Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware Recovery Experts
Ransomware has become a modern cyber plague that presents an existential danger to businesses of all sizes that are poorly prepared for an attack. Older crypto-ransomware families such as CrySIS, Fusob, Locky, NotPetya and MongoLock have been around for years and still cause damage. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with as yet unnamed malware, not only encrypt online data files but also hunt down and destroy every system restore point and backup they can reach. Data replicated to the cloud can be held hostage as well. On a vulnerable network this renders restore operations useless and effectively sets the entire environment back to zero.
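The destruction of restore points and backups described above is usually done with a handful of built-in Windows commands run minutes before encryption starts, which makes it one of the most reliable early-warning signals a defender has. The detector below is an added example, not Progent code or any ProSight product logic. It runs over a constructed, simplified rendering of Sysmon Event ID 1 (process creation) records in the form `timestamp|host|user|parent_image|command_line`; the field layout, the sample host names and the `SAMPLE_EVENTS` lines are all assumptions made for the example, while the command patterns are the well-known MITRE ATT&CK T1490 (Inhibit System Recovery) techniques.

```python
"""Flag process launches that disable Windows recovery (MITRE ATT&CK T1490).

Added example, not Progent code. Input is a constructed, simplified rendering
of Sysmon Event ID 1 (process creation) records as
'timestamp|host|user|parent_image|command_line'. Real deployments would pull
these from an EDR or SIEM; the patterns below cover the commands ransomware
families commonly run before encrypting so that shadow copies, the backup
catalog and Windows startup repair cannot be used for recovery.
"""
import re
from collections import Counter
from dataclasses import dataclass

# (rule name, regex applied to the lower-cased command line)
RULES = [
    ("vssadmin_delete_shadows",  re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_storage",  re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",   re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("wmi_shadowcopy_delete",    re.compile(r"win32_shadowcopy.*\b(delete|remove)\b")),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
    ("wbadmin_delete_catalog",   re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b")),
]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_record(line: str):
    """Split one record; maxsplit=4 keeps '|' inside PowerShell pipelines intact."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmd = (p.strip() for p in parts)
    return {"timestamp": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def match_rules(command_line: str) -> list:
    """Names of every rule whose pattern appears in the command line."""
    lowered = command_line.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def scan(lines) -> list:
    """Turn raw records into Alert objects, one per (record, matching rule)."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for rule in match_rules(rec["cmd"]):
            alerts.append(Alert(rec["timestamp"], rec["host"], rec["user"], rule, rec["cmd"]))
    return alerts


def hosts_by_alert_count(alerts) -> dict:
    """Several distinct rules firing on one host within minutes is the signature
    of ransomware staging rather than an administrator's one-off command."""
    return dict(Counter(a.host for a in alerts))


# Constructed sample records (assumed host and user names). The burst from
# FS01 at 02:13 mimics a typical pre-encryption batch script; the 'list'
# command and the svchost launch are benign and must not fire.
SAMPLE_EVENTS = [
    "2024-03-14T02:11:05Z|FS01|CORP\\svc_backup|C:\\Windows\\explorer.exe|vssadmin list shadows",
    "2024-03-14T02:13:40Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "2024-03-14T02:13:41Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wmic shadowcopy delete",
    "2024-03-14T02:13:42Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|bcdedit /set {default} recoveryenabled No",
    "2024-03-14T02:13:43Z|FS01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wbadmin delete catalog -quiet",
    "2024-03-14T02:14:00Z|DC01|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\services.exe|C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "2024-03-14T02:15:10Z|WS22|CORP\\jdoe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.host} {a.user} {a.rule}: {a.command_line}")
    print(hosts_by_alert_count(scan(SAMPLE_EVENTS)))
```

In practice the `vssadmin_resize_storage` rule is the noisy one, because legitimate backup agents resize shadow storage; filter it on the parent image or the service account before paging anyone. The other five rules are almost never run by hand on a file server in the middle of the night, and four of them firing on one host inside a few seconds, as in the sample, should trigger immediate isolation of that host rather than a ticket.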

Restoring services and data after a crypto-ransomware attack is a race against time as the victim scrambles to contain the intrusion, eradicate the malware, and bring business-critical activity back. Because the attackers need time to move laterally before triggering encryption, the encryption phase is often launched at night, when it takes longer to notice. This multiplies the difficulty of quickly assembling and organizing a qualified response team.

Progent offers a range of services for protecting businesses from ransomware incidents. These include user training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of latest-generation endpoint protection built on SentinelOne's behavior-based AI technology to detect and stop new threats automatically. Progent also provides veteran ransomware recovery professionals with the skills and commitment to rebuild a compromised network as quickly as possible.

Progent's Ransomware Recovery Help
After a crypto-ransomware penetration, paying the ransom in cryptocurrency provides no assurance that the criminals will respond with the keys needed to decrypt all your data. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly run to a few hundred thousand dollars; for larger enterprises the demand can reach millions. The alternative is to rebuild the mission-critical components of your IT environment from scratch. Without complete system backups, this requires a broad complement of skills, professional project management, and the willingness to work around the clock until the recovery is complete.

For two decades, Progent has provided professional IT services to companies across the United States and holds Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers with high-level certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity experts hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications.) Progent also has experience with financial systems and ERP software. This breadth of expertise lets Progent rapidly identify critical systems, salvage the remaining components of your IT environment after a crypto-ransomware attack, and reassemble them into a functioning network.

Progent's ransomware team uses professional project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and of working with the client's management and IT staff to prioritize tasks and get essential services back online as soon as possible.

Client Story: A Successful Ransomware Incident Response
A small business engaged Progent after its network was attacked by Ryuk ransomware. Ryuk was initially linked to North Korean state-sponsored groups because it shares code with the earlier Hermes ransomware; later analysis attributed it to a Russian-speaking criminal group. Ryuk targets specific organizations that have little tolerance for operational disruption and is among the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a manufacturing company in the Chicago metro area with about 500 employees. The Ryuk attack had shut down all essential business and manufacturing operations. Most of the client's backups had been online when the attack began and were destroyed along with the production data. The client was preparing to pay the ransom (in excess of two hundred thousand dollars) and hoping for the best, but in the end called Progent.


"I can't thank you enough for the support Progent provided us during the most fearful period of (our) business's life. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent group gave us. That you were able to get our e-mail system and production servers back online in less than five days was something I thought impossible. Every single person I worked with or texted at Progent was laser focused on getting my company operational and was working at breakneck pace to bail us out."

Progent worked with the customer to quickly identify and prioritize the essential services that had to be restored to continue business operations:

  • Microsoft Active Directory
  • Exchange Server
  • Accounting/MRP
To begin, Progent followed incident response best practices for malware events: isolating infected systems to stop lateral movement, then eradicating the malware from them. Progent then began rebuilding Microsoft Active Directory, the core of networks built on Microsoft technology. Exchange email will not operate without AD, and the company's accounting and MRP software ran on SQL Server, which relied on Active Directory for authentication and authorization to the data.

Within two days, Progent had recovered Active Directory to its pre-attack state. Progent then completed rebuilding the most important systems and recovering their disks. All Exchange schema extensions and attributes were intact in AD, which accelerated the rebuild of Exchange. Progent was able to collect unencrypted OST files (Outlook offline data files) from staff desktops and laptops and use them to recover email messages. A reasonably recent backup of the client's manufacturing software had been kept offline, so it survived the attack and allowed these essential applications to be returned to users. Although a large amount of work remained to recover completely from the Ryuk damage, critical systems were back quickly:
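The recovery above turned on one fact: the only backup the attackers could not reach was the one kept offline. An offline copy is only useful if you can tell, before you restore from it, that it was not silently encrypted or tampered with while it was still connected. The check below is an added example, not Progent's or ProSight DPS code. It compares a backup set against a SHA-256 manifest that is assumed to have been written at backup time and stored on a separate read-only medium, and it classifies any changed file as plainly modified or probably encrypted using two signals together: Shannon entropy close to 8 bits per byte and a header that no longer fits the extension. The file names, contents, the `.locked` extension and the ransom-note name are all constructed for the example; the entropy threshold is an assumed tuning value.

```python
"""Verify an offline backup set against a manifest and spot encrypted files.

Added example, not code from Progent or the case study. Two signals:
  1. each file is hashed and compared with a SHA-256 manifest written when
     the backup was taken and kept on a separate read-only medium (here the
     manifest is built inline from constructed files);
  2. a modified file whose bytes look random (Shannon entropy near 8 bits
     per byte) and whose header no longer fits its extension is reported as
     probably encrypted, because ransomware output is indistinguishable from
     random data while documents, databases and text are not.
"""
import hashlib
import math
import os
import random
import tempfile
from collections import Counter

# Headers for a few formats a backup set commonly holds (constructed subset).
MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}
# Formats with no fixed header that should still be mostly printable text.
TEXT_EXTS = {".sql", ".txt", ".csv", ".log"}
# Assumed tuning value. Compressed data also sits near 8.0, which is why the
# header check is required as well before calling something encrypted.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_matches(name: str, data: bytes) -> bool:
    """True when the leading bytes are consistent with the file's extension."""
    ext = os.path.splitext(name)[1].lower()
    if ext in MAGIC:
        return data.startswith(MAGIC[ext])
    if ext in TEXT_EXTS:
        sample = data[:512]
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
        return printable >= 0.9 * len(sample)
    return False  # unknown extension: rely on entropy alone


def looks_encrypted(name: str, data: bytes) -> bool:
    return shannon_entropy(data) >= ENTROPY_THRESHOLD and not header_matches(name, data)


def build_manifest(root: str) -> dict:
    """Relative path -> SHA-256 hex digest for every file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def verify_backup(root: str, manifest: dict) -> dict:
    """Relative path -> one of: ok, modified, modified-encrypted, missing, unexpected."""
    results = {}
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
            continue
        with open(full, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() == digest:
            results[rel] = "ok"
        else:
            results[rel] = "modified-encrypted" if looks_encrypted(rel, data) else "modified"
    # Anything on disk the manifest never listed: renamed victims, ransom notes.
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            results.setdefault(rel, "unexpected")
    return results


def run_demo() -> dict:
    """Build a constructed backup set, take its manifest, then simulate an attack."""
    rng = random.Random(2019)                      # seeded so the demo is repeatable
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    with tempfile.TemporaryDirectory() as root:
        files = {
            "payroll.pdf":  b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40,
            "finance.sql":  b"INSERT INTO invoices VALUES (1, 'ACME', 1200.00);\n" * 50,
            "drawings.zip": b"PK\x03\x04" + noise(4096),   # high-entropy but keeps its header
            "ledger.bak":   b"\x01\x00" + b"LEDGER" * 300,
        }
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        manifest = build_manifest(root)             # would be stored offline at backup time

        # Simulated ransomware (constructed): overwrite one file in place, rename
        # another with a new extension, drop a ransom note, leave one untouched,
        # and make one benign non-encrypting change for contrast.
        with open(os.path.join(root, "drawings.zip"), "wb") as f:
            f.write(noise(4096))
        os.remove(os.path.join(root, "finance.sql"))
        with open(os.path.join(root, "finance.sql.locked"), "wb") as f:
            f.write(noise(2400))
        with open(os.path.join(root, "README_FOR_DECRYPT.txt"), "wb") as f:
            f.write(b"Your files are encrypted. Contact us for the key.\n")
        with open(os.path.join(root, "ledger.bak"), "ab") as f:
            f.write(b"LEDGER")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for path, status in sorted(run_demo().items()):
        print(f"{status:19s} {path}")
```

The manifest is the part that matters: entropy alone cannot distinguish a ransomware-encrypted archive from a healthy compressed one, and a header check alone is fooled by families that leave the first bytes intact, but neither can forge a digest the attacker never had access to. Run this from a clean host against the backup medium before the first restore, and treat any `modified-encrypted` or `unexpected` result as proof that the copy was reachable during the attack and must not be trusted for recovery.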


"For the most part, the manufacturing operation never missed a beat and we produced all customer sales."

During the following weeks, important milestones in the restoration were reached in close collaboration between Progent and the client:

  • In-house web sites were brought back up without any loss of data.
  • The MailStore Server archive of more than 4 million historical emails was brought online and made accessible to users.
  • CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory control functions were fully operational.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Most user desktops and notebooks were fully operational.

"So much of what occurred that first week is mostly a haze for me, but my management will not forget the countless hours each of you put in to help get our business back. I've utilized Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered. This event was a testament to your capabilities."

Conclusion
A probable business disaster was averted through hard-working experts, a broad spectrum of technical expertise, and tight collaboration. In hindsight, the attack described here should have been stopped by modern security tooling and best practices: user and IT administrator education, well-thought-out procedures for isolating backups from the production network, and keeping systems current with security patches. The reality is that state-sponsored and criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and will keep coming. If you do fall victim to crypto-ransomware, be assured that Progent's professionals have extensive experience in ransomware blocking, mitigation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for letting me get some sleep after we got over the first week. All of you made a fabulous effort, and if anyone who helped is in the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Jersey City a variety of online monitoring and security assessment services to help reduce exposure to ransomware. These services use modern machine learning to detect zero-day strains of crypto-ransomware that slip past traditional signature-based security tools.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses SentinelOne's next-generation behavior-based machine learning to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely evade traditional signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and offers a unified platform to automate the complete malware attack progression: blocking, identification, containment, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver ultra-affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, device control, and web filtering via leading-edge tools packaged within a single agent accessible from a unified control. Progent's data protection and virtualization experts can help your business to design and implement a ProSight ESP deployment that meets your company's specific needs and that helps you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will assist you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent action. Progent can also assist you to install and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup software providers to produce ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS products manage and monitor your data backup processes and allow non-disruptive backup and fast restoration of vital files/folders, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets you avoid data loss resulting from hardware failures, natural disasters, fire, malware such as ransomware, human error, malicious insiders, or software bugs. Managed backup services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security vendors to deliver centralized control and world-class security for your inbound and outbound email. The hybrid structure of Email Guard integrates cloud-based filtering with a local gateway appliance to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps most unwanted email from reaching your network firewall. This decreases your exposure to inbound attacks and saves bandwidth and storage. Email Guard's on-premises security gateway adds a deeper layer of analysis for inbound email. For outbound email, the on-premises gateway provides AV and anti-spam filtering, DLP, and email encryption. The local gateway can also help Microsoft Exchange Server monitor and safeguard internal email that stays inside your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to map out, track, reconfigure and troubleshoot their networking appliances such as routers, firewalls, and load balancers plus servers, endpoints and other devices. Using cutting-edge RMM technology, WAN Watch ensures that network diagrams are always updated, captures and manages the configuration of almost all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating time-consuming network management activities, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, locating devices that need important software patches, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by checking the health of vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT personnel and your Progent engineering consultant so any potential problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hardware environment without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard data related to your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as half of time spent looking for vital information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that uses next-generation behavior-based analysis to guard endpoint devices as well as physical and virtual servers against new malware attacks such as ransomware and fileless exploits, which routinely evade traditional signature-based AV tools. Active Defense Against Ransomware safeguards on-premises and cloud-based resources and offers a single platform to automate the entire threat lifecycle: protection, identification, containment, cleanup, and forensics. Top features include single-click rollback using Windows VSS and real-time network-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Center: Help Desk Managed Services
    Progent's Help Center managed services allow your information technology staff to outsource Call Center services to Progent or split activity for support services transparently between your in-house support staff and Progent's nationwide pool of IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a seamless supplement to your core support resources. User interaction with the Service Desk, delivery of technical assistance, escalation, ticket creation and updates, performance metrics, and management of the support database are cohesive whether incidents are resolved by your core network support group, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer organizations of all sizes a flexible and affordable alternative for assessing, testing, scheduling, implementing, and documenting updates to your ever-evolving information system. In addition to maximizing the protection and functionality of your IT environment, Progent's software/firmware update management services allow your IT team to focus on line-of-business projects and tasks that deliver maximum business value from your information network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication managed services incorporate Cisco's Duo technology to defend against compromised passwords by using two-factor authentication (2FA). Duo enables single-tap identity confirmation on iOS, Android, and other personal devices. With Duo 2FA, when you log into a protected account and enter your password, you are asked to confirm your identity on a device that only you possess and that uses a separate network channel. A broad range of devices can serve as this second factor, including a smartphone or wearable, a hardware or software token, or a landline phone, and you may designate multiple validation devices. To find out more about ProSight Duo two-factor identity validation services, refer to Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing suite of real-time and in-depth reporting plug-ins designed to work with the industry's top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.

For 24x7 crypto-ransomware cleanup services in Jersey City, reach out to Progent at 800-462-8800 or go to Contact Progent.