Crypto-Ransomware: Your Feared Information Technology Catastrophe
Ransomware Remediation Professionals
Ransomware has become a modern cyberplague that poses an existential threat to businesses of any size that are poorly prepared for an attack. Long-running families such as CrySIS, CryptoWall, Locky, SamSam and MongoLock have been circulating for years and continue to inflict havoc. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, plus a steady stream of unnamed variants, not only encrypt the data files on the systems they reach but also seek out and destroy any backups reachable from the compromised network. Files synchronized to cloud storage are encrypted along with everything else, and the encrypted copies then propagate to the cloud. In a poorly designed environment this can make automated restoration impossible and effectively knocks the entire environment back to zero.

Recovering applications and data after a crypto-ransomware intrusion becomes a race against time as the victim fights to stop lateral movement, eradicate the ransomware, and resume business-critical activity. Because human-operated ransomware needs time to spread, the encryption phase is frequently launched on weekends and holidays, when a successful intrusion typically takes longer to notice. This compounds the difficulty of quickly assembling and organizing a qualified response team.

Progent offers a range of services for protecting organizations from ransomware intrusions. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for endpoint protection with remote monitoring and management, and deployment of modern security tools with machine learning technology from SentinelOne to identify and quarantine zero-day attacks quickly. Progent can also provide seasoned crypto-ransomware recovery consultants with the skill and perseverance to rebuild a breached environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a crypto-ransomware intrusion, paying the ransom in Bitcoin gives no assurance that the criminals will hand over the keys needed to decrypt all your data. Kaspersky Lab estimated that 17% of ransomware victims who paid never recovered their files, compounding their losses. Paying is also very costly: Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), well above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the key components of your IT environment from scratch. Without complete, uncompromised backups, this requires a wide range of skill sets, top-notch project management, and the willingness to work non-stop until the job is finished.

For twenty years, Progent has provided professional IT services for companies in Jersey City and across the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold top certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise in accounting and ERP software. This breadth of experience lets Progent quickly identify the critical systems, gather the surviving pieces of your network following a ransomware attack, and rebuild them into a working environment.

Progent's recovery group uses powerful project management tools to orchestrate the complex recovery process. Progent understands the importance of acting quickly and working alongside a client's management and IT staff to prioritize tasks and bring the most important systems back online as soon as possible.

Client Case Study: A Successful Ransomware Penetration Response
A business contacted Progent after its network was taken over by Ryuk ransomware. Ryuk was built from the Hermes ransomware, which had earlier been attributed to North Korean state-sponsored actors; later analysis attributed Ryuk's operators to a Russian-speaking criminal group, and the intrusions that precede Ryuk deployment have been reported to use exploits derived from tools leaked from the United States National Security Agency. Ryuk targets specific organizations that can tolerate little disruption and is one of the most profitable ransomware operations. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company located in Chicago with around 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing processes. Most of the client's system backups had been online at the start of the intrusion and were destroyed. The client was considering paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately decided to engage Progent.


"I can't thank you enough for the help Progent gave us throughout the most critical time of (our) business's survival. We most likely would have paid the hackers except for the confidence the Progent experts provided us. That you could get our e-mail system and important applications back online faster than seven days was beyond my wildest dreams. Each person I spoke to or e-mailed at Progent was amazingly focused on getting our company operational and was working non-stop to bail us out."

Progent worked with the client to rapidly assess and prioritize the most important elements that had to be recovered before business functions could resume:

  • Active Directory
  • E-Mail
  • Financials/MRP
To start, Progent followed ransomware incident response best practices by containing the intrusion, stopping lateral movement, and cleaning infected systems. Progent then began restoring Active Directory, the foundation of enterprise environments built on Microsoft Windows Server. Exchange cannot operate without AD, and the customer's financials and MRP applications ran on SQL Server, which relied on Active Directory to authenticate users and authorize access to the data.

In less than two days, Progent rebuilt Active Directory to its pre-intrusion state, then completed the rebuild and storage recovery of the other critical systems. The Exchange Server schema extensions and attributes in AD were intact, which made the Exchange restore much easier. Progent gathered local OST files (Outlook Offline Data Files) from workstations and laptops to recover mailbox contents. A recent offline backup of the financials/MRP systems allowed those essential applications to be restored to service. Although considerable work remained to recover fully from the Ryuk attack, the critical systems were restored quickly:


"For the most part, the production line operation ran fairly normally throughout and we made all customer orders."

Over the following few weeks, further milestones in the restoration project were reached in close collaboration between Progent's team and the customer:

  • In-house web applications were brought back up without losing any data.
  • The MailStore Server, holding more than 4 million archived emails, was brought online and made accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory Control capabilities were fully functional.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Most of the user desktops were fully operational.

"A huge amount of what happened during the initial response is mostly a blur for me, but my management will not soon forget the urgency each of your team put in to give us our business back. I've utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered. This time was no exception but maybe more Herculean."

Conclusion
A potential business catastrophe was averted by hard-working experts, a broad range of knowledge, and tight teamwork. Forensics later showed that the intrusion described here could have been detected and blocked with current security tools and best practices, user education, and properly executed procedures for data backup and software patching. Even so, state-sponsored and criminal cyber gangs operating from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware incident, remember that Progent's team has extensive experience in crypto-ransomware defense, cleanup, and information systems disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for letting me get some sleep after we got past the first week. All of you did an incredible effort, and if any of you guys are visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Jersey City a portfolio of online monitoring and security assessment services to help you minimize the threat from ransomware. These services include modern machine learning technology to detect new ransomware variants that can slip past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's next-generation, behavior-based machine learning technology to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus tools. ProSight ASM protects local and cloud-based resources and offers a single platform to automate the complete malware attack lifecycle: protection, intrusion detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS), which depends on the shadow copies surviving the attack, and automatic system-wide immunization against new threats. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection services offer affordable multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to cyber threats from all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through leading-edge technologies packaged in a single agent managed from a single console. Progent's data protection and virtualization experts can help your business design and configure a ProSight ESP deployment that addresses your organization's specific requirements and lets you demonstrate compliance with government and industry data security standards. Progent will help you specify and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent's consultants can also help you install and test a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with leading backup software vendors to create ProSight Data Protection Services, a family of offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup operations and provide transparent backup and rapid recovery of vital files, applications, images, and VMs. ProSight DPS helps you protect against data loss from hardware failures, natural disasters, fire, cyber attacks such as ransomware, human error, malicious insiders, or application faults. Managed services in the ProSight Data Protection Services line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading data security vendors to deliver web-based management and comprehensive protection for your email traffic. Email Guard's architecture combines cloud-based filtering with an on-premises security gateway appliance to provide layered defense against spam, viruses, denial of service (DoS) attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer acts as the first barrier and keeps most unwanted email from ever reaching your security perimeter, which reduces your exposure to external attacks and saves bandwidth and storage. Email Guard's on-premises security gateway adds a further level of inspection for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, data leakage protection, and email encryption. The on-premises gateway can also help Exchange Server track and safeguard internal email traffic that originates and terminates inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map, monitor, optimize and troubleshoot their network devices (routers, switches, firewalls, and access points) as well as servers, printers, endpoints and other equipment. Using Remote Monitoring and Management (RMM) technology, WAN Watch keeps infrastructure topology diagrams current, captures and displays the configuration of virtually every device on your network, monitors performance, and sends alerts when problems are detected. By automating tedious management tasks, WAN Watch can cut hours off common chores such as network mapping, expanding your network, finding devices that need critical software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management techniques to keep your IT environment running efficiently by checking the state of the critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so that emerging issues can be addressed before they disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved easily to alternate hardware without a lengthy and technically risky reconfiguration. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that lets you capture, update, find and safeguard information about your IT infrastructure, procedures, business applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or domains. By keeping your IT documentation organized and current, you can save up to half of the time wasted hunting for vital information about your network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents required for managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and correlating IT data. Whether you're making improvements, performing routine maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that uses next-generation behavior analysis technology to guard endpoint devices as well as servers and VMs against modern malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-based AV products. The service protects on-premises and cloud resources and offers a unified platform to automate the complete threat lifecycle: blocking, identification, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Help Center: Support Desk Managed Services
    Progent's Call Center managed services let your IT team offload Service Desk support to Progent or divide support activity seamlessly between your in-house network support group and Progent's nationwide roster of IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service acts as a smooth extension of your core network support group. End-user access to the Service Desk, delivery of support, escalation, trouble ticket creation and updates, performance metrics, and management of the support database are consistent whether incidents are handled by your corporate support organization, by Progent's team, or by a mix of the two. Learn more about Progent's outsourced/co-managed Service Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management offer organizations of all sizes a versatile and cost-effective solution for assessing, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving IT network. Besides maximizing the security and functionality of your IT network, Progent's patch management services allow your IT staff to focus on line-of-business projects and tasks that deliver the highest business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services use Cisco's Duo cloud technology to defend against stolen passwords through two-factor authentication (2FA). Duo supports one-tap identity confirmation on iOS, Android, and other out-of-band devices. With 2FA, after you sign into a protected account with your password you are asked to confirm your identity using a device that only you possess and that is reached over a separate channel. A wide selection of devices can serve as this second factor, including an iPhone, an Android phone, a smartwatch, a hardware token, or a landline telephone, and you can register several verification devices. For more information about Duo identity validation services, visit Cisco Duo MFA two-factor authentication services for access security.
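The VSS rollback feature described under ProSight Active Security Monitoring above only works if the shadow copies survive the attack, and the case study shows what happens when online backups do not: Ryuk and most current families run vssadmin, wmic and bcdedit to delete shadow copies and disable Windows recovery before they start encrypting. The following Python is an added example, not Progent's or SentinelOne's code, of the tripwire a practitioner would want for that pre-encryption step. It scans process-creation records (the field names follow Windows Security event 4688 / Sysmon EventID 1; the records themselves are constructed samples, and the rule names and the isolation threshold are my own choices) and names the hosts that should be cut off the network.

```python
"""Tripwire for backup/recovery-destruction commands that ransomware runs before
encrypting: shadow-copy deletion or shrinking (vssadmin, wmic, PowerShell WMI),
boot-recovery disabling (bcdedit) and Windows Backup catalog deletion (wbadmin).
Input is a list of process-creation records; the ones below are constructed
sample data, not logs from any real incident."""
import re
from dataclasses import dataclass

# (rule name, regex applied to the normalized command line).
# The first rule that matches an event is the one reported for it.
TAMPER_RULES = [
    ("vss_delete",         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vss_resize",         re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadow_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit_recovery",   re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled no|bootstatuspolicy ignoreallfailures)\b")),
    ("wbadmin_catalog",    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("ps_shadow_delete",   re.compile(r"win32_shadowcopy\b.*\b(delete|remove-wmiobject)\b")),
]

# Constructed sample events (Security 4688 / Sysmon 1 style fields).
# WS-ENG-07 shows the typical pre-encryption burst; BACKUP01 and DC01 are benign;
# FS02 has a single suspicious command that warrants a look but not automatic isolation.
SAMPLE_EVENTS = [
    {"EventRecordID": 1001, "Computer": "WS-ENG-07", "SubjectUserName": "jsmith",
     "CommandLine": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"EventRecordID": 1002, "Computer": "WS-ENG-07", "SubjectUserName": "jsmith",
     "CommandLine": r"vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"},
    {"EventRecordID": 1003, "Computer": "WS-ENG-07", "SubjectUserName": "jsmith",
     "CommandLine": r"bcdedit /set {default} recoveryenabled No"},
    {"EventRecordID": 1004, "Computer": "BACKUP01", "SubjectUserName": "backupsvc",
     "CommandLine": r"vssadmin list shadows"},
    {"EventRecordID": 1005, "Computer": "DC01", "SubjectUserName": "SYSTEM",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventRecordID": 1006, "Computer": "WS-ENG-07", "SubjectUserName": "jsmith",
     "CommandLine": r"wmic.exe shadowcopy delete"},
    {"EventRecordID": 1007, "Computer": "WS-ENG-07", "SubjectUserName": "jsmith",
     "CommandLine": r"powershell -c Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
    {"EventRecordID": 1008, "Computer": "FS02", "SubjectUserName": "admin",
     "CommandLine": r"wbadmin delete catalog -quiet"},
]


@dataclass(frozen=True)
class Finding:
    record_id: int
    rule: str
    user: str
    host: str
    command: str


def normalize(cmdline: str) -> str:
    """Lower-case, strip quotes and collapse whitespace so that
    '"C:\\...\\VSSADMIN.EXE"  Delete   Shadows' still matches the rules."""
    stripped = cmdline.replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", stripped).strip().lower()


def scan(events):
    """Return one Finding per event whose command line hits a tamper rule."""
    findings = []
    for ev in events:
        cmd = normalize(ev.get("CommandLine", ""))
        for rule, pattern in TAMPER_RULES:
            if pattern.search(cmd):
                findings.append(Finding(ev["EventRecordID"], rule,
                                        ev["SubjectUserName"], ev["Computer"], cmd))
                break
    return findings


def hosts_to_isolate(findings, threshold=2):
    """Hosts on which at least `threshold` distinct tamper rules fired.
    One odd command is an analyst's problem; several different ones in a row
    are the signature of a host about to be encrypted, so pull it off the network."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:10} {f.user:10} {f.rule:20} {f.command}")
    print("isolate:", hosts_to_isolate(found))
```

In a real deployment the rules would run as a SIEM or EDR detection on every process-creation event, and the isolation step would call the endpoint agent's network-containment API rather than print a hostname. Matching command lines this way is deliberately coarse: it catches the unobfuscated tooling most ransomware families ship, but an attacker who deletes shadow copies through the COM interface directly will not appear here, which is why a surviving offline or immutable backup, not the rollback feature, remains the last line of defense.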
For Jersey City 24/7 Crypto Cleanup Services, contact Progent at 800-462-8800 or go to Contact Progent.