Crypto-Ransomware: Your Crippling IT Nightmare

Ransomware Remediation Experts
Ransomware has become a modern cyberplague that poses an extinction-level threat for businesses of all sizes vulnerable to an assault. Different versions of crypto-ransomware such as CrySIS, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been around for many years and continue to cause harm. The latest versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Egregor, as well as frequent unnamed variants, not only encrypt online data files but also infiltrate many configured system restore points and backups. Data synced to cloud environments can also be ransomed. In a poorly architected environment, this can render automated recovery hopeless and effectively set the network back to square one.

Retrieving programs and data following a crypto-ransomware event becomes a race against time as the targeted organization tries its best to contain and clear the malware and to resume mission-critical activity. Because crypto-ransomware needs time to spread, penetrations are frequently sprung at night, when attacks tend to take longer to discover. This multiplies the difficulty of rapidly mobilizing and coordinating an experienced response team.

Progent offers a range of services for protecting enterprises from crypto-ransomware penetrations. Among these are team training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with installation of the latest generation security solutions with AI technology from SentinelOne to discover and disable zero-day threats rapidly. Progent also offers the services of veteran ransomware recovery engineers with the talent and commitment to restore a compromised environment as soon as possible.

Progent's Crypto-Ransomware Recovery Help
After a ransomware penetration, paying the ransom in cryptocurrency does not provide any assurance that merciless criminals will return the keys needed to decrypt any or all of your files. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their files after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual crypto-ransomware demand, which ZDNET determined to be in the range of $13,000. The fallback is to re-install the key elements of your Information Technology environment. Absent complete system backups, this requires a wide complement of skill sets, well-coordinated project management, and the capability to work 24x7 until the recovery project is completed.

For two decades, Progent has provided certified expert IT services for businesses in Lubbock and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have garnered internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of experience affords Progent the capability to rapidly identify important systems and consolidate the remaining parts of your Information Technology system following a ransomware attack and assemble them into an operational system.

Progent's ransomware team uses top notch project management tools to coordinate the complicated recovery process. Progent understands the importance of working quickly and in unison with a client's management and Information Technology staff to prioritize tasks and to put essential applications back online as soon as possible.

Case Study: A Successful Crypto-Ransomware Incident Response
A customer hired Progent after their network was penetrated by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored criminal gangs, possibly adopting approaches leaked from the United States National Security Agency. Ryuk targets specific businesses with little ability to sustain operational disruption and is one of the most lucrative iterations of ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company based in the Chicago metro area with about 500 staff members. The Ryuk event had shut down all essential operations and manufacturing capabilities. Most of the client's data backups had been directly accessible from the network at the start of the intrusion and were eventually encrypted. The client was preparing to pay the ransom demand (in excess of $200,000) and hoping for the best, but ultimately engaged Progent.

"I can't say enough about the help Progent gave us throughout the most fearful time of (our) business's existence. We would have paid the cyber criminals if not for the confidence the Progent team gave us. That you were able to get our e-mail system and essential servers back into operation sooner than seven days was beyond my wildest dreams. Every single expert I talked with or communicated with at Progent was totally committed to getting us back online and was working 24/7 to bail us out."

Progent worked together with the customer to quickly understand and assign priority to the critical areas that needed to be addressed to make it possible to resume departmental operations:

  • Microsoft Active Directory
  • Email
  • Accounting and Manufacturing Software

To begin, Progent followed ransomware incident mitigation best practices by isolating and disinfecting systems. Progent then started the task of restoring Microsoft AD, the foundation of enterprise environments built upon Microsoft technology. Microsoft Exchange Server email will not work without Windows AD, and the client's financials and MRP system leveraged SQL Server, which needs Windows AD for access to the databases.

In less than 48 hours, Progent was able to restore Active Directory to its pre-infection state. Progent then completed reinstallations and hard drive recovery on key servers. All Microsoft Exchange Server ties and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to locate intact OST data files (Microsoft Outlook Off-Line Data Files) on various workstations and laptops to recover email information. A recent off-line backup of the business's accounting systems made it possible to bring these vital services back online for users. Although major work remained to recover fully from the Ryuk event, critical services were recovered rapidly:

"For the most part, the production operation showed little impact and we did not miss any customer orders."

