Crypto-Ransomware: Your Feared IT Disaster
Crypto-ransomware has become a modern cyber pandemic and represents an extinction-level threat for businesses vulnerable to an attack. Multiple generations of ransomware such as the Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been circulating for a long time and still inflict damage. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, along with malware that has yet to be named, not only encrypt online data but also attack whatever system protection mechanisms they can reach. Data synchronized to the cloud can be corrupted as well. With a vulnerable data protection solution, this can render automatic restore operations useless and effectively knock the network back to square one.

Bringing applications and data back online after a ransomware event becomes a race against time as the targeted business tries to contain the damage, clear the ransomware, and resume mission-critical operations. Because crypto-ransomware takes time to move laterally, attacks are often sprung on weekends and holidays, when a successful intrusion is likely to go undetected for longer. This multiplies the difficulty of rapidly marshalling and coordinating an experienced mitigation team.

Progent offers a variety of services for securing enterprises against crypto-ransomware attacks. Among these are user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security solutions with machine learning technology from SentinelOne to detect and suppress zero-day threats quickly. Progent also provides the services of veteran crypto-ransomware recovery professionals with the skills and perseverance to restore a breached environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
Following a ransomware attack, paying the ransom demand in cryptocurrency does not ensure that the criminal gang will return the keys needed to decrypt all your files. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their data after paying the ransom, compounding their losses. The ransom itself is also costly: Ryuk ransoms are commonly a few hundred thousand dollars, and for larger organizations the demand can reach millions of dollars. The fallback is to rebuild the critical parts of your IT environment from scratch. Without full data backups, this calls for a wide complement of skills, professional project management, and the ability to work continuously until the job is complete.

For two decades, Progent has provided expert Information Technology services for businesses throughout the U.S. and has achieved Microsoft Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent also has experience in financial systems and ERP applications. This breadth of expertise gives Progent the ability to quickly identify critical systems, consolidate the remaining components of your network after a ransomware attack, and assemble them into a functioning system.

Progent's recovery team uses state-of-the-art project management systems to coordinate the complex restoration process. Progent understands the urgency of acting swiftly and of working together with a client's management and Information Technology resources to prioritize tasks and get the most important services back online as soon as possible.

Business Case Study: A Successful Ransomware Incident Response
A small business escalated to Progent after their company was taken over by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored criminal gangs, suspected of adopting techniques leaked from the U.S. NSA. Ryuk targets specific businesses with limited tolerance for operational disruption and is one of the most lucrative ransomware variants. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area with about 500 workers. The Ryuk event had paralyzed all business operations and manufacturing processes. Most of the client's data backups had been online at the time of the intrusion and were eventually encrypted. The client was pursuing financing to pay the ransom (exceeding $200,000) and hoping for the best, but in the end called Progent.


"I can't thank you enough in regards to the help Progent gave us during the most fearful period of (our) company's existence. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent team gave us. The fact that you were able to get our e-mail system and critical applications back on-line in less than one week was incredible. Every single consultant I got help from or messaged at Progent was absolutely committed to getting us operational and was working at all hours on our behalf."

Progent worked hand in hand with the customer to quickly identify and prioritize the critical applications that had to be restored before departmental operations could restart:

  • Active Directory
  • Exchange Server
  • MRP System

To begin, Progent followed ransomware incident response best practices by isolating and disinfecting systems. Progent then began recovering Active Directory, the core technology of enterprise networks built on Microsoft products. Exchange messaging will not work without Active Directory, and the business's MRP system ran on SQL Server, which relies on Active Directory for authorization to the database.

Within 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then carried out setup and disk recovery on mission-critical systems. All Exchange Server data and configuration information were usable, which made the Exchange rebuild straightforward. Progent was also able to collect local OST files (Microsoft Outlook Offline Folder Files) from staff desktop computers in order to recover mail data. A relatively recent offline backup of the business's accounting/ERP systems made it possible to bring these vital services back online. Although a lot of work remained before the Ryuk event was fully recovered from, critical services were restored rapidly:


"For the most part, the production line operation did not miss a beat and we made all customer sales."

During the following few weeks critical milestones in the recovery project were completed through close cooperation between Progent engineers and the client:

  • Self-hosted web applications were brought back up with no loss of information.
  • The MailStore Microsoft Exchange Server with over four million historical emails was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory capabilities were completely functional.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Ninety percent of the user desktops and notebooks were back in operation.

"Much of what was accomplished that first week is mostly a fog for me, but we will not forget the countless hours each of the team put in to give us our business back. I've been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered. This time was a testament to your capabilities."

