Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Crypto-Ransomware  Remediation ProfessionalsCrypto-Ransomware has become an escalating cyber pandemic that presents an extinction-level danger for organizations unprepared for an assault. Different iterations of ransomware such as CrySIS, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and continue to cause harm. The latest versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with more as yet unnamed newcomers, not only do encryption of online information but also infiltrate most configured system backups. Information synchronized to off-site disaster recovery sites can also be ransomed. In a vulnerable data protection solution, it can render any restore operations useless and basically knocks the entire system back to square one.

Getting back services and data following a crypto-ransomware attack becomes a sprint against the clock as the targeted organization tries its best to stop the spread and remove the ransomware and to restore business-critical operations. Since crypto-ransomware needs time to move laterally, penetrations are often launched during weekends and nights, when successful attacks typically take longer to discover. This multiplies the difficulty of rapidly mobilizing and organizing a qualified mitigation team.

Progent offers a variety of help services for protecting enterprises from crypto-ransomware events. Among these are team education to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security solutions with machine learning technology from SentinelOne to identify and extinguish zero-day threats intelligently. Progent also can provide the assistance of seasoned ransomware recovery engineers with the skills and perseverance to rebuild a breached network as rapidly as possible.

Progent's Crypto-Ransomware Restoration Services
Soon after a ransomware penetration, paying the ransom demands in cryptocurrency does not provide any assurance that cyber criminals will return the needed codes to unencrypt any or all of your information. Kaspersky Labs determined that 17% of ransomware victims never recovered their information even after having paid the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly above the typical ransomware demands, which ZDNET estimates to be in the range of $13,000. The alternative is to re-install the key elements of your IT environment. Absent the availability of full data backups, this calls for a wide complement of IT skills, top notch team management, and the willingness to work continuously until the job is complete.

For decades, Progent has made available professional IT services for companies in San Antonio and throughout the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have earned top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity experts have garnered internationally-renowned industry certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial systems and ERP software solutions. This breadth of experience provides Progent the capability to rapidly ascertain critical systems and re-organize the remaining pieces of your network environment after a ransomware event and assemble them into an operational system.

Progent's ransomware group uses powerful project management applications to coordinate the complex restoration process. Progent knows the urgency of acting swiftly and together with a client's management and Information Technology team members to prioritize tasks and to get key applications back on-line as soon as possible.

Case Study: A Successful Ransomware Penetration Recovery
A business contacted Progent after their organization was attacked by the Ryuk ransomware virus. Ryuk is generally considered to have been developed by Northern Korean government sponsored hackers, suspected of adopting strategies leaked from the United States National Security Agency. Ryuk goes after specific businesses with little room for disruption and is one of the most profitable instances of ransomware viruses. High publicized targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago with about 500 workers. The Ryuk event had frozen all company operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the time of the attack and were damaged. The client was actively seeking loans for paying the ransom demand (exceeding $200,000) and praying for the best, but in the end engaged Progent.


"I can't say enough about the expertise Progent gave us during the most critical period of (our) company's life. We may have had to pay the cybercriminals if it wasn't for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and critical applications back on-line sooner than five days was amazing. Every single expert I talked with or texted at Progent was hell bent on getting our company operational and was working breakneck pace to bail us out."

Progent worked with the client to quickly get our arms around and assign priority to the key applications that had to be restored in order to resume business operations:

  • Active Directory (AD)
  • Exchange Server
  • Financials/MRP
To start, Progent adhered to ransomware event mitigation best practices by halting lateral movement and clearing infected systems. Progent then started the task of restoring Microsoft Active Directory, the key technology of enterprise systems built on Microsoft technology. Exchange email will not work without AD, and the businesses' accounting and MRP system used SQL Server, which requires Active Directory services for authentication to the data.

In less than two days, Progent was able to re-build Active Directory services to its pre-penetration state. Progent then completed reinstallations and storage recovery of mission critical applications. All Exchange Server data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to find non-encrypted OST files (Outlook Email Off-Line Data Files) on various desktop computers and laptops in order to recover email data. A recent off-line backup of the businesses financials/ERP systems made them able to restore these vital programs back on-line. Although a large amount of work still had to be done to recover fully from the Ryuk virus, core services were returned to operations rapidly:


"For the most part, the production manufacturing operation was never shut down and we made all customer deliverables."

