Ransomware : Your Worst IT Disaster
Crypto-Ransomware Recovery Consultants
Crypto-Ransomware has become a modern cyber pandemic that represents an existential threat for businesses unprepared for an assault. Different iterations of ransomware like the CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been running rampant for years and continue to cause damage. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, as well as additional as yet unnamed malware, not only encrypt online files but also infect many reachable system backups. Information synchronized to the cloud can also be encrypted. In a vulnerable system, this can render automated recovery useless and effectively knocks the network back to zero.

Recovering services and data after a ransomware outage becomes a sprint against the clock as the victim tries its best to contain and eradicate the ransomware and to restore business-critical operations. Since crypto-ransomware needs time to spread, attacks are frequently launched at night, when a successful attack is likely to go undetected for longer. This multiplies the difficulty of rapidly mobilizing and coordinating a capable mitigation team.

Progent provides a range of support services for protecting enterprises from crypto-ransomware events. Among these are user training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of the latest generation security gateways with AI capabilities from SentinelOne to discover and quarantine new threats quickly. Progent also can provide the assistance of expert ransomware recovery consultants with the track record and commitment to reconstruct a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Support Services
Paying the ransom demand in cryptocurrency soon after a ransomware event does not guarantee that the criminal gang will provide the keys to decrypt any or all of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their data even after sending off the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNet puts in the range of $13,000. The alternative is to set up from scratch the mission-critical components of your Information Technology environment. Without the availability of essential data backups, this calls for a wide complement of skills, professional team management, and the ability to work 24x7 until the task is complete.

For decades, Progent has provided certified expert IT services for companies in San Antonio and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have been awarded top industry certifications in key technologies like Microsoft, Cisco, VMware, and major distros of Linux. Progent's cyber security engineers have earned internationally renowned certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP application software. This breadth of expertise allows Progent to quickly identify critical systems, organize the surviving parts of your network following a ransomware event, and configure them into a functioning system.

Progent's recovery group deploys best-of-breed project management applications to orchestrate the sophisticated recovery process. Progent knows the importance of working swiftly and in concert with a customer's management and IT staff to prioritize tasks and to put essential services back online as soon as humanly possible.

Customer Case Study: A Successful Ransomware Intrusion Restoration
A client hired Progent after their organization was taken down by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state criminal gangs, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little or no room for operational disruption and is among the most lucrative incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer based in the Chicago metro area with about 500 workers. The Ryuk event had brought down all business operations and manufacturing capabilities. The majority of the client's system backups had been online at the time of the intrusion and were damaged. The client was actively seeking loans to pay the ransom demand (in excess of $200K) and praying for the best, but ultimately made the decision to use Progent.

"I can't say enough in regards to the care Progent provided us throughout the most fearful period of (our) company's life. We would have paid the cyber criminals behind the attack if not for the confidence the Progent team provided us. That you were able to get our messaging and critical applications back into operation sooner than 1 week was beyond my wildest dreams. Each staff member I worked with or messaged at Progent was amazingly focused on getting us back on-line and was working 24 by 7 on our behalf."

Progent worked hand in hand with the customer to rapidly identify and prioritize the critical applications that had to be restored to make it possible to restart departmental operations:

  • Microsoft Active Directory
  • Electronic Mail
  • Accounting/MRP

To start, Progent followed industry best practices for incident response by stopping lateral movement and cleaning up compromised systems. Progent then started the process of recovering Microsoft Active Directory, the heart of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange messaging will not function without Windows AD, and the customer's accounting and MRP software ran on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the databases.

In less than 48 hours, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then performed reinstallations and storage recovery of critical servers. All Exchange Server schema and attributes were usable, which accelerated the restoration of Exchange. Progent was also able to locate non-encrypted OST data files (Outlook Off-Line Folder Files) on various workstations to recover email data. A reasonably recent offline backup of the customer's financials/MRP systems made it possible to bring these vital applications back online for users. Although a large amount of work remained to recover fully from the Ryuk event, core systems were recovered quickly:


"For the most part, the assembly line operation ran fairly normal throughout and we delivered all customer deliverables."
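The recovery narrative above hinges on one triage step that is easy to do badly under time pressure: deciding which Outlook OST/PST files on workstations are still intact and worth harvesting, and which have already been encrypted. As an added defensive example (not Progent's tooling and not part of the original case study), the following Python script walks a directory tree, picks out files whose names contain `.ost` or `.pst` (so renamed-but-encrypted copies are still reported), and classifies each one using the 4-byte `!BDN` header magic that valid PST/OST files carry per Microsoft's MS-PST format, falling back to a Shannon-entropy check to flag headerless, near-random data as likely ciphertext. The entropy threshold, the filename matching, the `demo_scan` temp-directory harness, and all sample file contents are assumptions constructed for this example.

```python
"""OST/PST triage after a ransomware event: which mailbox files are still intact?

Added example, not Progent's code. Assumptions:
  - intact PST/OST files start with the magic bytes b"!BDN" (MS-PST dwMagic);
  - a file without the magic whose leading block has near-maximal Shannon
    entropy is reported as likely encrypted (ENTROPY_THRESHOLD is a heuristic);
  - any filename containing ".ost" or ".pst" is a candidate, so that renamed
    encrypted copies (e.g. "outlook.ost.locked") are still listed for review.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

PST_MAGIC = b"!BDN"        # header magic of every valid PST/OST file
SAMPLE_BYTES = 4096        # how much of each file to read for classification
ENTROPY_THRESHOLD = 7.5    # bits per byte; constructed cutoff for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_blob(data: bytes) -> str:
    """Classify the leading bytes of a candidate OST/PST file.

    Returns "intact" (magic present), "likely-encrypted" (no magic, high
    entropy) or "unknown" (no magic, low entropy: truncated, zeroed, or not
    really a mailbox file).
    """
    if data.startswith(PST_MAGIC):
        return "intact"
    if shannon_entropy(data[:SAMPLE_BYTES]) >= ENTROPY_THRESHOLD:
        return "likely-encrypted"
    return "unknown"


def scan_tree(root) -> dict:
    """Map each candidate mailbox file under `root` (path relative to root,
    POSIX separators) to its classification; unreadable files are reported
    rather than skipped so the triage list stays complete."""
    root = Path(root)
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if ".ost" not in lower and ".pst" not in lower:
                continue
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError as exc:
                results[rel] = f"unreadable: {exc.__class__.__name__}"
                continue
            results[rel] = classify_blob(head)
    return results


def constructed_samples() -> dict:
    """Constructed sample file contents (no real mailbox data)."""
    intact = PST_MAGIC + b"\x00" * (SAMPLE_BYTES - len(PST_MAGIC))
    # Deterministic pseudo-random bytes stand in for ciphertext: a SHA-256
    # chain gives ~8 bits/byte of entropy without needing os.urandom().
    chunks, seed = [], b"constructed-seed"
    while sum(len(c) for c in chunks) < SAMPLE_BYTES:
        seed = hashlib.sha256(seed).digest()
        chunks.append(seed)
    encrypted = b"".join(chunks)[:SAMPLE_BYTES]
    return {
        "user1/outlook.ost": intact,
        "user1/outlook.ost.locked": encrypted,
        "user2/archive.pst": b"This is not a mailbox file.\n" * 100,
        "user2/notes.txt": b"ignored: name has no .ost/.pst",
    }


def demo_scan() -> dict:
    """Write the constructed samples into a temp tree, scan it, clean up."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    try:
        for rel, content in constructed_samples().items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel_path, verdict in sorted(demo_scan().items()):
        print(f"{verdict:18} {rel_path}")
```

In a real engagement you would point `scan_tree` at a mounted, read-only copy of each workstation's profile directory rather than at the temp tree `demo_scan` builds; reading only the first 4 KB keeps the sweep fast across hundreds of machines, and the magic check is reliable because ransomware that encrypts a file overwrites its header along with the rest. Treat "likely-encrypted" and "unknown" as review queues, not final verdicts.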

Over the next couple of weeks, critical milestones in the restoration project were achieved through close collaboration between Progent consultants and the client:

  • In-house web applications were returned to operation without losing any data.
  • The MailStore Server, holding more than 4 million historical emails, was brought online and made available to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory modules were fully recovered.
  • A new Palo Alto 850 firewall was installed and configured.
  • 90% of the desktops and laptops were back in use by staff.

"A huge amount of what transpired during the initial response is nearly entirely a blur for me, but my team will not forget the countless hours each of the team accomplished to give us our business back. I've been working together with Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This time was a testament to your capabilities."

Conclusion
A probable business extinction catastrophe was averted thanks to top-tier experts, a wide array of subject matter expertise, and close collaboration. Although post-incident forensics showed that the crypto-ransomware intrusion detailed here could have been stopped with advanced cyber security technology, ISO/IEC 27001 best practices, user education, and well thought out incident response procedures including backup and patching controls, the fact is that state-sponsored cybercriminals from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incursion, you can be confident that Progent's team of professionals has substantial experience in ransomware defense, cleanup, and data disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for making it so I could get rested after we made it past the first week. All of you did a fabulous job, and if any of you guys are visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in San Antonio a range of online monitoring and security evaluation services to help you minimize your exposure to crypto-ransomware. These services incorporate modern artificial intelligence technology to uncover zero-day variants of crypto-ransomware that can get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's cutting-edge behavior-based analysis tools to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which routinely get by traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to automate the entire threat lifecycle including filtering, detection, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge tools packaged within a single agent managed from a single console. Progent's data protection and virtualization experts can help you plan and configure a ProSight ESP deployment that addresses your company's unique needs and that helps you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate attention. Progent can also help you install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with leading backup technology providers to produce ProSight Data Protection Services (DPS), a selection of management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and track your backup operations and allow non-disruptive backup and rapid recovery of vital files, apps, images, and VMs. ProSight DPS lets you protect against data loss caused by equipment breakdown, natural calamities, fire, cyber attacks like ransomware, human mistakes, malicious employees, or software bugs. Managed backup services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you determine which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver centralized management and comprehensive security for your inbound and outbound email. The powerful structure of Progent's Email Guard integrates cloud-based filtering with a local gateway appliance to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most unwanted email from reaching your network firewall. This reduces your exposure to inbound attacks and saves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper level of inspection for inbound email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also help Microsoft Exchange Server track and safeguard internal email that originates and ends inside your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map, monitor, enhance and troubleshoot their connectivity appliances like routers and switches, firewalls, and load balancers as well as servers, printers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are always current, captures and displays the configuration information of almost all devices on your network, tracks performance, and sends notices when issues are detected. By automating tedious management and troubleshooting processes, WAN Watch can cut hours off ordinary chores such as making network diagrams, expanding your network, finding devices that need critical updates, or isolating performance issues. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your network running efficiently by tracking the state of critical assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT staff and your Progent consultant so any looming problems can be resolved before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect information about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as 50% of the time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates next generation behavior analysis technology to guard endpoints, servers and VMs against new malware attacks like ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. Progent ASM services protect local and cloud resources and provide a unified platform to address the complete threat lifecycle including blocking, infiltration detection, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Help Center: Help Desk Managed Services
    Progent's Call Desk services permit your IT staff to offload Call Center services to Progent or divide activity for Help Desk services transparently between your in-house support staff and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Shared Help Desk Service provides a transparent supplement to your internal IT support resources. End user interaction with the Help Desk, provision of support services, escalation, ticket generation and updates, performance measurement, and management of the support database are consistent regardless of whether incidents are resolved by your core network support staff, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Help Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of all sizes a versatile and affordable solution for assessing, testing, scheduling, applying, and tracking software and firmware updates to your dynamic IT system. Besides optimizing the security and reliability of your IT network, Progent's patch management services free up time for your in-house IT staff to focus on line-of-business projects and activities that deliver the highest business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity confirmation with iOS, Android, and other out-of-band devices. With Duo 2FA, when you sign into a secured application and enter your password, you are asked to verify your identity on a device that only you have and that uses a different ("out-of-band") network channel. A wide range of devices can be used for this added form of ID validation, such as an iPhone, Android or wearable device, a hardware/software token, or a landline telephone. You may register several verification devices. To learn more about ProSight Duo two-factor identity validation services, go to Duo MFA two-factor authentication (2FA) services for access security.

For 24/7/365 San Antonio CryptoLocker Recovery Consulting, contact Progent at 800-462-8800 or go to Contact Progent.