Crypto-Ransomware : Your Worst IT Catastrophe
Crypto-Ransomware Recovery Experts
Ransomware has become an escalating cyber plague that represents an existential danger for organizations vulnerable to attack. Ransomware families such as CryptoLocker, CryptoWall, Locky, SamSam and MongoLock have been circulating for years and continue to inflict damage. The latest variants, such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Egregor, along with a daily stream of unnamed malware, not only encrypt online data but also seek out and encrypt or delete any backups reachable from the compromised network. Files replicated to cloud environments can be corrupted as well, because replication faithfully copies the encrypted versions. In a poorly designed system this leaves automated restore hopeless and effectively knocks the network back to square one: a backup that the attacker's credentials can reach is just another file to encrypt, and only offline or immutable copies can be relied on.
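Before restoring from any backup that was reachable during the intrusion, verify that the backup itself was not encrypted. The following is an added example, not Progent's tooling and not part of the original page: it builds a constructed backup tree in a temporary directory and flags the tell-tale signs of a backup that ransomware reached, namely ransom notes, appended ransomware extensions, files whose leading bytes no longer match their format, and text formats whose byte entropy looks like ciphertext. The note names and the extension list are illustrative (Ryuk's .RYK and RyukReadMe.* are real, but every family differs) and should be extended from your own incident findings.

```python
"""Check a backup set for signs that ransomware reached it before you restore from it.

Added example, not Progent's tooling. The heuristics (ransom-note names,
appended extensions, magic-byte mismatch, entropy of text formats) are
illustrative; the sample backup tree is constructed in a temp directory.
"""
import math
import os
import tempfile
from collections import Counter

# Expected leading bytes for formats we can validate structurally.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".bak": b"TAPE",          # SQL Server backups use Microsoft Tape Format
}
TEXT_EXT = {".txt", ".csv", ".log", ".xml", ".sql", ".json", ".ini"}
TEXT_ENTROPY_LIMIT = 6.0    # plain text sits around 4-5 bits/byte; ciphertext near 8
RANSOM_EXT = {".ryk"}       # Ryuk appends .RYK; extend from your own IR findings
RANSOM_NOTES = {"ryukreadme.txt", "ryukreadme.html"}
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_file(path: str) -> str:
    """Classify one file: ransom-note, ransom-extension, magic-mismatch, high-entropy-text or ok."""
    name = os.path.basename(path).lower()
    _, ext = os.path.splitext(name)
    if name in RANSOM_NOTES:
        return "ransom-note"
    if ext in RANSOM_EXT:
        return "ransom-extension"
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return "magic-mismatch"          # encrypted in place, original name kept
    if ext in TEXT_EXT and shannon_entropy(head) > TEXT_ENTROPY_LIMIT:
        return "high-entropy-text"       # text format that now looks like ciphertext
    return "ok"


def assess_backup(root_dir: str) -> dict:
    """Map every file under root_dir (relative path) to its verdict."""
    verdicts = {}
    for dirpath, _, files in os.walk(root_dir):
        for f in files:
            full = os.path.join(dirpath, f)
            verdicts[os.path.relpath(full, root_dir)] = assess_file(full)
    return verdicts


def safe_to_restore(verdicts: dict) -> bool:
    """True only when nothing in the set shows a sign of tampering."""
    return all(v == "ok" for v in verdicts.values())


def build_sample_backup(root_dir: str) -> None:
    """Constructed backup tree: some intact files, some touched by the attacker."""
    ciphertext = os.urandom(SAMPLE_BYTES)
    files = {
        "finance/invoices.csv": b"id,customer,amount\n1,ACME,1200.00\n" * 100,
        "finance/invoices.csv.RYK": ciphertext,            # renamed after encryption
        "finance/ledger.sql": ciphertext,                  # encrypted in place, name kept
        "docs/report.pdf": b"%PDF-1.4\n%...\n" + b"stream data " * 200,
        "docs/plan.pdf": ciphertext,                       # encrypted in place, name kept
        "mrp/mrp_full.bak": b"TAPE" + b"\x00" * 1000,      # MTF header intact
        "docs/RyukReadMe.txt": b"Your network has been penetrated...\n",
    }
    for rel, data in files.items():
        full = os.path.join(root_dir, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_demo() -> dict:
    """Build the constructed tree in a fresh temp directory and assess it."""
    root = tempfile.mkdtemp(prefix="backup-check-")
    build_sample_backup(root)
    return assess_backup(root)


if __name__ == "__main__":
    results = run_demo()
    for rel, verdict in sorted(results.items()):
        print(f"{verdict:18} {rel}")
    print("safe to restore:", safe_to_restore(results))
```

The entropy rule is deliberately limited to text formats: compressed containers such as PDF, DOCX and PNG are high-entropy by nature, so for those only the header check is trustworthy. A single finding anywhere in the set should stop an automated restore, since the same credentials that reached one file reached the rest.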

Recovering services and data after a ransomware event becomes a race against the clock as the targeted organization works to contain and eradicate the ransomware and resume business-critical activity. Because crypto-ransomware takes time to spread and encrypt, attacks are frequently launched on weekends and holidays, when they take longer to be recognized. This compounds the difficulty of quickly mobilizing and coordinating a qualified response team.
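The pre-encryption burst is easier to catch than the encryption itself. Before Ryuk, Conti, LockBit and similar families start encrypting, the operator typically deletes volume shadow copies and disables Windows recovery (MITRE ATT&CK T1490, Inhibit System Recovery), and that handful of commands appears in process-creation telemetry (Windows Security event 4688 or Sysmon event 1) even on a holiday weekend when nobody is watching the console. The following is an added example, not part of the original page and not Progent's tooling, that runs such a detection over constructed sample log lines; the pipe-delimited record format, host names and user names are invented for the demo.

```python
"""Detect pre-encryption recovery-inhibition commands in process-creation logs.

Added example: the log format and host/user names are constructed for this
demo, not taken from the case study. Patterns correspond to MITRE ATT&CK
T1490 (Inhibit System Recovery) behaviour seen in Ryuk, Conti and LockBit.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Each pattern is matched case-insensitively against the full command line.
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin-delete-shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "vssadmin-resize-storage": re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic-shadowcopy-delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin-delete-catalog": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "bcdedit-disable-recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "wmi-shadowcopy-via-script": re.compile(r"win32_shadowcopy\b.*\b(delete|remove)", re.I),
}


@dataclass
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    parent_image: str
    command_line: str


def parse_event(line: str):
    """Parse one constructed 'ts|host|user|parent_image|command_line' record."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5 or not parts[0]:
        return None
    return ProcessEvent(*parts)


def matched_techniques(event: ProcessEvent):
    """Return the names of every recovery-inhibition pattern the command line hits."""
    return [name for name, rx in RECOVERY_INHIBIT_PATTERNS.items()
            if rx.search(event.command_line)]


def scan(lines):
    """Return (event, techniques) for every line matching at least one pattern."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        hits = matched_techniques(ev)
        if hits:
            alerts.append((ev, hits))
    return alerts


def triage(alerts):
    """Escalate per host: one matching command might be an administrator, but
    several distinct techniques on the same host is the ransomware pre-encryption burst."""
    per_host = defaultdict(set)
    for ev, hits in alerts:
        per_host[ev.host].update(hits)
    return {host: ("critical" if len(techs) >= 2 else "high")
            for host, techs in per_host.items()}


# Constructed sample: a Ryuk-style burst on a domain controller plus benign noise.
SAMPLE_LOG = """\
2020-11-14T02:13:07Z|MFG-DC01|CORP\\svc_backup|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs
2020-11-14T02:13:09Z|MFG-DC01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|vssadmin.exe Delete Shadows /All /Quiet
2020-11-14T02:13:10Z|MFG-DC01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wmic.exe shadowcopy delete
2020-11-14T02:13:11Z|MFG-DC01|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|bcdedit.exe /set {default} recoveryenabled No
2020-11-14T02:13:12Z|MFG-FS02|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|wbadmin.exe delete catalog -quiet
2020-11-14T02:14:00Z|MFG-WS17|CORP\\asmith|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|C:\\Windows\\System32\\notepad.exe notes.txt
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for ev, hits in found:
        print(f"{ev.timestamp} {ev.host} {ev.user}: {', '.join(hits)} <- {ev.command_line}")
    print(triage(found))
```

The per-host escalation in triage is the part worth keeping: a lone vssadmin resize can be legitimate storage housekeeping, but shadow-copy deletion followed within seconds by bcdedit disabling recovery on a domain controller has no benign explanation and should page someone regardless of the day of the week.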

Progent provides a variety of services for protecting enterprises from crypto-ransomware attacks. These include user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of SentinelOne endpoint protection with AI-based detection to identify and contain new threats automatically. Progent also offers the assistance of experienced crypto-ransomware recovery engineers with the track record and perseverance to restore a compromised system as rapidly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the criminals will deliver working keys to decrypt any or all of your data. Kaspersky found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. The ransom itself is also expensive: Ryuk demands often range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the typical crypto-ransomware demand, which ZDNet estimated at approximately $13,000. The alternative is to piece the critical elements of your IT environment back together. Without full, intact backups this requires a broad complement of IT skills, well-coordinated project management, and the ability to work around the clock until the job is done.

For two decades, Progent has offered expert IT services for businesses in Montgomery and throughout the U.S. and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have attained high-level certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security specialists hold internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience with financial systems and ERP software. This breadth of expertise gives Progent the skills to knowledgeably identify critical systems, organize the remaining pieces of your network after a ransomware intrusion, and assemble them into a functioning environment.

Progent's ransomware group utilizes state-of-the-art project management tools to coordinate the complex restoration process. Progent appreciates the urgency of working rapidly and in unison with a customer's management and Information Technology staff to assign priority to tasks and to put key systems back on-line as soon as possible.

Client Story: A Successful Crypto-Ransomware Virus Response
A customer escalated to Progent after their company was attacked by Ryuk ransomware. Ryuk was initially linked by some researchers to North Korean state-sponsored actors because of code overlap with the earlier Hermes ransomware, but it is now widely attributed to a Russian-speaking cybercrime group that runs it as a targeted, human-operated campaign. Ryuk goes after specific organizations with little or no tolerance for operational disruption and is one of the most profitable ransomware operations on record. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business in the Chicago area with around 500 employees. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client considered paying the ransom (more than $200K) and hoping for the best, but in the end reached out to Progent.


"I can't speak enough about the care Progent gave us throughout the most critical time of (our) business's existence. We may have had to pay the cyber criminals except for the confidence the Progent team afforded us. The fact that you could get our e-mail system and production applications back on-line in less than seven days was incredible. Every single consultant I got help from or texted at Progent was hell-bent on getting us back online and was working all day and night on our behalf."

Progent worked hand in hand with the client to quickly identify and prioritize the essential applications that had to be restored in order to restart departmental operations:

  • Active Directory (AD)
  • E-Mail
  • Financials/MRP
To begin, Progent followed incident response best practices for a malware outbreak by isolating and cleaning infected systems. Progent then started bringing Active Directory back online, the heart of any enterprise network built on Microsoft technology. On-premises Microsoft Exchange will not run without Active Directory, and the client's MRP system ran on SQL Server, whose Windows-authenticated database logins also depend on Active Directory.

Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then assisted with the setup and disk recovery of key systems. All Exchange Server data and configuration were intact, which greatly simplified the Exchange rebuild. Progent was able to use the local OST files (Outlook Offline Data Files) cached on staff desktops and laptops to recover mailbox contents. A reasonably recent offline backup of the customer's accounting/MRP system made it possible to bring these vital applications back to users. Although a large amount of work remained to recover completely from the Ryuk event, the critical systems were recovered quickly:


"For the most part, the manufacturing operation was never shut down and we did not miss any customer sales."

Over the following few weeks key milestones in the recovery process were accomplished through tight cooperation between Progent engineers and the client:

  • Internal web applications were brought back up with no loss of information.
  • The MailStore email archive, holding more than four million historical messages, was brought back up and made accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory modules were fully functional.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • Most of the user desktops and notebooks were fully operational.

"Much of what transpired those first few days is mostly a fog for me, but I will not soon forget the countless hours each and every one of you put in to help get our business back. I've been working together with Progent for the past 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This time was a testament to your capabilities."

Conclusion
A probable business catastrophe was avoided through the efforts of top-tier professionals, a broad range of expertise, and close collaboration. Post-incident forensics showed that the intrusion described here would have been blocked by modern security tooling and practices: staff training, offline backups, prompt patching, and a well-thought-out incident response plan. Nevertheless, cybercriminals and state-sponsored groups from Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you are hit by a ransomware intrusion, you can be confident that Progent's roster of professionals has proven experience in ransomware prevention, remediation, and data recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for allowing me to get rested after we got over the most critical parts. Everyone did an amazing job, and if anyone is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Montgomery a range of remote monitoring and security evaluation services to help minimize your exposure to crypto-ransomware. These services use next-generation AI capabilities to detect new strains of ransomware that evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's behavior-based machine learning technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-based AV tools. ProSight ASM safeguards on-premises and cloud resources and provides a single platform covering the entire malware attack lifecycle: prevention, intrusion detection, containment, remediation, and forensics. Key features include single-click rollback with Windows VSS and automatic system-wide immunization against newly discovered attacks. Note that ransomware operators routinely delete volume shadow copies before they start encrypting, so VSS-based rollback only helps when the agent blocks that deletion first. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and response to cyber attacks from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies incorporated within one agent managed from a single console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP environment that meets your company's unique requirements and allows you to prove compliance with government and industry information protection standards. Progent will help you define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate attention. Progent's consultants can also help you set up and verify a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with advanced backup technology companies to produce ProSight Data Protection Services (DPS), a family of offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup processes and allow non-disruptive backup and rapid recovery of important files, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss resulting from equipment failures, natural disasters, fire, cyber attacks like ransomware, user mistakes, ill-intentioned employees, or software bugs. Managed backup services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver web-based management and world-class protection for your inbound and outbound email. The architecture of the Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to provide advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter serves as a first line of defense and keeps the vast majority of threats from reaching your network firewall. This decreases your exposure to external attacks and saves bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper level of analysis for incoming email. For outbound email, the local security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server monitor and protect internal email traffic that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to map, track, reconfigure and debug their networking hardware like routers, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, captures and displays the configuration of almost all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating complex management processes, ProSight WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, finding devices that require critical updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the health of vital assets that power your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT staff and your Progent consultant so any potential problems can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hardware solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard information related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT documentation, you can eliminate up to 50% of the time wasted trying to find vital information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need the instant you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates next-generation behavior analysis technology to defend endpoint devices as well as physical and virtual servers against modern malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-based AV products. The service safeguards on-premises and cloud-based resources and provides a single platform to address the complete malware attack lifecycle including protection, detection, containment, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Service Center: Help Desk Managed Services
    Progent's Support Desk services permit your IT team to offload Help Desk services to Progent or split responsibilities for support services transparently between your in-house support team and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless extension of your corporate network support resources. Client access to the Service Desk, provision of technical assistance, escalation, ticket creation and tracking, performance metrics, and management of the support database are cohesive whether incidents are resolved by your internal network support resources, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Help Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a flexible and cost-effective solution for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your dynamic information network. Besides maximizing the security and functionality of your computer network, Progent's patch management services allow your in-house IT team to concentrate on more strategic projects and tasks that derive the highest business value from your information network. Find out more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication managed services incorporate Cisco's Duo technology to protect against password theft by using two-factor authentication. Duo supports single-tap identity verification with iOS, Google Android, and other personal devices. With Duo 2FA, whenever you sign into a protected application and give your password, you are asked to confirm your identity on a device that only you have and that uses a different network channel. A wide range of out-of-band devices can be used for this second form of ID validation, including an iPhone, an Android phone, a smartwatch, a hardware token, or a landline phone. You may register several verification devices. For details about ProSight Duo identity authentication services, visit Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding suite of in-depth reporting tools designed to integrate with the leading ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues such as inconsistent support follow-through or machines with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For Montgomery 24/7/365 CryptoLocker Recovery Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.