Crypto-Ransomware : Your Worst Information Technology Disaster
Ransomware  Remediation ConsultantsCrypto-Ransomware has become a too-frequent cyber pandemic that represents an enterprise-level danger for businesses poorly prepared for an attack. Multiple generations of ransomware such as CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for a long time and continue to inflict destruction. More recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, as well as more unnamed malware, not only do encryption of on-line data but also infiltrate any configured system protection mechanisms. Information synchronized to cloud environments can also be encrypted. In a poorly designed data protection solution, this can make automatic restoration impossible and effectively sets the datacenter back to zero.

Getting back online applications and data following a crypto-ransomware attack becomes a sprint against time as the victim tries its best to contain the damage and clear the ransomware and to restore mission-critical activity. Since ransomware requires time to move laterally, penetrations are usually sprung at night, when successful penetrations are likely to take longer to discover. This compounds the difficulty of promptly assembling and organizing a knowledgeable mitigation team.

Progent provides an assortment of solutions for securing businesses from ransomware attacks. These include team training to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation security gateways with artificial intelligence capabilities from SentinelOne to identify and extinguish new threats intelligently. Progent in addition provides the services of expert crypto-ransomware recovery engineers with the talent and commitment to reconstruct a breached system as rapidly as possible.

Progent's Ransomware Restoration Help
Subsequent to a crypto-ransomware event, paying the ransom in cryptocurrency does not ensure that cyber hackers will respond with the needed keys to decipher any of your data. Kaspersky Labs ascertained that 17% of ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The risk is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well above the average ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to setup from scratch the vital parts of your Information Technology environment. Without the availability of full system backups, this requires a wide range of IT skills, professional team management, and the willingness to work continuously until the task is completed.

For twenty years, Progent has made available expert IT services for businesses in Allentown and throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have attained top certifications in important technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security experts have garnered internationally-renowned industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience with accounting and ERP application software. This breadth of experience affords Progent the skills to rapidly determine important systems and consolidate the remaining pieces of your computer network system following a ransomware penetration and assemble them into a functioning system.

Progent's recovery group uses best of breed project management tools to orchestrate the complicated recovery process. Progent understands the importance of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and to put critical systems back online as soon as humanly possible.

Client Story: A Successful Ransomware Incident Restoration
A small business engaged Progent after their company was crashed by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean government sponsored hackers, suspected of adopting approaches leaked from the U.S. NSA organization. Ryuk goes after specific organizations with limited ability to sustain disruption and is among the most profitable incarnations of ransomware. Headline organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer located in the Chicago metro area and has around 500 staff members. The Ryuk penetration had paralyzed all company operations and manufacturing processes. Most of the client's data protection had been on-line at the beginning of the intrusion and were eventually encrypted. The client considered paying the ransom demand (exceeding two hundred thousand dollars) and praying for the best, but in the end brought in Progent.


"I cannot tell you enough about the care Progent gave us throughout the most stressful period of (our) company's existence. We had little choice but to pay the cybercriminals if not for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and key applications back on-line faster than seven days was amazing. Each person I got help from or texted at Progent was totally committed on getting us operational and was working breakneck pace to bail us out."

Progent worked together with the customer to rapidly understand and assign priority to the mission critical elements that needed to be recovered in order to restart company functions:

  • Active Directory
  • Exchange Server
  • MRP System
To get going, Progent adhered to ransomware event response industry best practices by halting lateral movement and cleaning up infected systems. Progent then started the process of recovering Windows Active Directory, the key technology of enterprise systems built on Microsoft Windows technology. Microsoft Exchange email will not operate without AD, and the businesses' financials and MRP system leveraged Microsoft SQL, which depends on Active Directory services for authentication to the data.

Within 48 hours, Progent was able to re-build Active Directory services to its pre-attack state. Progent then initiated rebuilding and storage recovery of mission critical servers. All Exchange schema and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to collect intact OST data files (Microsoft Outlook Offline Folder Files) on team workstations in order to recover email messages. A recent offline backup of the client's financials/ERP software made them able to restore these required applications back servicing users. Although a large amount of work needed to be completed to recover fully from the Ryuk virus, critical systems were returned to operations quickly:


"For the most part, the assembly line operation ran fairly normal throughout and we delivered all customer deliverables."

