Crypto-Ransomware : Your Feared Information Technology Nightmare
Ransomware Remediation Experts
Ransomware has become a too-frequent cyber pandemic that presents an extinction-level threat for organizations poorly prepared for an assault. Versions of ransomware like the CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for many years and continue to cause damage. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus frequent as yet unnamed malware, not only encrypt critical online data but also compromise many configured system restore points and backups. Data synched to off-site disaster recovery sites can also be encrypted. In a vulnerable environment, this can render any recovery impossible and effectively knocks the network back to square one.

Getting applications and data back online following a ransomware outage becomes a sprint against time as the targeted business tries its best to stop lateral movement, clear the malware, and restore mission-critical operations. Because ransomware takes time to spread, attacks are often sprung during nights and weekends, when a successful attack is likely to take longer to detect. This multiplies the difficulty of quickly assembling and organizing a knowledgeable mitigation team.

Progent offers a range of support services for securing enterprises from ransomware attacks. Among these are team member education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of the latest generation security solutions with AI capabilities from SentinelOne to identify and disable zero-day cyber attacks automatically. Progent also offers the services of expert crypto-ransomware recovery consultants with the track record and perseverance to rebuild a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Restoration Help
Subsequent to a ransomware attack, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the cyber criminals will respond with the keys needed to decrypt any of your files. Kaspersky Labs determined that 17% of ransomware victims never restored their data even after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET estimates to be around $13,000. The other path is to re-install the essential parts of your Information Technology environment. Without access to full data backups, this calls for a wide complement of skill sets, top-notch project management, and the capability to work non-stop until the job is over.

For twenty years, Progent has provided professional Information Technology services for businesses in Phoenix and across the U.S. and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have attained high-level certifications in foundation technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have garnered internationally renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent in addition has experience in accounting and ERP software solutions. This breadth of expertise gives Progent the skills to efficiently identify the necessary systems, re-organize the remaining components of your network following a crypto-ransomware attack, and rebuild them into an operational system.

Progent's ransomware group uses state-of-the-art project management systems to orchestrate the sophisticated restoration process. Progent knows the urgency of acting quickly and works together with a customer's management and IT staff to assign priority to tasks and to get critical services back online as fast as humanly possible.

Client Case Study: A Successful Ransomware Attack Restoration
A business engaged Progent after their organization was taken over by Ryuk ransomware. Ryuk is thought to have been developed by North Korean state cybercriminals, suspected of using approaches leaked from the United States National Security Agency. Ryuk goes after specific companies with little room for operational disruption and is among the most profitable iterations of ransomware malware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in Chicago with about 500 employees. The Ryuk event had shut down all business operations and manufacturing capabilities. Most of the client's backups were online at the beginning of the intrusion and were destroyed. The client was pursuing financing to pay the ransom demand (exceeding $200,000) and hoping for good luck, but in the end made the decision to use Progent.

"I can't speak enough about the help Progent gave us throughout the most critical period of (our) business's life. We most likely would have paid the cybercriminals except for the confidence the Progent group afforded us. That you were able to get our e-mail and important servers back quicker than 1 week was something I thought impossible. Every single consultant I talked with or messaged at Progent was urgently focused on getting us back on-line and was working at breakneck pace on our behalf."

Progent worked hand in hand with the customer to rapidly identify and assign priority to the mission-critical services that had to be restored to make it possible to resume departmental operations:

  • Active Directory (AD)
  • Email
  • Financials/MRP

To begin, Progent adhered to ransomware incident response best practices by halting lateral movement and disinfecting systems. Progent then initiated the work of bringing Microsoft Active Directory back online, the key technology of enterprise networks built on Microsoft Windows. Microsoft Exchange email will not operate without AD, and the customer's financials and MRP software utilized Microsoft SQL Server, which depends on Active Directory for authenticating access to the database.

Within 48 hours, Progent was able to recover Windows Active Directory to its pre-attack state. Progent then assisted with setup and hard drive recovery on mission-critical systems. All Exchange data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to use the local OST files (Outlook Offline Folder Files) on staff desktop computers to recover mail messages. A recent offline backup of the client's financials/MRP software made it possible to bring these vital services back online. Although major work remained to recover totally from the Ryuk damage, core systems were returned to operation quickly:

"For the most part, the production manufacturing operation did not miss a beat and we did not miss any customer sales."

During the following couple of weeks, critical milestones in the recovery project were accomplished through close collaboration between Progent engineers and the customer:

  • Internal web applications were restored with no loss of information.
  • The MailStore email archive for Microsoft Exchange Server, holding more than four million historical emails, was restored to operation and made available to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory Control capabilities were 100% restored.
  • A new Palo Alto 850 firewall was installed and configured.
  • Ninety percent of the user desktops were back into operation.

