Ransomware: Your Crippling Information Technology Catastrophe
Crypto-Ransomware Remediation Consultants
Crypto-ransomware has become a modern cyberplague that poses an extinction-level threat to businesses of all sizes that are unprepared for an attack. Older families and lockers such as CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock have been in the wild for years and continue to cause harm. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, Snatch and Egregor, along with new and as yet unnamed variants appearing daily, not only encrypt online data files but also encrypt or delete every backup they can reach: shadow copies and any backup share or repository that is writable from a compromised account. Files replicated to cloud storage can be corrupted as well, because replication faithfully copies the encrypted versions over the good ones. In a poorly designed system this can make restore operations hopeless and effectively sets the network back to square one.
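As an added illustration, not part of Progent's report or tooling: before a backup set that was reachable from the compromised network is trusted for a restore, each file should be triaged for signs that the ransomware reached it. The Python check below flags ransom-note file names, extensions the crew appended, and files whose bytes look like ciphertext (near-maximal entropy with no recognisable header, which avoids false alarms on compressed formats such as ZIP, gzip, PDF, PNG and JPEG). The indicator lists and the entropy threshold are assumptions for illustration; in a real engagement they come from the sample and the incident's IOC report. The sample backup directory it builds is constructed data.

```python
"""Triage a restore candidate for signs that ransomware reached it.

Added example, not Progent's tooling. Indicator lists and the entropy
threshold are assumptions for illustration; a real engagement takes them
from the actual sample and the incident's IOC report.
"""
import gzip
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Assumed indicators: an extension Ryuk appended and note file names it dropped.
SUSPECT_EXTENSIONS = {".ryk", ".encrypted", ".locked"}
RANSOM_NOTE_NAMES = {"ryukreadme.txt", "ryukreadme.html"}

# Headers of formats that are high-entropy by design (compressed or encrypted),
# so that a healthy .zip/.gz/.pdf/.jpg/.png/.7z is not reported as ciphertext.
KNOWN_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"%PDF", b"\xff\xd8\xff",
               b"\x89PNG", b"7z\xbc\xaf\x27\x1c")
ENTROPY_THRESHOLD = 7.5   # bits/byte; ciphertext is ~7.95, text is 4-5, code ~6
SAMPLE_BYTES = 64 * 1024  # only the head of each file is inspected
MIN_SAMPLE = 512          # below this there is too little data for a useful estimate


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte-value histogram of `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Return 'ransom-note', 'suspect-extension', 'high-entropy' or 'clean'."""
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return "ransom-note"
    if path.suffix.lower() in SUSPECT_EXTENSIONS:
        return "suspect-extension"
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(KNOWN_MAGIC):      # legitimately dense format, header intact
        return "clean"
    if len(head) >= MIN_SAMPLE and shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "high-entropy"             # looks like ciphertext with its header gone
    return "clean"


def scan_backup(root: Path) -> dict:
    """Map each file under `root` (relative path) to its verdict."""
    return {str(p.relative_to(root)): classify_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup_is_trustworthy(report: dict) -> bool:
    """A backup set is only restorable if every file came back clean."""
    return all(verdict == "clean" for verdict in report.values())


def _pseudo_random(rng: random.Random, n: int) -> bytes:
    """Deterministic stand-in for ciphertext (works on any Python 3)."""
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_backup(root: Path) -> Path:
    """Constructed sample data: two healthy files, three showing the share was touched."""
    rng = random.Random(2019)
    root.mkdir(parents=True, exist_ok=True)
    (root / "ledger.csv").write_text("date,account,amount\n" * 400)                # plain text
    (root / "archive.gz").write_bytes(gzip.compress(_pseudo_random(rng, 4096)))    # dense but valid gzip
    (root / "orders.xlsx").write_bytes(_pseudo_random(rng, 8192))                  # ciphertext where 'PK' should be
    (root / "invoice.pdf.ryk").write_bytes(_pseudo_random(rng, 8192))              # appended extension
    (root / "RyukReadMe.txt").write_text("your network has been penetrated\n")     # dropped note
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = scan_backup(build_sample_backup(Path(tmp) / "backup"))
        for name, verdict in report.items():
            print(f"{verdict:18} {name}")
        print("trustworthy:", backup_is_trustworthy(report))
```

Run stand-alone it prints one verdict per file and `trustworthy: False` for the constructed set; anything other than all-clean means that copy goes to forensics, not into the restore queue. Entropy alone cannot tell a legitimately encrypted archive from ransomware output, so the header allowlist, and a known-good hash manifest where one exists, should be consulted first.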

Restoring services and data after a ransomware intrusion becomes a race against the clock as the victim struggles to contain the damage, eradicate the ransomware, and bring business-critical activity back. Because the operators need time to move laterally and stage the encryption, the final payload is frequently detonated at night or over a weekend, when a successful attack takes longer to notice. This multiplies the difficulty of rapidly mobilizing and orchestrating an experienced mitigation team.

Progent provides an assortment of services for protecting enterprises from ransomware intrusions. These include staff training to recognize and avoid phishing lures, ProSight Active Security Monitoring for behavior-based endpoint protection, and deployment and configuration of SentinelOne's AI-driven endpoint protection platform to detect and contain zero-day attacks automatically. Progent also offers the services of expert ransomware recovery consultants with the skill and perseverance to rebuild a compromised system as quickly as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware intrusion, even paying the ransom in Bitcoin does not ensure that the attackers will hand over working keys to decrypt your data, and attacker-supplied decryptors are often slow and unreliable. Kaspersky found that 17% of ransomware victims never recovered their data after paying, compounding their losses. The ransom itself is also costly: Ryuk demands frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the typical ransomware demand, which ZDNet reported at around $13,000. The alternative is to piece back together the vital elements of your IT environment. Without usable backups, this calls for a broad range of IT skills, well-coordinated project management, and the willingness to work 24x7 until the job is done.

For decades, Progent has offered expert IT services to companies in San Antonio and across the United States and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold top certifications in foundation technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cyber security consultants have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the skills to quickly identify the critical systems, organize the surviving parts of your network following a ransomware event, and rebuild them into a functioning environment.

Progent's ransomware team uses best-of-breed project management tools to coordinate the complicated restoration process. Progent knows the importance of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and get critical applications back online as fast as possible.

Customer Case Study: A Successful Ransomware Recovery
A client hired Progent after their network was attacked by the Ryuk ransomware. Ryuk was initially attributed to North Korean operators because it shares code with the earlier Hermes ransomware, but later analysis by most researchers tied it to a Russian-speaking criminal group. Ryuk is deployed in targeted, hands-on-keyboard intrusions against organizations with little or no tolerance for disruption, and it is one of the most profitable ransomware operations on record. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud hosting firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in the Chicago metro area with around 500 staff members. The Ryuk attack had frozen all essential business and manufacturing processes. Most of the client's backups were online, reachable from the production network, when the attack began, and they were encrypted along with the production data. The client considered paying the ransom (over $200K) and hoping for the best, but in the end decided to engage Progent.


"I cannot say enough in regards to the care Progent provided us throughout the most critical time of (our) company's life. We had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent team provided us. The fact that you were able to get our messaging and critical applications back online quicker than a week was something I thought impossible. Each staff member I got help from or e-mailed at Progent was absolutely committed on getting us back online and was working 24 by 7 on our behalf."

Progent worked with the customer to rapidly identify and prioritize the applications that had to be recovered first in order to restart departmental operations:

  • Active Directory (AD)
  • E-Mail
  • Accounting/MRP
To begin, Progent followed incident-response best practices by isolating affected systems to halt the spread and eradicating the active malware. Progent then started rebuilding Microsoft Active Directory, the heart of any enterprise network built on Windows. Exchange cannot run without Active Directory, and the customer's accounting and MRP applications ran on SQL Server, which relied on AD (Windows authentication) to control access to the databases.

In less than 48 hours, Progent recovered Active Directory to its pre-attack state. Progent then pressed ahead with reinstallation and disk recovery of the required systems. The Exchange databases and their AD attributes were intact, which greatly simplified the Exchange restore. Progent was also able to collect intact OST files (Outlook Offline Data Files) from user desktops to recover mail. A recent offline backup of the client's financials/MRP software, one the ransomware could not reach, allowed those essential applications to be brought back online for users. Although much work remained to recover fully from the Ryuk damage, core services were restored rapidly:


"For the most part, the production manufacturing operation ran fairly normal throughout and we did not miss any customer deliverables."

During the following weeks, critical milestones in the recovery were reached through close cooperation between Progent's team and the client:

  • In-house web sites were brought back up with no loss of data.
  • The MailStore Server email archive, holding over four million archived messages, was brought online and made accessible to users.
  • CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory capabilities were fully recovered.
  • A new Palo Alto Networks PA-850 next-generation firewall was installed and configured.
  • 90% of the desktop computers were back in use by staff.

"A huge amount of what happened in the early hours is nearly entirely a haze for me, but our team will not forget the urgency each of your team accomplished to help get our company back. I've been working together with Progent for the past ten years, possibly more, and each time I needed help Progent has shined and delivered as promised. This situation was a stunning achievement."

Conclusion
A potential business-extinction catastrophe was averted through hard-working professionals, a broad array of technical expertise, and close collaboration. In hindsight, the intrusion described here could have been blocked with modern security tooling and practices, staff education, and well-thought-out procedures for data protection (including backups the attacker cannot reach) and patching, but the fact remains that criminal and state-sponsored attackers from Russia, China, North Korea and elsewhere are relentless and will keep coming. If you are hit by a ransomware attack, Progent's team has extensive experience in ransomware prevention, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), thank you for allowing me to get rested after we made it over the initial fire. Everyone did an impressive job, and if anyone is around the Chicago area, dinner is on me!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in San Antonio a range of remote monitoring and security assessment services to help minimize your exposure to crypto-ransomware. These services include behavior-based machine-learning detection to catch new strains of ransomware that evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution built on SentinelOne's behavior-based analysis technology to defend physical and virtual endpoints against new malware such as ransomware and the payloads delivered by email phishing, which routinely get past legacy signature-matching AV tools. ProSight ASM safeguards local and cloud resources and offers a single platform covering the whole attack progression: protection, infiltration detection, containment, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (which depends on the agent preserving shadow copies, since most ransomware tries to delete them before encrypting) and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver economical in-depth security for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering via tools integrated into a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business design and implement a ProSight ESP environment that meets your company's specific requirements and lets you achieve and demonstrate compliance with legal and industry data security regulations. Progent will help you define and configure the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent can also help you set up and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with leading backup/restore software vendors to create ProSight Data Protection Services, a portfolio of subscription-based managed plans that provide backup-as-a-service. ProSight DPS services automate and monitor your backup operations and enable non-disruptive backup and fast recovery of critical files, applications, system images, and virtual machines. ProSight DPS helps your business recover from data loss caused by hardware failure, natural disasters, fire, cyber attacks such as ransomware, user mistakes, malicious employees, or application bugs. Managed backup services in the ProSight Data Protection Services family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you identify which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security vendors to deliver web-based management and strong protection for your email traffic. The hybrid architecture of the Email Guard managed service combines cloud-based filtering with a local security gateway appliance to provide layered defense against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first barrier and blocks the vast majority of unwanted email before it reaches your security perimeter. This reduces your exposure to external threats and conserves bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper layer of analysis for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam filtering, data leak protection, and email encryption. The local security gateway can also work with Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to diagram, track, reconfigure and debug their networking appliances such as routers and switches, firewalls, and load balancers plus servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are always current, copies and manages the configuration of virtually all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating tedious management activities, ProSight WAN Watch can knock hours off common tasks such as network mapping, expanding your network, finding appliances that require critical updates, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by tracking the health of critical assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT personnel and your assigned Progent engineering consultant so that all potential issues can be resolved before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and managed by Progent's IT support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Since the environment is virtualized, it can be ported easily to a different hosting solution without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect information about your network infrastructure, procedures, business applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL/TLS certificates, domains, or warranties. By keeping your IT infrastructure documentation current and organized, you can eliminate up to 50% of the time spent searching for vital information about your network. ProSight IT Asset Management provides a common repository for holding and collaborating on all the documents required to manage your network infrastructure, such as standard operating procedures and how-to guides. ProSight IT Asset Management also supports a high level of automation for gathering and correlating IT data. Whether you're making enhancements, doing routine maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Find out more about the ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection service that uses behavior-based machine learning to guard endpoint devices and physical and virtual servers against new malware such as ransomware and file-less exploits, which routinely get past legacy signature-based anti-virus tools. The service safeguards local and cloud resources and offers a single platform covering the complete threat lifecycle: protection, infiltration detection, containment, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
    Progent's Support Desk services permit your IT group to outsource Call Center services to Progent or split activity for Service Desk support seamlessly between your in-house support staff and Progent's nationwide pool of certified IT support engineers and subject matter experts. Progent's Co-managed Service Desk offers a smooth supplement to your core support group. End user access to the Help Desk, delivery of technical assistance, problem escalation, trouble ticket creation and tracking, efficiency measurement, and management of the support database are consistent whether incidents are taken care of by your core network support organization, by Progent's team, or both. Find out more about Progent's outsourced/shared Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a versatile and cost-effective alternative for evaluating, validating, scheduling, implementing, and documenting updates to your ever-evolving IT network. In addition to maximizing the security and functionality of your computer network, Progent's software/firmware update management services allow your IT team to concentrate on more strategic projects and activities that deliver the highest business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication services use Cisco's Duo technology to protect against password compromise through two-factor authentication (2FA). Duo enables single-tap identity verification with iOS, Android, and other personal devices. With 2FA, after you enter your password for a protected application you are asked to confirm your identity via a device that only you possess and that uses a separate ("out-of-band") channel, so a stolen password alone is not enough to log in. A wide selection of out-of-band devices can be used for this second factor, including a smartphone or wearable, a hardware token, or a landline telephone, and you may register several verification devices. For details about ProSight Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services.
For 24/7 San Antonio Crypto-Ransomware Cleanup Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.