Over the following few weeks important milestones in the recovery project were completed through close collaboration between Progent team members and the client:

  • Self-hosted web applications were returned to operation with no loss of data.
  • The MailStore Microsoft Exchange Server with over four million archived messages was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory capabilities were 100 percent recovered.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Nearly all of the user desktops and notebooks were fully operational.

"So much of what occurred those first few days is mostly a fog for me, but we will not forget the urgency each and every one of your team accomplished to give us our business back. I have utilized Progent for the past 10 years, maybe more, and every time Progent has shined and delivered as promised. This time was the most impressive ever."

Conclusion
A probable business-killing catastrophe was averted through the efforts of top-tier experts, a broad array of technical expertise, and tight teamwork. Although in analyzing the event afterwards the ransomware incident described here should have been shut down with modern security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and well designed security procedures for data backup and applying software patches, the reality is that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a ransomware virus, remember that Progent's team of experts has a proven track record in ransomware virus blocking, cleanup, and file disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for allowing me to get rested after we made it over the initial fire. Everyone did an fabulous job, and if any of your guys is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Allentown a portfolio of online monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services utilize modern artificial intelligence capability to uncover zero-day variants of crypto-ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior-based machine learning technology to defend physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to address the entire threat progression including filtering, detection, containment, remediation, and forensics. Top capabilities include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can help you to plan and configure a ProSight ESP environment that meets your organization's unique requirements and that allows you achieve and demonstrate compliance with legal and industry data security standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for urgent action. Progent's consultants can also assist you to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with leading backup/restore software providers to produce ProSight Data Protection Services (DPS), a selection of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your backup processes and enable non-disruptive backup and fast restoration of critical files/folders, applications, system images, plus VMs. ProSight DPS lets your business avoid data loss caused by equipment failures, natural disasters, fire, malware like ransomware, user error, ill-intentioned insiders, or software bugs. Managed backup services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security vendors to provide centralized management and world-class security for all your inbound and outbound email. The powerful structure of Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from making it to your security perimeter. This reduces your vulnerability to inbound threats and saves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a deeper level of analysis for incoming email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map, monitor, optimize and debug their networking appliances like routers, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept current, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary tasks such as making network diagrams, reconfiguring your network, finding appliances that require important updates, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your network operating efficiently by tracking the health of critical assets that power your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT staff and your assigned Progent engineering consultant so that any looming issues can be addressed before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be moved immediately to a different hardware solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard data about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSLs ,domains or warranties. By updating and organizing your IT infrastructure documentation, you can save up to half of time spent trying to find vital information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates cutting edge behavior analysis tools to guard endpoints as well as physical and virtual servers against new malware attacks like ransomware and file-less exploits, which easily evade traditional signature-matching AV products. Progent ASM services safeguard on-premises and cloud resources and provides a single platform to manage the complete threat progression including blocking, infiltration detection, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Learn more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Center: Help Desk Managed Services
    Progent's Help Center managed services allow your information technology team to outsource Call Center services to Progent or split responsibilities for support services seamlessly between your in-house network support staff and Progent's nationwide roster of certified IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a seamless extension of your in-house IT support staff. Client access to the Service Desk, delivery of support, escalation, trouble ticket creation and tracking, efficiency measurement, and maintenance of the service database are cohesive regardless of whether incidents are resolved by your corporate support group, by Progent's team, or both. Learn more about Progent's outsourced/shared Call Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide businesses of all sizes a versatile and cost-effective solution for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic IT network. In addition to maximizing the protection and functionality of your computer network, Progent's patch management services permit your in-house IT team to focus on line-of-business initiatives and activities that derive maximum business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication (2FA). Duo enables one-tap identity verification on iOS, Android, and other personal devices. Using 2FA, whenever you log into a protected application and give your password you are asked to confirm your identity via a unit that only you possess and that uses a separate network channel. A broad selection of devices can be used for this second means of authentication such as a smartphone or wearable, a hardware token, a landline phone, etc. You can register several verification devices. To learn more about Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of in-depth reporting utilities designed to integrate with the top ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues such as inconsistent support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For 24/7/365 Allentown Crypto Remediation Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.