Crypto-Ransomware : Your Worst IT Disaster
Ransomware  Remediation ExpertsRansomware has become a too-frequent cyber pandemic that represents an existential threat for organizations poorly prepared for an assault. Versions of ransomware such as CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been replicating for a long time and still cause havoc. Recent versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus more unnamed viruses, not only do encryption of online information but also infect all accessible system backups. Information synchronized to off-site disaster recovery sites can also be ransomed. In a poorly designed system, it can make automatic restore operations useless and basically knocks the network back to square one.

Restoring programs and data after a crypto-ransomware outage becomes a race against the clock as the targeted organization tries its best to contain and cleanup the crypto-ransomware and to restore enterprise-critical activity. Because crypto-ransomware needs time to move laterally, penetrations are often launched on weekends and holidays, when successful attacks typically take longer to notice. This compounds the difficulty of quickly assembling and coordinating a qualified response team.

Progent has an assortment of support services for securing enterprises from ransomware events. These include team member education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security solutions with AI technology from SentinelOne to identify and suppress day-zero cyber threats automatically. Progent also provides the services of seasoned ransomware recovery engineers with the skills and perseverance to rebuild a breached system as quickly as possible.

Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, even paying the ransom demands in cryptocurrency does not provide any assurance that cyber criminals will respond with the needed keys to decipher all your data. Kaspersky Labs ascertained that seventeen percent of ransomware victims never restored their information even after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is greatly above the usual ransomware demands, which ZDNET determined to be in the range of $13,000. The fallback is to setup from scratch the key components of your IT environment. Without the availability of complete data backups, this requires a wide complement of IT skills, top notch project management, and the willingness to work non-stop until the task is finished.

For two decades, Progent has offered expert IT services for businesses in Lubbock and throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have been awarded advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have garnered internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise with accounting and ERP applications. This breadth of expertise gives Progent the skills to efficiently determine necessary systems and re-organize the surviving components of your network environment after a ransomware penetration and rebuild them into a functioning network.

Progent's recovery team uses state-of-the-art project management applications to orchestrate the complicated restoration process. Progent appreciates the urgency of acting rapidly and together with a customer's management and Information Technology resources to prioritize tasks and to put essential services back on-line as fast as possible.

Customer Case Study: A Successful Crypto-Ransomware Virus Recovery
A client engaged Progent after their organization was taken over by Ryuk ransomware. Ryuk is thought to have been deployed by Northern Korean government sponsored hackers, suspected of adopting technology leaked from the United States National Security Agency. Ryuk goes after specific companies with little or no tolerance for disruption and is one of the most profitable examples of ransomware malware. High publicized organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago and has around 500 workers. The Ryuk intrusion had disabled all business operations and manufacturing capabilities. Most of the client's information backups had been online at the start of the attack and were damaged. The client considered paying the ransom demand (exceeding $200K) and wishfully thinking for the best, but in the end utilized Progent.


"I cannot speak enough in regards to the help Progent provided us throughout the most stressful time of (our) businesses life. We most likely would have paid the Hackers if not for the confidence the Progent group provided us. That you could get our e-mail and critical servers back online quicker than one week was amazing. Every single staff member I spoke to or texted at Progent was amazingly focused on getting my company operational and was working 24 by 7 to bail us out."

Progent worked hand in hand the client to rapidly understand and assign priority to the most important applications that had to be recovered in order to restart departmental operations:

  • Active Directory
  • Exchange Server
  • MRP System
To start, Progent followed Anti-virus event mitigation industry best practices by stopping lateral movement and cleaning up infected systems. Progent then began the process of recovering Microsoft AD, the key technology of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange messaging will not operate without AD, and the client's MRP applications used SQL Server, which needs Active Directory services for access to the data.

In less than 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then performed reinstallations and hard drive recovery on mission critical servers. All Exchange ties and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to locate non-encrypted OST data files (Microsoft Outlook Off-Line Folder Files) on staff desktop computers in order to recover mail information. A not too old off-line backup of the businesses accounting software made them able to recover these essential applications back online for users. Although significant work was left to recover fully from the Ryuk attack, core systems were recovered rapidly:


"For the most part, the manufacturing operation was never shut down and we made all customer orders."

Throughout the next month key milestones in the recovery process were completed in close cooperation between Progent engineers and the customer:

  • Internal web applications were restored without losing any information.
  • The MailStore Server with over 4 million archived messages was spun up and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were 100 percent restored.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • 90% of the desktops and laptops were operational.