"So much of what occurred those first few days is mostly a blur for me, but my management will not forget the commitment each and every one of the team put in to help get our company back. I have trusted Progent for the past ten years, maybe more, and every time Progent has outperformed my expectations and delivered. This time was the most impressive ever."

Conclusion
A possible business-killing disaster was avoided through the efforts of results-oriented professionals, a wide range of IT skills, and tight teamwork. Although in retrospect the crypto-ransomware incident detailed here would have been identified and prevented with current security systems and security best practices, team training, and well-designed procedures for backup and for keeping systems up to date with security patches, the reality remains that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and will keep attacking. If you do fall victim to ransomware, remember that Progent's team of professionals has proven experience in ransomware defense, mitigation, and file restoration.

"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for making it so I could get some sleep after we got through the first week. Everyone did an incredible job, and if any of your team is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Phoenix a variety of online monitoring and security evaluation services to help you minimize your vulnerability to ransomware. These services utilize next-generation machine learning capability to detect new strains of ransomware that are able to escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's cutting-edge behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely get by traditional signature-based anti-virus tools. ProSight ASM safeguards on-premises and cloud-based resources and offers a unified platform to automate the entire threat lifecycle, including filtering, infiltration detection, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection services offer economical in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device control, and web filtering via cutting-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization experts can help your business plan and configure a ProSight ESP deployment that addresses your company's unique needs and that allows you to prove compliance with legal and industry information protection regulations. Progent will assist you in defining and configuring the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent's consultants can also help you to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with leading backup software companies to produce ProSight Data Protection Services, a selection of management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and track your data backup processes and enable transparent backup and rapid restoration of critical files, applications, images, and VMs. ProSight DPS lets your business recover from data loss resulting from hardware breakdown, natural calamities, fire, malware like ransomware, human mistakes, ill-intentioned insiders, or software glitches. Managed services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top information security companies to deliver centralized management and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and keeps most unwanted email from making it to your security perimeter. This reduces your vulnerability to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway device adds a further layer of inspection for incoming email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The local security gateway can also help Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map, track, reconfigure and debug their networking hardware such as routers and switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are always updated, copies and manages the configuration information of almost all devices connected to your network, monitors performance, and sends notices when potential issues are discovered. By automating complex management processes, ProSight WAN Watch can cut hours off ordinary chores like making network diagrams, reconfiguring your network, finding devices that need important updates, or resolving performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your network running efficiently by checking the state of critical assets that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT staff and your Progent consultant so any looming problems can be resolved before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Because the system is virtualized, it can be ported immediately to a different hosting environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect information related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save up to half the time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents required for managing your network infrastructure, like standard operating procedures (SOPs) and how-tos. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that incorporates cutting-edge behavioral machine learning technology to guard endpoints as well as servers and VMs against new malware assaults like ransomware and email phishing, which routinely escape traditional signature-matching AV tools. Progent's Active Security Monitoring service protects local and cloud-based resources and offers a unified platform to automate the complete threat lifecycle, including protection, identification, containment, cleanup, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Call Center: Help Desk Managed Services
    Progent's Help Desk managed services allow your information technology staff to outsource Call Center services to Progent or split responsibilities for Help Desk services seamlessly between your internal support staff and Progent's extensive roster of certified IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a smooth extension of your internal network support resources. User interaction with the Service Desk, delivery of technical assistance, escalation, ticket generation and tracking, performance measurement, and maintenance of the support database are cohesive regardless of whether issues are taken care of by your core network support resources, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide organizations of any size a versatile and affordable solution for assessing, validating, scheduling, applying, and documenting updates to your ever-evolving IT network. In addition to optimizing the protection and functionality of your IT environment, Progent's patch management services allow your IT staff to concentrate on line-of-business projects and tasks that deliver the highest business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to protect against password theft by using two-factor authentication. Duo supports single-tap identity verification on Apple iOS, Android, and other personal devices. Using Duo 2FA, when you sign into a protected online account and enter your password, you are asked to confirm who you are on a device that only you have and that uses a different network channel. A broad selection of devices can be utilized for this second means of ID validation, such as an iPhone, Android phone or wearable, a hardware token, a landline telephone, etc. You can designate several validation devices. For more information about Duo two-factor identity validation services, see Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time reporting utilities designed to work with the industry's top ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues like spotty support follow-up or machines with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.

For Phoenix 24/7 CryptoLocker Recovery Services, call Progent at 800-462-8800 or go to Contact Progent.