San Antonio 24-Hour Urgent Crypto-Ransomware
Infection Assessment and Recovery Support

Crypto-Ransomware : Your Feared Information Technology Disaster
Ransomware has become a too-frequent cyberplague that presents an enterprise-level danger for businesses of all sizes poorly prepared for an attack. Different iterations of ransomware like the CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been replicating for years and continue to inflict havoc. Newer variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, as well as daily as yet unnamed malware, not only do encryption of online critical data but also infiltrate most accessible system protection mechanisms. Data replicated to cloud environments can also be encrypted. In a poorly designed environment, this can render any recovery useless and effectively knocks the network back to zero.

Recovering applications and data following a ransomware intrusion becomes a sprint against the clock as the victim tries its best to stop the spread and eradicate the ransomware and to resume business-critical operations. Since crypto-ransomware needs time to move laterally, assaults are frequently sprung on weekends and holidays, when successful attacks may take more time to uncover. This compounds the difficulty of quickly marshalling and organizing a qualified response team.

Progent makes available a variety of services for securing organizations from ransomware penetrations. Among these are team training to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of next-generation security gateways with AI capabilities from SentinelOne to discover and disable zero-day threats intelligently. Progent also can provide the assistance of seasoned crypto-ransomware recovery professionals with the skills and perseverance to reconstruct a compromised system as urgently as possible.

Progent's Ransomware Recovery Help
Following a ransomware attack, paying the ransom in cryptocurrency does not guarantee that cyber criminals will respond with the needed codes to unencrypt any of your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the average crypto-ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to setup from scratch the vital parts of your Information Technology environment. Absent access to essential data backups, this requires a wide range of skill sets, top notch project management, and the capability to work non-stop until the task is completed.

For decades, Progent has offered certified expert Information Technology services for companies in San Antonio and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally-recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise provides Progent the ability to knowledgably determine critical systems and re-organize the remaining components of your IT system after a ransomware attack and configure them into an operational system.

Progent's security group deploys state-of-the-art project management tools to orchestrate the complex restoration process. Progent understands the importance of acting swiftly and in concert with a customer's management and IT team members to prioritize tasks and to put critical services back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Virus Restoration
A client escalated to Progent after their company was brought down by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean government sponsored hackers, suspected of using technology leaked from the United States NSA organization. Ryuk seeks specific businesses with little or no tolerance for disruption and is one of the most lucrative instances of ransomware. High publicized organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer located in the Chicago metro area with around 500 workers. The Ryuk penetration had paralyzed all business operations and manufacturing processes. Most of the client's system backups had been on-line at the beginning of the intrusion and were destroyed. The client was pursuing financing for paying the ransom demand (in excess of $200,000) and wishfully thinking for good luck, but ultimately utilized Progent.

Progent worked together with the customer to quickly determine and assign priority to the mission critical services that had to be recovered to make it possible to continue company operations:

• Active Directory (AD)
• Exchange Server
• MRP System

Within two days, Progent was able to rebuild Active Directory services to its pre-attack state. Progent then completed setup and hard drive recovery on the most important servers. All Exchange data and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to find local OST files (Outlook Offline Folder Files) on various desktop computers and laptops in order to recover email messages. A not too old offline backup of the businesses financials/ERP systems made them able to return these required applications back on-line. Although major work needed to be completed to recover fully from the Ryuk attack, core systems were returned to operations quickly:

Throughout the following couple of weeks critical milestones in the recovery project were achieved through tight cooperation between Progent team members and the customer:

• In-house web applications were returned to operation with no loss of information.
• The MailStore Server with over four million archived emails was brought on-line and accessible to users.
• CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory functions were fully restored.
• A new Palo Alto 850 security appliance was brought on-line.
• 90% of the desktops and laptops were being used by staff.

Conclusion
A probable business extinction catastrophe was evaded through the efforts of dedicated experts, a wide range of technical expertise, and close teamwork. Although in retrospect the ransomware virus penetration detailed here would have been stopped with modern security technology and security best practices, team training, and well thought out incident response procedures for data backup and keeping systems up to date with security patches, the reality remains that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware incident, feel confident that Progent's team of experts has extensive experience in ransomware virus defense, removal, and data restoration.