"A huge amount of what transpired that first week is nearly entirely a haze for me, but I will not forget the care each and every one of you put in to give us our company back. I've trusted Progent for the past 10 years, possibly more, and every time Progent has come through and delivered as promised. This event was a testament to your capabilities."

Conclusion
A probable business disaster was avoided by top-tier professionals, a wide range of subject matter expertise, and close collaboration. Although in hindsight the ransomware incident described here could have been disabled with advanced security solutions and ISO/IEC 27001 best practices, staff education, and well designed security procedures for information backup and keeping systems up to date with security patches, the fact is that government-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware attack, feel confident that Progent's roster of experts has a proven track record in ransomware virus defense, remediation, and data disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for making it so I could get some sleep after we got through the first week. Everyone did an amazing effort, and if any of your guys is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Lubbock a range of online monitoring and security evaluation services to assist you to minimize the threat from ransomware. These services incorporate modern AI technology to uncover zero-day variants of ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based analysis technology to guard physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which easily get by traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform to automate the entire malware attack lifecycle including protection, infiltration detection, containment, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for continuously monitoring and reacting to security threats from all vectors. ProSight ESP provides firewall protection, penetration alerts, endpoint management, and web filtering through leading-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can help you to plan and configure a ProSight ESP deployment that meets your company's unique requirements and that allows you achieve and demonstrate compliance with legal and industry data security regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent attention. Progent can also help you to set up and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with advanced backup/restore technology providers to produce ProSight Data Protection Services, a selection of subscription-based management offerings that provide backup-as-a-service. ProSight DPS services automate and monitor your backup operations and allow non-disruptive backup and rapid restoration of important files, apps, images, plus virtual machines. ProSight DPS lets you protect against data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks like ransomware, human error, ill-intentioned insiders, or software bugs. Managed services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can assist you to determine which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security vendors to provide web-based control and world-class security for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway device to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter serves as a preliminary barricade and keeps most threats from reaching your network firewall. This reduces your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a further layer of analysis for inbound email. For outgoing email, the onsite gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Exchange Server to track and safeguard internal email that stays inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to diagram, monitor, reconfigure and troubleshoot their connectivity hardware like routers, firewalls, and access points plus servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are kept current, copies and displays the configuration information of almost all devices on your network, tracks performance, and sends notices when issues are detected. By automating complex management and troubleshooting activities, WAN Watch can cut hours off ordinary chores such as network mapping, expanding your network, finding devices that require critical updates, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system running efficiently by checking the health of critical assets that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT staff and your assigned Progent consultant so any potential problems can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer owns the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be moved immediately to a different hardware environment without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and safeguard information related to your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSLs ,domains or warranties. By updating and managing your network documentation, you can save up to 50% of time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting edge behavior-based machine learning tools to defend endpoint devices and servers and VMs against new malware attacks like ransomware and file-less exploits, which easily escape legacy signature-matching anti-virus products. Progent ASM services safeguard on-premises and cloud-based resources and offers a single platform to manage the entire threat progression including protection, identification, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Desk: Support Desk Managed Services
    Progent's Support Center managed services enable your IT staff to offload Support Desk services to Progent or divide activity for support services transparently between your internal support group and Progent's nationwide pool of IT support engineers and subject matter experts. Progent's Shared Help Desk Service offers a seamless supplement to your internal network support team. Client access to the Service Desk, provision of support services, problem escalation, ticket generation and updates, performance metrics, and management of the service database are cohesive regardless of whether incidents are taken care of by your internal network support resources, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Call Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management provide businesses of all sizes a versatile and cost-effective solution for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your dynamic IT system. Besides optimizing the protection and reliability of your IT network, Progent's software/firmware update management services permit your in-house IT team to concentrate on line-of-business initiatives and activities that derive maximum business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication. Duo enables single-tap identity verification with iOS, Android, and other out-of-band devices. With 2FA, when you sign into a secured application and give your password you are asked to confirm your identity via a unit that only you have and that uses a different network channel. A wide selection of devices can be utilized for this second form of ID validation including a smartphone or watch, a hardware/software token, a landline phone, etc. You may designate multiple validation devices. To find out more about ProSight Duo identity validation services, refer to Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of real-time management reporting plug-ins designed to work with the leading ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-up or endpoints with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For 24x7x365 Lubbock Crypto-Ransomware Repair Services, contact Progent at 800-462-8800 or go to Contact Progent.