Crypto-Ransomware: Your Crippling Information Technology Disaster

Crypto-Ransomware Remediation Professionals
Ransomware has become a too-frequent cyber pandemic that represents an extinction-level threat for businesses of all sizes that are poorly prepared for an attack. Multiple generations of ransomware such as CryptoLocker, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been running rampant for a long time and continue to cause destruction. Newer strains of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Egregor, along with daily unnamed viruses, not only encrypt critical online data but also infect all configured system backups. Information synced to the cloud can also be ransomed. In a vulnerable environment, this can make any restore operation hopeless and knocks the entire system back to square one.

Getting applications and information back on-line following a ransomware intrusion becomes a race against the clock as the victim struggles to contain the damage, clean up the virus, and resume enterprise-critical activity. Since ransomware takes time to replicate, penetrations are often sprung on weekends, when a successful penetration may take more time to discover. This compounds the difficulty of rapidly marshalling and organizing an experienced response team.

Progent has a range of support services for protecting enterprises from ransomware attacks. Among these are team member training to help staff recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security solutions with artificial intelligence capabilities from SentinelOne to identify and disable zero-day threats. Progent also offers the services of seasoned ransomware recovery professionals with the talent and commitment to rebuild a compromised system as urgently as possible.

Progent's Ransomware Restoration Help
After a crypto-ransomware penetration, sending the ransom in cryptocurrency does not guarantee that the criminal gangs will return the keys to decrypt any or all of your information. Kaspersky ascertained that seventeen percent of crypto-ransomware victims never recovered their information even after having sent off the ransom, resulting in increased losses. Taking that risk is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET averages at around $13,000. The fallback is to piece back together the essential components of your IT environment. Absent access to essential system backups, this calls for a wide range of skill sets, top-notch project management, and the willingness to work continuously until the job is completed.

For twenty years, Progent has made available expert Information Technology services for businesses in Allentown and throughout the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned top industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of expertise affords Progent the skills to efficiently identify the necessary systems, integrate the surviving components of your Information Technology system after a ransomware attack, and assemble them into a functioning system.

Progent's recovery team of experts has powerful project management systems to orchestrate the complicated restoration process. Progent appreciates the importance of acting rapidly and in unison with a client's management and IT resources to prioritize tasks and to put critical systems back on-line as soon as possible.

Customer Case Study: A Successful Ransomware Virus Recovery
A customer contacted Progent after their network was brought down by Ryuk crypto-ransomware. Ryuk is thought to have been launched by North Korean state hackers, suspected of adopting strategies leaked from the United States NSA organization. Ryuk targets specific organizations with little or no ability to sustain operational disruption and is one of the most lucrative examples of ransomware viruses. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company located in Chicago with around 500 employees. The Ryuk penetration had paralyzed all company operations and manufacturing processes. The majority of the client's backups had been directly accessible from the network at the start of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom (in excess of $200K) and hoping for the best, but in the end engaged Progent.


"I cannot speak enough about the help Progent gave us during the most critical time of (our) business's life. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent group afforded us. The fact that you could get our e-mail and key servers back faster than 1 week was incredible. Each expert I talked with or messaged at Progent was amazingly focused on getting us operational and was working at all hours on our behalf."

Progent worked hand in hand with the customer to quickly assess and prioritize the critical applications that needed to be addressed in order to resume business operations:

  • Active Directory
  • Email
  • Financials/MRP

To start, Progent adhered to industry best practices for anti-virus incident mitigation by halting the spread and cleaning up compromised systems. Progent then began the task of rebuilding Microsoft Active Directory, the key technology of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not work without Active Directory, and the client's MRP software leveraged Microsoft SQL Server, which depends on Active Directory for Windows authentication and authorization to the database.

In less than two days, Progent was able to restore Active Directory to its pre-virus state. Progent then performed reinstallations and hard drive recovery of key applications. All Exchange data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to assemble non-encrypted OST data files (Outlook Email Offline Data Files) from user workstations in order to recover mail messages. A reasonably recent off-line backup of the customer's accounting/MRP software made it possible to bring these essential services back on-line. Although a lot of work remained to recover fully from the Ryuk attack, essential systems were restored quickly:


"For the most part, the production manufacturing operation did not miss a beat and we made all customer shipments."
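The OST recovery step above depends on telling intact workstation mail files from ones the ransomware overwrote. The following Python script is an added example (not Progent's code and not from the case study): it walks a constructed profile tree and keeps only Outlook data files whose header still carries the "!BDN" signature that every PST/OST file starts with; the paths, sizes and sample contents are all constructed for the demonstration.

```python
"""Triage Outlook offline data files (.ost/.pst) after a ransomware event.

Added example, not Progent's code. Ransomware that encrypts a file overwrites
its contents, so the fixed "!BDN" magic (dwMagic in the MS-PST header) that
every Outlook data file starts with disappears. Scanning workstation profiles
for files that still carry that signature finds mailbox copies worth keeping.
Files the ransomware renamed are skipped by extension; only candidates that
still look like Outlook stores are checked. Sample files are constructed.
"""
import os
import tempfile

OUTLOOK_MAGIC = b"!BDN"          # dwMagic at offset 0 of a PST/OST header
OUTLOOK_EXTS = (".ost", ".pst")
MIN_SIZE = 512                   # anything smaller is not a real data file


def classify_file(path):
    """Return 'intact', 'damaged' or 'ignored' for one candidate file."""
    if not path.lower().endswith(OUTLOOK_EXTS):
        return "ignored"
    if os.path.getsize(path) < MIN_SIZE:
        return "damaged"
    with open(path, "rb") as fh:
        header = fh.read(len(OUTLOOK_MAGIC))
    return "intact" if header == OUTLOOK_MAGIC else "damaged"


def triage_outlook_files(root):
    """Walk `root` and bucket every Outlook data file as intact or damaged."""
    result = {"intact": [], "damaged": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdict = classify_file(path)
            if verdict != "ignored":
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                result[verdict].append(rel)
    for bucket in result.values():
        bucket.sort()
    return result


def build_sample_tree():
    """Create a constructed profile tree: one intact OST, two damaged stores."""
    root = tempfile.mkdtemp(prefix="ost_triage_")
    good = os.path.join(root, "alice", "mailbox.ost")
    enc = os.path.join(root, "bob", "mailbox.ost")
    stub = os.path.join(root, "carol", "old.pst")
    for path in (good, enc, stub):
        os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(good, "wb") as fh:           # valid signature, padded body
        fh.write(OUTLOOK_MAGIC + b"\x00" * 1024)
    with open(enc, "wb") as fh:            # header overwritten by "encryption"
        fh.write(bytes(range(256)) * 8)
    with open(stub, "wb") as fh:           # too small to be a real store
        fh.write(OUTLOOK_MAGIC)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for bucket, paths in triage_outlook_files(sample_root).items():
        print(bucket, paths)
```

Pointing `triage_outlook_files` at a mounted copy of a workstation's profile directory gives the list of stores worth importing; a valid header only shows the file was not overwritten, so each candidate still has to be opened in Outlook to confirm the messages are readable.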

Over the following couple of weeks, critical milestones in the restoration project were reached through close cooperation between Progent team members and the customer:

  • Self-hosted web applications were returned to operation with no loss of information.
  • The MailStore archive server for Microsoft Exchange, holding over 4 million archived messages, was restored to operation and made accessible to users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory modules were 100% operational.
  • A new Palo Alto 850 security appliance was brought online.
  • 90% of the user PCs were fully operational.

"A lot of what went on in the early hours is mostly a blur for me, but we will not forget the commitment each of you accomplished to help get our company back. I have utilized Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A likely enterprise-killing disaster was dodged by hard-working experts, a wide array of knowledge, and tight teamwork. Although, in post-mortem, the crypto-ransomware attack detailed here could have been blocked with up-to-date cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well-designed incident response procedures for information protection and applying software patches, the fact is that state-sponsored cybercriminals from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware penetration, feel confident that Progent's team of professionals has a proven track record in ransomware virus defense, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thank you for making it so I could get some sleep after we got over the initial push. All of you did an amazing effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Allentown a variety of remote monitoring and security assessment services to help reduce the threat from ransomware. These services include modern artificial intelligence capabilities to detect zero-day strains of ransomware that are able to get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting-edge behavior-based machine learning tools to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-matching AV products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to manage the complete malware attack lifecycle, including blocking, detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring of and response to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, endpoint control, and web filtering through leading-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help your business design and implement a ProSight ESP deployment that meets your organization's unique needs and that allows you to demonstrate compliance with government and industry data protection standards. Progent will assist you in specifying and configuring the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent can also help you set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with advanced backup technology companies to produce ProSight Data Protection Services (DPS), a selection of offerings that provide backup-as-a-service. ProSight DPS services automate and monitor your data backup processes and enable non-disruptive backup and fast restoration of important files, applications, images, and virtual machines. ProSight DPS lets your business protect against data loss caused by equipment breakdown, natural calamities, fire, malware like ransomware, human error, ill-intentioned insiders, or software bugs. Managed backup services in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security companies to provide centralized control and comprehensive security for your email traffic. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks the vast majority of unwanted email before it reaches your security perimeter. This reduces your vulnerability to inbound attacks and conserves system bandwidth and storage space. Email Guard's on-premises gateway appliance provides a deeper layer of analysis for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server track and safeguard internal email that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, monitor, enhance and troubleshoot their connectivity appliances such as routers, switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that network maps are always current, captures and displays the configuration of almost all devices on your network, monitors performance, and generates notices when issues are discovered. By automating complex management activities, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, locating devices that need important software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by tracking the health of the vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT personnel and your assigned Progent consultant so that potential problems can be addressed before they disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hardware environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and safeguard information related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can save as much as 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your network infrastructure, like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting-edge behavior-based machine learning tools to defend endpoints and physical and virtual servers against modern malware assaults such as ransomware and file-less exploits, which easily get by legacy signature-based anti-virus tools. Progent ASM services safeguard local and cloud-based resources and offer a unified platform to address the complete threat progression, including filtering, detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against new attacks. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Call Desk: Help Desk Managed Services
    Progent's Help Center managed services permit your IT staff to outsource Call Center services to Progent or divide responsibilities for support services transparently between your in-house support staff and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a transparent supplement to your core IT support team. User interaction with the Service Desk, delivery of support, escalation, ticket creation and updates, efficiency measurement, and management of the service database are consistent whether issues are taken care of by your internal IT support organization, by Progent's team, or both. Find out more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide organizations of any size a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and tracking updates to your dynamic IT network. In addition to maximizing the security and reliability of your IT network, Progent's software/firmware update management services permit your IT staff to concentrate on line-of-business initiatives and tasks that derive maximum business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA services incorporate Cisco's Duo technology to protect against password theft by using two-factor authentication. Duo enables one-tap identity verification on iOS, Android, and other personal devices. With 2FA, whenever you sign into a protected online account and give your password, you are asked to verify who you are on a device that only you possess and that uses a separate network channel. A broad range of out-of-band devices can be used for this second form of ID validation, such as a smartphone or watch, a hardware/software token, or a landline telephone. You may designate multiple verification devices. For more information about ProSight Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services.

For Allentown 24-Hour Ransomware Recovery Consulting, contact Progent at 800-462-8800 or go to Contact Progent.