Crypto-Ransomware: Your Worst Information Technology Nightmare
Ransomware has become a too-frequent cyber pandemic that presents an enterprise-level danger for businesses poorly prepared for an attack. Multiple generations of ransomware such as CrySIS, WannaCry, Locky, Syskey-based lockers and MongoLock have been out in the wild for years and continue to inflict havoc. Modern variants like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with additional unnamed malware, not only encrypt on-line data files but also target the protection mechanisms themselves: backup repositories, shadow copies and files synchronized to off-site disaster recovery sites can be encrypted as well. In a vulnerable data protection solution, this can render automated restore operations impossible and basically sets the datacenter back to zero.
Restoring services and data following a ransomware attack becomes a sprint against the clock as the targeted business fights to stop lateral movement, clear the crypto-ransomware and resume business-critical activity. Because encryption takes time to spread across a network, attackers often trigger it on weekends and holidays, when it takes longer to notice. This multiplies the difficulty of rapidly mobilizing and organizing a knowledgeable response team.
Progent provides a variety of services for securing businesses from ransomware attacks. Among these are team education to help staff recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for managed endpoint protection, and setup and configuration of next-generation endpoint security with behavioral artificial intelligence technology from SentinelOne to identify and quarantine new cyber attacks quickly. Progent also provides the services of experienced ransomware recovery consultants with the talent and perseverance to restore a breached environment as quickly as possible.
Progent's Ransomware Recovery Help
After a crypto-ransomware event, paying the ransom in Bitcoin does not guarantee that the criminals will hand over working decryption keys for any or all of your data. Kaspersky found that 17% of ransomware victims never restored their data after having paid the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time). This is significantly above the usual ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to rebuild the essential parts of your Information Technology environment from scratch. Without full data backups, this calls for a broad range of skills, top-notch team management, and the willingness to work 24x7 until the task is finished.
For two decades, Progent has provided expert Information Technology services for businesses in Joinville and throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained top certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally-recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise with financial systems and ERP software solutions. This breadth of expertise gives Progent the capability to rapidly identify critical systems after a ransomware attack, organize the remaining components of your Information Technology environment, and assemble them into an operational network.
Progent's recovery team uses professional project management applications to coordinate the complex recovery process. Progent knows the urgency of acting quickly and works together with a client's management and Information Technology staff to prioritize tasks and to put key systems back on line as soon as humanly possible.
Client Story: A Successful Ransomware Intrusion Recovery
A business sought out Progent after their network was penetrated by the Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but later analysis attributed it to a Russian-speaking criminal group that typically deploys it by hand after an initial TrickBot or Emotet infection. Ryuk is deployed selectively against organizations with little tolerance for downtime and is one of the most lucrative ransomware operations to date. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer located in Chicago with around 500 staff members. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's backups were online when the intrusion began and were encrypted along with the production data. The client was arranging financing to pay the ransom (over $200K) and hoping for the best, but ultimately brought in Progent instead.
"I cannot tell you enough regarding the help Progent provided us throughout the most stressful time of (our) business's existence. We might have had to pay the hackers behind this attack if not for the confidence the Progent experts gave us. The fact that you were able to get our messaging and critical servers back online in less than seven days was something I thought impossible. Each consultant I spoke to or e-mailed at Progent was absolutely committed to getting us working again and was working at a breakneck pace to bail us out."
Progent worked together with the client to quickly identify and prioritize the mission-critical systems that had to be addressed to make it possible to restart business functions:
Progent first followed malware incident response best practices: contain the spread, then remove the ransomware from affected systems. Progent then began the task of restoring Active Directory, the core technology of enterprise networks built on Microsoft products. Microsoft Exchange Server messaging will not operate without Windows AD, and the customer's accounting and MRP applications relied on Microsoft SQL Server, which depends on Windows AD for authentication to the database.
- Active Directory
Within two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then charged ahead with rebuilding and hard drive recovery on key servers. Exchange Server's Active Directory linkages and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to locate local OST files (Microsoft Outlook Offline Data Files, the cached mailbox copies Outlook keeps on each client) on various workstations and laptops to recover mail content. A reasonably recent offline backup of the client's manufacturing software made it possible to bring these vital services back to users. Although a lot of work still had to be done to recover completely from the Ryuk attack, critical services were restored rapidly:
"For the most part, the production operation was never shut down and we delivered all customer orders."
Over the next month, key milestones in the restoration project were reached through close cooperation between Progent's team and the customer:
- Internal web sites were restored without losing any information.
- The MailStore Server containing more than four million archived messages was brought online and accessible to users.
- CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control capabilities were 100% recovered.
- A new Palo Alto 850 firewall was installed and configured.
- Ninety percent of the user workstations were operational.
"A huge amount of what transpired in the early hours is mostly a blur for me, but our team will not forget the countless hours all of the team put in to help get our business back. I have been working with Progent for the past 10 years, possibly more, and each time Progent has impressed me and delivered. This event was a life saver."
A potential business-ending disaster was averted by hard-working professionals, a broad array of subject matter expertise, and close teamwork. In hindsight, the intrusion described here could have been blocked by current security tooling, ISO/IEC 27001 best practices, user and IT administrator training, and well-designed procedures for offline backups and patch management. The fact remains, however, that state-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to ransomware, remember that Progent's team of professionals has proven experience in ransomware defense, removal, and data restoration.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for making it so I could get some sleep after we made it past the first week. All of you did an impressive job, and if any of your team is visiting the Chicago area, a great meal is on me!"
To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Joinville a variety of online monitoring and security evaluation services to help you to reduce your vulnerability to ransomware. These services include modern artificial intelligence capability to uncover zero-day strains of crypto-ransomware that are able to get past traditional signature-based security products.
For 24x7 Joinville CryptoLocker Repair Consultants, contact Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's behavioral machine learning technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which easily evade legacy signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a single platform to automate the complete threat lifecycle including protection, detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Note that VSS-based rollback depends on shadow copies surviving the attack; many ransomware families delete them before encrypting, so rollback complements offline backups rather than replacing them. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and respond to security threats from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device control, and web filtering through technologies incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can help your business design and implement a ProSight ESP deployment that addresses your organization's unique requirements and that helps you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require immediate action. Progent's consultants can also help you install and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Recovery Services
Progent has partnered with leading backup/restore software providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services manage and track your backup operations and enable transparent backup and fast restoration of important files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss resulting from equipment failures, natural calamities, fire, malware such as ransomware, human error, ill-intentioned insiders, or application bugs. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these managed backup services are best suited for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security companies to deliver centralized control and comprehensive security for your email traffic. The powerful architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most unwanted email from reaching your security perimeter. This decreases your vulnerability to external attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a deeper layer of inspection for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server to monitor and protect internal email traffic that originates and ends inside your security perimeter. For more details, see Email Guard spam and content filtering.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map, track, enhance and troubleshoot their networking appliances such as switches, firewalls, and access points plus servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are always updated, captures and manages the configuration of almost all devices connected to your network, tracks performance, and sends notices when potential issues are discovered. By automating time-consuming management activities, WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, finding devices that require important software patches, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your IT system running efficiently by tracking the state of vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT staff and your assigned Progent consultant so all potential issues can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Since the environment is virtualized, it can be ported easily to a different hosting solution without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and protect data about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save up to 50% of time thrown away looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.
- Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that uses next-generation behavior analysis tools to defend endpoint devices as well as physical and virtual servers against modern malware assaults such as ransomware and email phishing, which routinely get by legacy signature-matching AV tools. The service safeguards local and cloud resources and offers a single platform to automate the entire threat lifecycle including filtering, intrusion detection, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and cleanup services.
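Both the ProSight ASM description above and this section rely on single-click rollback from Windows VSS shadow copies. That only works if the shadow copies still exist when the rollback is attempted, and deleting them (typically with vssadmin, wmic or WMI calls) is a standard step in modern ransomware deployment. The following PowerShell script is an added example, not Progent's or SentinelOne's code: it inventories the shadow copies present on each local volume and scans Sysmon process-creation events (Event ID 1) and Security auditing events (Event ID 4688) for shadow-copy destruction commands so that an attempt can be alerted on before encryption completes. It assumes it is run as Administrator on a host where Sysmon is installed and, for 4688, command-line auditing is enabled; the event IDs and channel names are the real ones, while the regex list is this example's own.

```powershell
# Added example (not Progent's or SentinelOne's code).
# 1. Inventory shadow copies per volume so an operator can see whether VSS
#    rollback is still possible on this host.
# 2. Hunt the last N hours of process-creation logs for shadow-copy deletion
#    (MITRE ATT&CK T1490, Inhibit System Recovery).
# Assumes: run elevated; Sysmon installed (default channel name below);
# Security 4688 only carries CommandLine if command-line auditing is enabled.

function Get-ShadowCopyInventory {
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the
    # \\?\Volume{GUID}\ form, so they can be matched directly.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
    foreach ($v in $volumes) {
        $mine = @($shadows | Where-Object { $_.VolumeName -eq $v.DeviceID })
        $newest = $null
        if ($mine.Count -gt 0) {
            $newest = ($mine | Sort-Object InstallDate -Descending | Select-Object -First 1).InstallDate
        }
        [pscustomobject]@{
            Volume      = $v.DriveLetter
            ShadowCount = $mine.Count
            Newest      = $newest
        }
    }
}

# Command-line patterns that destroy or disable recovery points. This list is
# the example's own; tune it for your environment.
$ShadowDeletionPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy.*\.Delete\(',          # PowerShell/WMI-based deletion
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)',
    'bcdedit(\.exe)?.*recoveryenabled\s+no'
)

function Test-ShadowDeletionCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($p in $ShadowDeletionPatterns) {
        if ($CommandLine -match $p) { return $true }
    }
    return $false
}

function Find-ShadowDeletionEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    StartTime = $since },
        @{ LogName = 'Security';                              Id = 4688; StartTime = $since }
    )
    foreach ($f in $filters) {
        # -ErrorAction SilentlyContinue: a missing channel or no matches is not fatal.
        $events = Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Pull the EventData fields out of the event XML into a hashtable.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $cmd = $data['CommandLine']
            if (-not $cmd) { continue }
            if (Test-ShadowDeletionCommand -CommandLine $cmd) {
                [pscustomobject]@{
                    Time        = $e.TimeCreated
                    Source      = $f.LogName
                    User        = if ($e.Id -eq 1) { $data['User'] }        else { $data['SubjectUserName'] }
                    Parent      = if ($e.Id -eq 1) { $data['ParentImage'] } else { $data['ParentProcessName'] }
                    CommandLine = $cmd
                }
            }
        }
    }
}

# Usage: show current recovery points, then any deletion attempts in the last 3 days.
Get-ShadowCopyInventory   | Format-Table -AutoSize
Find-ShadowDeletionEvents -Hours 72 | Format-Table -AutoSize -Wrap
```

A volume reporting zero shadow copies on a host that is supposed to have them is itself worth an alert, and any hit from Find-ShadowDeletionEvents whose parent is not a known backup or management tool should be treated as an active-encryption precursor and trigger host isolation rather than a ticket.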
- Outsourced/Co-managed Call Center: Call Center Managed Services
Progent's Service Desk services allow your information technology team to outsource help desk support to Progent or to divide Service Desk responsibilities seamlessly between your in-house support group and Progent's extensive pool of certified IT service technicians, engineers and subject matter experts. Progent's Shared Service Desk acts as a seamless extension of your corporate support group. Client access to the Service Desk, delivery of support, issue escalation, trouble ticket creation and updates, performance measurement, and management of the service database are consistent whether issues are handled by your corporate IT support resources, by Progent, or by a combination. Read more about Progent's outsourced/co-managed Service Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management provide organizations of any size a versatile and cost-effective solution for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT system. Besides maximizing the security and functionality of your computer environment, Progent's patch management services allow your in-house IT staff to focus on line-of-business projects and tasks that derive the highest business value from your information network. Learn more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
Progent's Duo MFA services incorporate Cisco's Duo technology to protect against password theft by using two-factor authentication (2FA). Duo supports single-tap identity verification with iOS, Google Android, and other personal devices. Using Duo 2FA, when you log into a secured online account and enter your password you are asked to confirm who you are on a device that only you possess and that uses a different network channel. A broad range of out-of-band devices can be used as this second form of authentication such as an iPhone or Android or wearable, a hardware/software token, a landline phone, etc. You can designate several validation devices. To learn more about Duo two-factor identity validation services, see Duo MFA two-factor authentication services for access security.