Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Ransomware Recovery Experts
Crypto-ransomware has become an escalating cyberplague and can be an extinction-level event for a business of any size that is exposed to it. Older families such as Dharma, Fusob, Bad Rabbit, Syskey and MongoLock have circulated for years and continue to do damage. More recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nefilim, plus a steady stream of as-yet-unnamed variants, not only encrypt online data files but also seek out and encrypt every backup they can reach. Data synchronized to cloud storage can be ransomed too, because the encrypted copies simply replicate upward. When the backup design leaves the backups reachable from the compromised network, automated restoration becomes hopeless and the organization is effectively set back to square one.

Getting programs and data back online after a crypto-ransomware attack is a race against time: the victim must stop the spread, eradicate the malware, and restore business-critical activity all at once. Because the operators need time to move laterally before triggering encryption, the encryption phase is often launched at night or over a weekend, when it takes longer to notice. That timing multiplies the difficulty of rapidly assembling and orchestrating a qualified response team.

Progent offers a range of services for protecting businesses from ransomware. These include user education to help staff recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation endpoint protection built on SentinelOne's behavioral machine learning to detect and contain zero-day attacks quickly. Progent can also provide expert ransomware recovery engineers with the skills and perseverance to restore a compromised network as rapidly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminals will deliver working decryption keys for any of your data. Kaspersky determined that 17% of ransomware victims who paid never recovered their data, compounding their losses. The gamble is also expensive: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical demand, which ZDNet estimates at around $13,000. The alternative is to rebuild the key parts of your IT environment. Without complete backups, that calls for a broad set of IT skills, strong project management, and the ability to work around the clock until the job is done.

For decades, Progent has provided professional IT services to businesses in Richmond and throughout the United States and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants with high-level industry certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security experts hold internationally recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise in financial systems and ERP applications. This breadth of expertise lets Progent identify critical systems, consolidate the surviving parts of your IT environment after a crypto-ransomware event, and reassemble them into a working network.

Progent's security team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of acting swiftly and in concert with the customer's management and IT staff to prioritize tasks and bring key systems back online as fast as possible.

Client Story: A Successful Ransomware Incident Restoration
A customer sought out Progent after their organization was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because its code resembles the earlier Hermes ransomware; later analysis attributes it to a financially motivated Russian-speaking criminal group. Ryuk targets specific organizations with little ability to tolerate disruption and is one of the most lucrative ransomware families. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago with about 500 employees. The Ryuk event had paralyzed all business operations and manufacturing capabilities. Most of the client's backups were online when the attack began and were encrypted along with the production data. The client considered paying the ransom (more than $200K) and hoping for the best, but ultimately called Progent.


"I cannot tell you enough in regards to the care Progent gave us throughout the most fearful period of (our) company's life. We had little choice but to pay the Hackers except for the confidence the Progent group gave us. That you could get our messaging and production applications back quicker than a week was incredible. Each staff member I spoke to or communicated with at Progent was amazingly focused on getting us working again and was working day and night on our behalf."

Progent worked with the client to rapidly identify and prioritize the critical areas that had to be restored before business functions could restart:

  • Microsoft Active Directory
  • Electronic Messaging
  • Accounting and Manufacturing Software
Progent first followed incident-response best practice: isolate affected systems to halt lateral movement, then remove the malware. Progent then began recovering Microsoft Active Directory, the foundation of any environment built on Windows Server. Exchange email cannot function without AD, and the business's financial and MRP applications ran on SQL Server, which relied on AD for authentication and access to the data.

Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then began reinstalling and recovering disks on the essential servers. The AD objects and attributes that Exchange depends on were intact, which greatly simplified the Exchange rebuild. Progent also located unencrypted OST files (Outlook Offline Data Files) on user PCs and laptops and used them to recover mail messages. A recent offline backup of the financials/MRP software made it possible to bring those essential applications back online. Although much work remained to recover fully from the Ryuk attack, the most important services were returned to operation quickly:


"For the most part, the production operation survived unscathed and we made all customer deliverables."
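The triage step described above, finding files that survived encryption before deciding what to rebuild, can be scripted. The block below is an added example and is not Progent's own tooling. It walks a directory, treats a recognized file signature (for instance the "!BDN" header of Outlook OST/PST files) as proof the file is intact, and otherwise uses an appended extension and the byte entropy of the file head as evidence that the file has been encrypted. The `.locked` suffix and the sample tree it builds are constructed assumptions for the example, not details from the incident.

```python
"""Post-incident file triage: separate files that still carry a valid signature
from files that look encrypted. Added example for this case study; not Progent's
tooling. The sample tree it builds is constructed test data."""
import math
import random
import tempfile
from pathlib import Path

# Leading byte signatures of formats the recovery effort cared about. "!BDN" is
# the header of Outlook OST/PST files; the others are common document containers.
MAGIC = {
    b"!BDN": "outlook-ost-pst",
    b"PK\x03\x04": "zip-or-office-openxml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-legacy-office",
    b"%PDF": "pdf",
}
HEAD_BYTES = 64 * 1024       # sample size read from the start of each file
ENCRYPTED_ENTROPY = 7.5      # bits per byte; ciphertext sits close to 8.0
# Assumption for this example: a suffix the ransomware appended to its victims.
SUSPECT_SUFFIXES = (".locked",)
# Original extensions worth reporting on, even if a suffix was appended.
WANTED = (".ost", ".pst", ".bak", ".docx", ".xlsx", ".pdf")


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path) -> dict:
    """Triage one file: a recognized signature wins; otherwise use the appended
    suffix and the entropy of the file head as evidence of encryption."""
    with path.open("rb") as fh:
        head = fh.read(HEAD_BYTES)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return {"path": path, "verdict": "intact", "kind": kind}
    entropy = round(shannon_entropy(head), 2)
    if path.suffix.lower() in SUSPECT_SUFFIXES or entropy >= ENCRYPTED_ENTROPY:
        return {"path": path, "verdict": "likely-encrypted", "entropy": entropy}
    return {"path": path, "verdict": "unknown", "entropy": entropy}


def triage_tree(root: Path) -> list:
    """Walk root and classify every file whose name contains a wanted extension."""
    records = []
    for p in root.rglob("*"):
        if p.is_file() and any(s.lower() in WANTED for s in p.suffixes):
            records.append(classify(p))
    return sorted(records, key=lambda r: (r["verdict"], str(r["path"])))


def summarize(records: list) -> dict:
    """Count verdicts so the team can see at a glance what survived."""
    totals = {}
    for r in records:
        totals[r["verdict"]] = totals.get(r["verdict"], 0) + 1
    return totals


def build_sample_tree() -> Path:
    """Create a throwaway tree (constructed data): one intact OST, one OST that
    was overwritten with 'ciphertext', and one intact Office document."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    (root / "alice").mkdir()
    (root / "bob").mkdir()
    intact_ost = b"!BDN" + b"\x00" * 508 + b"From: alice@example.test\r\n" * 200
    (root / "alice" / "mailbox.ost").write_bytes(intact_ost)
    rng = random.Random(2019)   # seeded so the 'ciphertext' is reproducible
    ciphertext = bytes(rng.getrandbits(8) for _ in range(16 * 1024))
    (root / "bob" / "mailbox.ost.locked").write_bytes(ciphertext)
    (root / "ledger.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 256)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rec in triage_tree(root):
        print(rec["verdict"], rec["path"].relative_to(root), rec.get("kind", rec.get("entropy")))
    print(summarize(triage_tree(root)))
```

Check the signature before the entropy: legitimately compressed formats (ZIP-based Office documents, PDFs with compressed streams, media files) also show high entropy, and some ransomware encrypts only the first part of each file, which still destroys the signature and is therefore caught. Copy candidate OST files off the endpoint before working on them; an OST is a cached copy of the mailbox, so recovering mail from an orphaned OST requires a conversion tool that this script does not provide.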

Over the following month, the remaining milestones of the restoration project were completed in close cooperation between Progent consultants and the customer:

  • Self-hosted web sites were restored with no loss of data.
  • The MailStore Server containing more than 4 million archived emails was brought online and accessible to users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivables/Inventory Control functions were completely operational.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • 90% of the user PCs were operational.

"So much of what happened in the initial days is mostly a blur for me, but our team will not soon forget the dedication all of the team put in to give us our company back. I have utilized Progent for the past ten years, maybe more, and each time Progent has come through and delivered. This event was a testament to your capabilities."

Conclusion
A likely business-ending disaster was averted through dedicated professionals, a wide range of subject matter expertise, and tight teamwork. In hindsight, the incident described here could have been prevented with up-to-date security technology and practices: user education, well-designed incident response procedures, backups kept offline or otherwise out of reach of a compromised network, and systems kept current with security patches. The reality, though, is that state-sponsored and criminal attackers operating from Russia, China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware attack, Progent's team has extensive experience in ransomware defense, cleanup, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thanks very much for making it so I could get some sleep after we made it over the most critical parts. All of you did an impressive effort, and if any of your guys is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Richmond a range of remote monitoring and security assessment services to help minimize your exposure to crypto-ransomware. These include next-generation behavior-based machine learning to detect new ransomware variants that evade legacy signature-based defenses.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses SentinelOne's next-generation behavioral machine learning to guard physical and virtual endpoints against modern malware such as ransomware and phishing payloads, which routinely escape legacy signature-based AV tools. ProSight ASM protects local and cloud-based resources and offers a single platform to manage the complete threat progression: protection, intrusion detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Progent is a certified SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and response to attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device control, and web filtering through leading-edge technologies incorporated within one agent and managed from a unified console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP deployment that addresses your organization's specific needs and helps you demonstrate compliance with government and industry information security standards. Progent will help you define and implement the policies that ProSight ESP enforces, monitor your IT environment, and react to alarms that call for immediate action. Progent's consultants can also help your company set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with leading backup software companies to produce ProSight Data Protection Services, a portfolio of managed plans that provide backup-as-a-service. ProSight DPS services automate and monitor your backup processes and enable transparent backup and fast restoration of vital files/folders, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss caused by hardware failures, natural disasters, fire, cyber attacks such as ransomware, user mistakes, malicious insiders, or software defects. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you determine which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading information security companies to deliver web-based control and comprehensive protection for your inbound and outbound email. The architecture of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway appliance to protect against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as the first barrier and keeps most unwanted email from reaching your security perimeter, which reduces your exposure to external threats and conserves bandwidth and storage. Email Guard's on-premises gateway appliance adds a further level of analysis for incoming email. For outgoing email, the local gateway provides AV and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Exchange Server monitor and safeguard internal email traffic that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller organizations to map, monitor, reconfigure and debug their networking appliances such as switches, firewalls, and access points as well as servers, endpoints and other networked devices. Built on current RMM technology, WAN Watch keeps infrastructure topology maps current, captures and displays the configuration of virtually all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating time-consuming network management activities, ProSight WAN Watch can take hours off routine chores like producing network diagrams, expanding your network, locating appliances that need important updates, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management technology to keep your IT system running efficiently by checking the health of the critical computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT management personnel and your assigned Progent engineering consultant so that potential issues can be resolved before they affect productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be ported easily to a different hosting environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By keeping your IT documentation current and organized, you can save as much as half the time spent searching for vital information about your network. ProSight IT Asset Management provides a centralized location for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures and how-to guides. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're making enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require as soon as you need it. Read more about the ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that uses next-generation behavior-based machine learning to guard endpoints as well as physical and virtual servers against modern malware attacks such as ransomware and phishing payloads, which routinely escape traditional signature-based AV tools. Progent's ASM services safeguard on-premises and cloud resources and provide a unified platform to manage the complete malware attack progression: blocking, intrusion detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Call Center: Support Desk Managed Services
    Progent's Support Center managed services allow your information technology staff to outsource Support Desk services to Progent or divide responsibilities for Help Desk services transparently between your internal network support staff and Progent's nationwide pool of IT support technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a transparent supplement to your corporate support group. Client access to the Service Desk, delivery of technical assistance, problem escalation, ticket creation and tracking, efficiency metrics, and management of the service database are consistent regardless of whether incidents are resolved by your corporate network support organization, by Progent's team, or both. Learn more about Progent's outsourced/shared Service Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management provide businesses of all sizes a versatile and affordable solution for evaluating, validating, scheduling, applying, and documenting updates to your ever-evolving IT network. In addition to optimizing the security and reliability of your IT environment, Progent's software/firmware update management services free up time for your in-house IT team to focus on line-of-business projects and activities that derive the highest business value from your network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to defend against compromised passwords through two-factor authentication. Duo enables single-tap identity confirmation on iOS, Android, and other out-of-band devices. With Duo 2FA, when you sign into a protected application and enter your password, you are asked to confirm your identity on a device that only you possess and that uses a separate network channel. A broad selection of devices can be used for this second factor, including an iPhone, Android phone or wearable, a hardware token, or a landline phone, and you can register several verification devices. For more information about Duo two-factor authentication services, refer to Duo MFA two-factor authentication services for access security.
For Richmond 24x7x365 Crypto-Ransomware Recovery Experts, call Progent at 800-462-8800 or go to Contact Progent.