Conclusion
A probable company-ending catastrophe was averted through top-tier professionals, a broad spectrum of technical expertise, and tight teamwork. In hindsight, the crypto-ransomware attack described here would have been identified and blocked by current cyber security technology and security best practices, user and IT administrator training, and appropriate procedures for data protection and for keeping systems up to date with security patches. The reality, however, is that government-sponsored cybercriminals from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to crypto-ransomware, remember that Progent's team of experts has a proven track record in ransomware defense, remediation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for letting me get some sleep after we made it through the most critical parts. Everyone did an incredible effort, and if any of your team is in the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Lower Manhattan a range of online monitoring and security assessment services to help you minimize your exposure to crypto-ransomware. These services use next-generation artificial intelligence capabilities to detect zero-day variants of crypto-ransomware that are able to get past traditional signature-based security solutions.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management technology to help keep your IT system running at peak levels by tracking the health of critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your specified IT management personnel and your assigned Progent consultant so any looming problems can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Workstations
    ProSight LAN Watch with NinjaOne RMM software delivers a centralized, cloud-driven solution for managing your network, server, and desktop devices by offering tools for performing common time-consuming jobs. These include health monitoring, patch management, automated remediation, endpoint configuration, backup and restore, A/V response, remote access, standard and custom scripts, asset inventory, endpoint status reports, and debugging help. If ProSight LAN Watch with NinjaOne RMM spots a serious problem, it transmits an alarm to your specified IT personnel and your Progent technical consultant so that emerging issues can be taken care of before they interfere with productivity. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to map out, monitor, optimize and troubleshoot their connectivity appliances such as switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are always current, copies and manages the configuration of virtually all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating tedious management processes, ProSight WAN Watch can knock hours off common tasks such as network mapping, expanding your network, locating devices that require important software patches, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch infrastructure management services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of real-time and in-depth reporting tools designed to work with the top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup software providers to produce ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup operations and allow transparent backup and rapid restoration of important files/folders, apps, images, and virtual machines. ProSight DPS helps you recover from data loss caused by equipment failures, natural calamities, fire, malware such as ransomware, user error, malicious employees, or application bugs. Managed backup services available in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to deliver centralized management and world-class protection for your email traffic. The powerful structure of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway appliance to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway device adds a further level of analysis for incoming email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication service plans use Cisco's Duo technology to protect against stolen passwords by requiring two-factor authentication. Duo enables single-tap identity verification with iOS, Google Android, and other out-of-band devices. With 2FA, whenever you log into a secured application and give your password, you are asked to verify who you are via a device that only you possess and that uses a separate network channel. A broad selection of devices can be used for this added means of authentication, such as an iPhone, Android phone or wearable, a hardware token, a landline telephone, etc. You may register multiple verification devices. To learn more about ProSight Duo identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services.

  • Progent's Outsourced/Shared Service Desk: Help Desk Managed Services
    Progent's Help Desk services permit your information technology group to offload Help Desk services to Progent or divide activity for Help Desk services transparently between your in-house support group and Progent's extensive roster of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a smooth extension of your internal network support staff. End user access to the Service Desk, delivery of technical assistance, problem escalation, ticket generation and updates, performance metrics, and maintenance of the service database are consistent whether issues are resolved by your internal support resources, by Progent, or a mix of the two. Learn more about Progent's outsourced/shared Call Desk services.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting-edge behavior-based machine learning technology to defend endpoints and physical and virtual servers against new malware assaults such as ransomware and file-less exploits, which easily evade legacy signature-based anti-virus tools. Progent ASM services safeguard on-premises and cloud resources and offer a single platform to address the entire threat progression, including blocking, identification, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Find out more about Progent's ransomware protection and recovery services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect information related to your network infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSLs or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as half of time spent looking for vital information about your network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Patch Management: Patch Management Services
    Progent's support services for patch management offer organizations of any size a versatile and cost-effective alternative for assessing, testing, scheduling, applying, and documenting software and firmware updates to your dynamic IT network. Besides maximizing the protection and reliability of your IT environment, Progent's software/firmware update management services free up time for your IT staff to focus on line-of-business initiatives and tasks that derive maximum business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the apps. Because the system is virtualized, it can be ported easily to an alternate hosting environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which easily evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to address the entire malware attack progression including filtering, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver economical in-depth protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device control, and web filtering via cutting-edge technologies incorporated within one agent accessible from a unified console. Progent's data protection and virtualization consultants can help you design and configure a ProSight ESP deployment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you specify and configure the policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require immediate attention. Progent can also help your company set up and test a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

For 24-hour Lower Manhattan crypto-ransomware removal consulting, contact Progent at 800-462-8800 or go to Contact Progent.