Throughout the following few weeks important milestones in the recovery project were completed in close cooperation between Progent consultants and the customer:

  • Self-hosted web applications were brought back up with no loss of information.
  • The MailStore Exchange Server with over 4 million historical emails was spun up and available for users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory capabilities were fully functional.
  • A new Palo Alto 850 firewall was installed and configured.
  • Nearly all of the desktop computers were operational.

"So much of what went on in the early hours is nearly entirely a fog for me, but we will not soon forget the commitment each of you put in to help get our company back. I've been working with Progent for at least 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This event was a testament to your capabilities."

Conclusion
A likely business extinction disaster was dodged through the efforts of dedicated experts, a wide array of technical expertise, and tight collaboration. Although in post mortem the ransomware virus attack described here would have been prevented with advanced cyber security technology and best practices, user and IT administrator education, and properly executed security procedures for data protection and proper patching controls, the fact remains that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware virus, remember that Progent's team of experts has extensive experience in crypto-ransomware virus defense, removal, and file recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for making it so I could get rested after we made it past the first week. Everyone did an impressive job, and if any of your guys is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in San Antonio a range of remote monitoring and security evaluation services to assist you to minimize your vulnerability to ransomware. These services incorporate modern machine learning capability to detect new variants of crypto-ransomware that are able to evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior analysis technology to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which easily evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a unified platform to manage the complete malware attack progression including blocking, infiltration detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint control, and web filtering through cutting-edge technologies incorporated within one agent accessible from a single console. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP deployment that addresses your organization's unique requirements and that helps you achieve and demonstrate compliance with government and industry data protection standards. Progent will assist you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent action. Progent's consultants can also help your company to set up and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup software companies to produce ProSight Data Protection Services, a family of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS products manage and track your backup operations and enable transparent backup and fast recovery of critical files, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business avoid data loss caused by hardware failures, natural disasters, fire, cyber attacks like ransomware, human mistakes, malicious employees, or application bugs. Managed services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading information security vendors to provide web-based control and comprehensive security for all your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway device to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter acts as a first line of defense and blocks most threats from making it to your security perimeter. This decreases your vulnerability to external threats and conserves system bandwidth and storage. Email Guard's onsite gateway device provides a deeper level of inspection for incoming email. For outgoing email, the local gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map out, track, optimize and debug their connectivity hardware such as routers, firewalls, and load balancers plus servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept updated, copies and manages the configuration of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are detected. By automating complex network management processes, WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating appliances that require critical updates, or isolating performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by checking the state of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your specified IT management staff and your assigned Progent engineering consultant so that all potential issues can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported easily to a different hardware solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data about your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT documentation, you can save as much as 50% of time spent looking for vital information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that incorporates cutting edge behavior machine learning tools to guard endpoint devices as well as servers and VMs against new malware assaults such as ransomware and email phishing, which routinely evade legacy signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard local and cloud-based resources and offers a single platform to automate the complete malware attack progression including protection, detection, containment, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Desk: Call Center Managed Services
    Progent's Call Desk services permit your information technology team to offload Help Desk services to Progent or divide activity for support services transparently between your in-house network support group and Progent's extensive pool of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a transparent extension of your internal network support resources. Client access to the Help Desk, delivery of technical assistance, problem escalation, trouble ticket creation and updates, efficiency metrics, and management of the service database are cohesive regardless of whether issues are taken care of by your core support group, by Progent's team, or by a combination. Find out more about Progent's outsourced/shared Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of any size a versatile and cost-effective alternative for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT system. Besides optimizing the security and functionality of your computer environment, Progent's software/firmware update management services allow your in-house IT staff to focus on line-of-business initiatives and activities that derive the highest business value from your network. Read more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication services incorporate Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication (2FA). Duo supports one-tap identity verification with Apple iOS, Google Android, and other personal devices. With 2FA, when you sign into a secured online account and give your password you are asked to verify your identity via a unit that only you have and that is accessed using a different network channel. A wide range of devices can be utilized for this added form of authentication such as an iPhone or Android or watch, a hardware token, a landline phone, etc. You may register several verification devices. To find out more about Duo two-factor identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing suite of real-time management reporting utilities designed to work with the leading ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues such as inconsistent support follow-through or machines with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For San Antonio 24/7/365 Ransomware Remediation Experts, call Progent at 800-462-8800 or go to Contact Progent.