Over the following month important milestones in the recovery process were accomplished through tight cooperation between Progent consultants and the customer:

  • Self-hosted web applications were brought back up with no loss of information.
  • The MailStore Exchange Server containing more than four million archived emails was brought on-line and available for users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were 100% recovered.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Nearly all of the desktops and laptops were back into operation.

"Much of what occurred in the initial days is nearly entirely a fog for me, but I will not forget the urgency each and every one of you accomplished to help get our business back. I have utilized Progent for the past 10 years, possibly more, and every time Progent has impressed me and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A likely business-ending disaster was avoided with dedicated experts, a broad spectrum of subject matter expertise, and close teamwork. In retrospect, the ransomware penetration detailed here would have been stopped by up-to-date cyber security systems and NIST Cybersecurity Framework best practices, team training, well thought out incident response procedures for information protection, and proper patching controls. The fact remains, however, that government-sponsored hackers from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's team of experts has extensive experience in ransomware blocking, mitigation, and information systems restoration.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thank you for making it so I could get rested after we made it through the most critical parts. All of you did an amazing effort, and if any of you guys are around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Lubbock a portfolio of remote monitoring and security assessment services designed to help you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation artificial intelligence technology to uncover new variants of ransomware that are able to evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's cutting-edge behavior-based analysis technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which easily evade traditional signature-based AV tools. ProSight ASM protects local and cloud resources and provides a single platform to address the complete malware attack progression including filtering, infiltration detection, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to security assaults from all vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint management, and web filtering via leading-edge tools packaged within a single agent managed from a unified console. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP environment that meets your company's unique requirements and that helps you achieve and demonstrate compliance with government and industry data protection regulations. Progent will assist you in defining and implementing the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent can also assist your company to set up and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software companies to create ProSight Data Protection Services, a selection of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup operations and allow non-disruptive backup and rapid restoration of vital files/folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss caused by equipment breakdown, natural calamities, fire, malware like ransomware, user mistakes, ill-intentioned insiders, or application bugs. Managed services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security companies to provide web-based management and comprehensive security for your inbound and outbound email. The powerful architecture of Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter serves as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This decreases your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper level of analysis for inbound email. For outgoing email, the local security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map out, monitor, reconfigure and debug their networking appliances such as routers, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are always updated, captures and manages the configuration information of almost all devices on your network, tracks performance, and sends notices when problems are discovered. By automating tedious network management processes, ProSight WAN Watch can knock hours off common chores such as network mapping, expanding your network, finding appliances that require important software patches, or resolving performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) technology to help keep your network running at peak levels by checking the state of vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your specified IT personnel and your Progent engineering consultant so any looming issues can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be ported immediately to an alternate hosting environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard information related to your IT infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can eliminate as much as half of the time wasted looking for vital information about your network. ProSight IT Asset Management features a common repository for holding and sharing all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're making improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that utilizes next generation behavior-based analysis technology to defend endpoint devices and physical and virtual servers against new malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus tools. Progent ASM services safeguard on-premises and cloud-based resources and offer a unified platform to manage the entire threat progression including protection, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Center: Help Desk Managed Services
    Progent's Call Center services permit your IT team to outsource Support Desk services to Progent or split activity for support services transparently between your internal network support staff and Progent's extensive pool of IT support technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a seamless supplement to your corporate support resources. End user access to the Help Desk, delivery of technical assistance, problem escalation, ticket generation and tracking, performance measurement, and management of the service database are cohesive whether incidents are resolved by your internal support group, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management offer organizations of all sizes a flexible and cost-effective alternative for assessing, testing, scheduling, applying, and documenting updates to your ever-evolving information network. In addition to optimizing the security and functionality of your computer environment, Progent's patch management services allow your IT staff to concentrate on line-of-business initiatives and activities that deliver the highest business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against stolen passwords through the use of two-factor authentication. Duo supports one-tap identity verification with Apple iOS, Android, and other personal devices. With Duo 2FA, whenever you log into a secured application and enter your password you are asked to verify who you are via a device that only you possess and that is accessed using a different ("out-of-band") network channel. A wide range of devices can be used for this second form of ID validation, such as a smartphone or watch, a hardware/software token, or a landline telephone. You can designate multiple validation devices. For more information about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication services for access security.

For Lubbock 24x7 CryptoLocker Remediation Help, reach out to Progent at 800-462-8800 or go to Contact Progent.