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in San Antonio a variety of online monitoring and security evaluation services designed to help you to reduce your vulnerability to ransomware. These services incorporate next-generation AI technology to detect zero-day variants of crypto-ransomware that are able to get past traditional signature-based security solutions.

• ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
  ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next generation behavior machine learning tools to defend physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which easily evade traditional signature-based AV products. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to manage the entire malware attack lifecycle including blocking, identification, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

• ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
  Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering via cutting-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization consultants can help your business to design and implement a ProSight ESP deployment that meets your organization's unique needs and that helps you achieve and demonstrate compliance with government and industry information protection standards. Progent will assist you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent action. Progent can also help your company to set up and verify a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

• ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
  Progent has partnered with leading backup/restore software providers to produce ProSight Data Protection Services, a selection of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup operations and enable non-disruptive backup and rapid recovery of vital files/folders, apps, images, plus virtual machines. ProSight DPS helps your business protect against data loss resulting from equipment breakdown, natural disasters, fire, malware such as ransomware, human error, ill-intentioned insiders, or software glitches. Managed backup services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these managed backup services are most appropriate for your IT environment.

• ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
  ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top information security companies to deliver web-based management and comprehensive security for your inbound and outbound email. The hybrid structure of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based malware. The Cloud Protection Layer acts as a first line of defense and blocks most threats from reaching your security perimeter. This decreases your vulnerability to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway appliance provides a further level of inspection for incoming email. For outgoing email, the local security gateway provides AV and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more information, visit Email Guard spam and content filtering.

• ProSight WAN Watch: Network Infrastructure Management
  Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, reconfigure and debug their connectivity appliances like routers, firewalls, and load balancers as well as servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are discovered. By automating tedious management activities, WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, finding devices that need important updates, or isolating performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

• ProSight LAN Watch: Server and Desktop Remote Monitoring
  ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your network running at peak levels by checking the state of critical assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT staff and your Progent engineering consultant so that any looming issues can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

• ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
  With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be ported easily to an alternate hardware environment without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied a single hosting provider. Find out more details about ProSight Virtual Hosting services.

• ProSight IT Asset Management: Network Documentation Management
  Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and protect data about your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSLs or warranties. By cleaning up and organizing your IT documentation, you can save up to half of time thrown away trying to find critical information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

• Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
  Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior machine learning technology to guard endpoint devices as well as servers and VMs against new malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus products. Progent Active Security Monitoring services protect local and cloud resources and offers a unified platform to address the entire malware attack lifecycle including blocking, detection, containment, remediation, and forensics. Key features include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and recovery services.

• Outsourced/Co-managed Call Center: Call Center Managed Services
  Progent's Call Desk managed services enable your IT group to offload Help Desk services to Progent or split responsibilities for Service Desk support transparently between your in-house support team and Progent's nationwide pool of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a seamless extension of your corporate IT support group. End user interaction with the Service Desk, delivery of support, problem escalation, ticket creation and updates, efficiency metrics, and management of the service database are cohesive regardless of whether issues are resolved by your core support group, by Progent, or by a combination. Learn more about Progent's outsourced/shared Help Desk services.

• Progent's Patch Management: Software/Firmware Update Management Services
  Progent's managed services for patch management offer businesses of all sizes a flexible and cost-effective alternative for assessing, validating, scheduling, applying, and documenting software and firmware updates to your dynamic information system. Besides maximizing the protection and reliability of your IT network, Progent's patch management services permit your IT team to focus on more strategic projects and activities that derive the highest business value from your network. Learn more about Progent's software/firmware update management services.

• ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
  Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against password theft through the use of two-factor authentication. Duo enables one-tap identity confirmation with iOS, Android, and other out-of-band devices. Using Duo 2FA, whenever you log into a protected application and give your password you are asked to verify your identity via a unit that only you possess and that is accessed using a different ("out-of-band") network channel. A broad selection of out-of-band devices can be used for this added form of ID validation including a smartphone or watch, a hardware token, a landline telephone, etc. You can designate multiple validation devices. For details about ProSight Duo two-factor identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.

• ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
  ProSight Reporting is a growing suite of real-time and in-depth reporting utilities designed to integrate with the industry's top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues such as inconsistent support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.