Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Crypto-Ransomware  Remediation ExpertsRansomware has become a modern cyberplague that presents an existential danger for organizations vulnerable to an attack. Different iterations of ransomware such as CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and still cause damage. Modern variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, as well as frequent unnamed malware, not only encrypt online data but also infect many configured system backup. Data synchronized to the cloud can also be rendered useless. In a vulnerable environment, this can make automatic restoration impossible and effectively knocks the datacenter back to zero.

Restoring programs and information following a ransomware event becomes a race against the clock as the victim struggles to contain the damage and remove the crypto-ransomware and to restore mission-critical operations. Because ransomware requires time to spread, penetrations are usually launched at night, when penetrations are likely to take longer to uncover. This multiplies the difficulty of quickly mobilizing and organizing a knowledgeable mitigation team.

Progent makes available an assortment of help services for protecting enterprises from crypto-ransomware attacks. Among these are user training to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of modern security appliances with artificial intelligence capabilities from SentinelOne to discover and extinguish new cyber attacks intelligently. Progent in addition provides the services of experienced crypto-ransomware recovery engineers with the talent and commitment to reconstruct a breached network as quickly as possible.

Progent's Crypto-Ransomware Recovery Help
After a ransomware penetration, paying the ransom demands in Bitcoin cryptocurrency does not provide any assurance that distant criminals will provide the keys to decipher any of your files. Kaspersky determined that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well higher than the typical ransomware demands, which ZDNET estimates to be approximately $13,000. The other path is to setup from scratch the vital elements of your IT environment. Without the availability of complete data backups, this requires a broad range of IT skills, well-coordinated team management, and the ability to work continuously until the task is over.

For two decades, Progent has offered certified expert Information Technology services for companies in Richmond and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded high-level certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally-recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise provides Progent the capability to rapidly ascertain critical systems and integrate the remaining parts of your network system after a crypto-ransomware attack and assemble them into an operational network.

Progent's recovery group has powerful project management applications to coordinate the sophisticated restoration process. Progent appreciates the importance of acting rapidly and in unison with a client's management and IT staff to assign priority to tasks and to get essential services back on line as soon as possible.

Customer Case Study: A Successful Ransomware Virus Restoration
A business escalated to Progent after their company was taken over by Ryuk ransomware virus. Ryuk is thought to have been developed by North Korean state sponsored criminal gangs, suspected of using strategies exposed from the United States NSA organization. Ryuk goes after specific companies with limited tolerance for disruption and is among the most lucrative iterations of ransomware. Well Known organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with about 500 staff members. The Ryuk intrusion had shut down all essential operations and manufacturing processes. Most of the client's information backups had been directly accessible at the beginning of the attack and were eventually encrypted. The client was taking steps for paying the ransom demand (more than $200K) and wishfully thinking for the best, but in the end reached out to Progent.


"I cannot say enough about the help Progent provided us throughout the most critical time of (our) businesses survival. We would have paid the hackers behind this attack except for the confidence the Progent group gave us. The fact that you were able to get our e-mail and production servers back into operation sooner than one week was earth shattering. Each staff member I spoke to or texted at Progent was amazingly focused on getting us operational and was working all day and night to bail us out."

Progent worked together with the customer to rapidly understand and assign priority to the mission critical systems that had to be restored to make it possible to restart business functions:

  • Windows Active Directory
  • Email
  • MRP System
To start, Progent adhered to Anti-virus event response best practices by halting the spread and cleaning systems of viruses. Progent then began the process of bringing back online Microsoft AD, the foundation of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without AD, and the businesses' financials and MRP software used Microsoft SQL, which requires Active Directory for access to the data.

Within 48 hours, Progent was able to re-build Windows Active Directory to its pre-attack state. Progent then helped perform reinstallations and hard drive recovery of essential servers. All Exchange Server ties and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to locate intact OST files (Microsoft Outlook Off-Line Data Files) on user workstations and laptops to recover email messages. A not too old off-line backup of the client's financials/MRP software made it possible to recover these essential services back servicing users. Although a lot of work still had to be done to recover totally from the Ryuk damage, essential services were restored rapidly:


"For the most part, the production manufacturing operation did not miss a beat and we delivered all customer deliverables."

