaning up infected systems. Progent then began the work of bringing back online Microsoft Active Directory, the key technology of enterprise networks built upon Microsoft Windows technology. Exchange email will not operate without Active Directory, and the customer's financials and MRP software leveraged SQL Server, which depends on Active Directory for security authorization to the data.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then charged ahead with reinstallations and hard drive recovery of the most important systems. All Exchange Server ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to collect local OST data files (Microsoft Outlook Offline Data Files) on staff workstations and laptops to recover email messages. A not too old offline backup of the customer's financials/ERP software made them able to restore these vital services back online. Although a large amount of work remained to recover completely from the Ryuk attack, core services were restored rapidly:


"For the most part, the production manufacturing operation was never shut down and we did not miss any customer shipments."

Over the following few weeks important milestones in the recovery process were completed in tight cooperation between Progent team members and the customer:

  • Self-hosted web applications were brought back up with no loss of data.
  • The MailStore Exchange Server containing more than four million historical emails was restored to operations and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory capabilities were 100% functional.
  • A new Palo Alto 850 firewall was set up.
  • Ninety percent of the user workstations were functioning as before the incident.

"A lot of what occurred those first few days is nearly entirely a haze for me, but my team will not forget the countless hours all of your team put in to help get our business back. I've entrusted Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered. This event was a Herculean accomplishment."

Conclusion
A potential company-ending catastrophe was avoided with dedicated experts, a broad range of knowledge, and tight collaboration. Although in analyzing the event afterwards the ransomware virus attack described here would have been identified and disabled with up-to-date cyber security technology solutions and security best practices, user education, and properly executed incident response procedures for data protection and applying software patches, the reality is that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's roster of experts has proven experience in ransomware virus blocking, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), thanks very much for making it so I could get rested after we got past the most critical parts. Everyone did an impressive effort, and if any of your guys is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Charlotte a portfolio of remote monitoring and security assessment services to help you to minimize your vulnerability to ransomware. These services utilize modern AI technology to detect zero-day variants of crypto-ransomware that can escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior machine learning technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely get by traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a single platform to automate the complete threat lifecycle including blocking, infiltration detection, containment, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint control, and web filtering via leading-edge technologies packaged within a single agent accessible from a single control. Progent's data protection and virtualization experts can assist your business to plan and implement a ProSight ESP environment that meets your company's specific needs and that helps you prove compliance with government and industry data security standards. Progent will assist you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require immediate action. Progent can also assist your company to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with leading backup software providers to create ProSight Data Protection Services, a selection of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup processes and allow non-disruptive backup and fast restoration of critical files, apps, system images, and virtual machines. ProSight DPS helps you protect against data loss resulting from hardware failures, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned insiders, or software glitches. Managed backup services available in the ProSight DPS product family include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security vendors to provide centralized control and world-class security for all your email traffic. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based malware. The Cloud Protection Layer acts as a first line of defense and blocks the vast majority of unwanted email from making it to your security perimeter. This reduces your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway appliance provides a further level of analysis for inbound email. For outgoing email, the local security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Exchange Server to track and safeguard internal email traffic that stays within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map, track, optimize and debug their connectivity appliances like switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and displays the configuration of almost all devices on your network, tracks performance, and sends notices when issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, locating appliances that need critical software patches, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progentís server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by checking the health of critical assets that power your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT personnel and your assigned Progent engineering consultant so that all potential issues can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS software, and the apps. Because the system is virtualized, it can be ported easily to a different hosting solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard data related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSLs or warranties. By updating and organizing your IT infrastructure documentation, you can save up to half of time wasted searching for critical information about your IT network. ProSight IT Asset Management features a common repository for holding and sharing all documents related to managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether youíre making enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates next generation behavior machine learning technology to defend endpoints and servers and VMs against modern malware attacks such as ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus products. Progent Active Security Monitoring services protect on-premises and cloud resources and offers a single platform to manage the entire threat progression including blocking, identification, mitigation, cleanup, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
    Progent's Call Center services enable your IT group to offload Call Center services to Progent or divide activity for Help Desk services seamlessly between your internal network support staff and Progent's nationwide pool of IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a smooth extension of your in-house IT support organization. Client interaction with the Service Desk, delivery of support services, problem escalation, ticket generation and updates, performance measurement, and maintenance of the support database are cohesive regardless of whether issues are resolved by your core network support resources, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management offer organizations of any size a flexible and affordable alternative for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information system. In addition to maximizing the security and functionality of your computer network, Progent's patch management services free up time for your IT team to concentrate on more strategic projects and tasks that derive the highest business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication managed services utilize Cisco's Duo technology to protect against stolen passwords through the use of two-factor authentication. Duo enables single-tap identity verification with Apple iOS, Android, and other out-of-band devices. With 2FA, when you sign into a secured online account and enter your password you are asked to verify your identity via a unit that only you have and that uses a separate network channel. A broad selection of out-of-band devices can be utilized for this second form of authentication such as an iPhone or Android or watch, a hardware token, a landline phone, etc. You can register several verification devices. To learn more about Duo identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.
For Charlotte 24-7 Crypto-Ransomware Remediation Services, reach out to Progent at 800-462-8800 or go to Contact Progent.