Over the next few weeks critical milestones in the restoration project were completed through close collaboration between Progent team members and the customer:

  • Self-hosted web sites were brought back up with no loss of information.
  • The MailStore Exchange Server containing more than four million historical messages was brought online and available for users.
  • CRM/Customer Orders/Invoices/AP/AR/Inventory capabilities were completely functional.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • Ninety percent of the user desktops were back into operation.

"A lot of what went on in the early hours is mostly a blur for me, but my team will not soon forget the urgency all of the team put in to give us our business back. I have been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This event was the most impressive ever."

Conclusion
A potential business disaster was dodged with dedicated experts, a broad array of knowledge, and close collaboration. Although upon completion of forensics the ransomware penetration detailed here should have been prevented with current cyber security technology solutions and ISO/IEC 27001 best practices, team education, and appropriate security procedures for information backup and keeping systems up to date with security patches, the fact remains that state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has proven experience in crypto-ransomware virus blocking, cleanup, and file restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for letting me get rested after we made it through the most critical parts. Everyone did an amazing effort, and if anyone that helped is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Richmond a range of online monitoring and security evaluation services to help you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation AI capability to uncover new variants of crypto-ransomware that are able to evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior-based machine learning tools to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily get by traditional signature-based anti-virus products. ProSight ASM safeguards local and cloud-based resources and provides a single platform to automate the entire malware attack lifecycle including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows VSS and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP provides firewall protection, penetration alarms, device management, and web filtering via leading-edge tools incorporated within one agent accessible from a single control. Progent's security and virtualization experts can assist you to design and implement a ProSight ESP environment that addresses your company's specific needs and that allows you demonstrate compliance with government and industry data protection standards. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent can also help you to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup software companies to produce ProSight Data Protection Services, a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS services manage and track your backup processes and allow non-disruptive backup and fast restoration of vital files, apps, images, and virtual machines. ProSight DPS lets you protect against data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, user mistakes, malicious employees, or application bugs. Managed services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security vendors to deliver centralized control and comprehensive security for all your email traffic. The hybrid architecture of Email Guard combines cloud-based filtering with an on-premises gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps the vast majority of unwanted email from making it to your network firewall. This reduces your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device provides a further layer of analysis for inbound email. For outbound email, the onsite gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, monitor, optimize and debug their networking hardware such as routers, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are kept current, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when problems are discovered. By automating tedious management and troubleshooting processes, WAN Watch can knock hours off ordinary chores such as making network diagrams, expanding your network, locating appliances that need critical software patches, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to keep your IT system operating efficiently by tracking the state of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT management staff and your assigned Progent consultant so any looming issues can be addressed before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host configured and managed by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hosting environment without requiring a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect information about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSLs or domains. By cleaning up and managing your network documentation, you can eliminate as much as half of time spent trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that utilizes next generation behavior-based machine learning technology to defend endpoints and servers and VMs against modern malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-matching AV tools. Progent Active Security Monitoring services protect local and cloud resources and provides a unified platform to address the complete malware attack lifecycle including blocking, identification, mitigation, remediation, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Center: Help Desk Managed Services
    Progent's Support Center managed services allow your IT group to offload Help Desk services to Progent or split activity for support services seamlessly between your in-house support team and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a seamless supplement to your internal IT support organization. Client access to the Help Desk, provision of technical assistance, issue escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the service database are cohesive regardless of whether issues are taken care of by your core network support staff, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management provide businesses of any size a versatile and affordable solution for evaluating, testing, scheduling, implementing, and documenting updates to your dynamic IT system. Besides optimizing the security and functionality of your IT network, Progent's patch management services permit your IT staff to focus on line-of-business initiatives and tasks that deliver the highest business value from your network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA managed services utilize Cisco's Duo technology to defend against compromised passwords by using two-factor authentication. Duo supports single-tap identity verification with iOS, Android, and other out-of-band devices. With Duo 2FA, when you log into a secured online account and enter your password you are requested to confirm who you are on a device that only you possess and that is accessed using a separate network channel. A broad selection of devices can be utilized for this added form of ID validation including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may designate several validation devices. For details about Duo identity validation services, see Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing suite of in-depth management reporting utilities created to integrate with the leading ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues like inconsistent support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24-7 Richmond Crypto Removal Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.