Crypto-Ransomware : Your Crippling Information Technology Catastrophe
Crypto-Ransomware Recovery Professionals

Ransomware has become a modern cyber pandemic that presents an enterprise-level danger for businesses of all sizes unprepared for an assault. Multiple generations of ransomware such as the Dharma, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been around for many years and still inflict havoc. Newer strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, along with as yet unnamed variants that appear daily, not only encrypt online data but also infiltrate every accessible system backup. Information synchronized to the cloud can also be corrupted. In a poorly designed data protection solution, this can render automatic restore operations impossible and effectively knocks the network back to square one.

Getting applications and data back online after a ransomware event becomes a sprint against time as the targeted organization fights to contain and clear the crypto-ransomware and to resume enterprise-critical operations. Because crypto-ransomware takes time to replicate, attacks are often launched at night, when a successful penetration typically takes longer to detect. This multiplies the difficulty of quickly marshalling and organizing an experienced response team.

Progent has a range of services for protecting organizations from ransomware events. Among these are staff education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with installation of the latest generation security gateways with AI technology from SentinelOne to detect and disable zero-day cyber attacks rapidly. Progent in addition provides the assistance of veteran ransomware recovery consultants with the track record and perseverance to reconstruct a compromised environment as urgently as possible.

Progent's Ransomware Restoration Support Services
After a ransomware penetration, paying the ransom demand in cryptocurrency does not guarantee that distant criminals will respond with the keys needed to decrypt all your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their data after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET determined to be in the range of $13,000. The fallback is to piece back together the key elements of your IT environment. Without access to essential information backups, this requires a broad range of skills, top-notch project management, and the capability to work non-stop until the job is done.

For twenty years, Progent has offered expert Information Technology services for companies in Raleigh and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have attained high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have earned internationally renowned certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent in addition has experience in financial systems and ERP applications. This breadth of experience allows Progent to quickly identify critical systems, re-organize the remaining pieces of your IT environment following a crypto-ransomware event, and configure them into an operational network.

Progent's security team uses best-of-breed project management applications to orchestrate the complicated recovery process. Progent appreciates the importance of acting rapidly and in concert with a client's management and Information Technology team members to prioritize tasks and to put key services back online as soon as humanly possible.

Case Study: A Successful Crypto-Ransomware Virus Response
A customer hired Progent after their organization was crippled by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state hackers, suspected of adopting techniques leaked from the United States National Security Agency. Ryuk targets specific companies with little room for disruption and is one of the most lucrative instances of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with about 500 workers. The Ryuk event had shut down all business operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were eventually encrypted. The client was evaluating paying the ransom demand (in excess of $200,000) and hoping for the best, but ultimately brought in Progent.

"I can't speak enough in regards to the support Progent gave us throughout the most fearful period of (our) business's life. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent group provided us. The fact that you could get our messaging and important servers back in less than seven days was something I thought impossible. Each person I got help from or messaged at Progent was absolutely committed to getting us back online and was working day and night to bail us out."

Progent worked hand in hand with the client to rapidly understand and prioritize the most important applications that had to be recovered to make it possible to continue company operations:

  • Active Directory (AD)
  • Electronic Messaging
  • MRP System

To begin, Progent adhered to ransomware incident response industry best practices by stopping the spread and performing virus removal steps. Progent then started the process of recovering Microsoft Active Directory, the key technology of enterprise systems built upon Microsoft Windows Server. Microsoft Exchange email will not function without Active Directory, and the customer's financials and MRP software used SQL Server, which relies on Active Directory for authentication to the databases.

Within 2 days, Progent was able to restore Windows Active Directory to its pre-virus state. Progent then completed setup and storage recovery of critical applications. All Microsoft Exchange Server data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to find intact OST files (Outlook Offline Data Files) on various PCs and laptops in order to recover mail data. A reasonably recent offline backup of the customer's financials/ERP systems made it possible to return these essential applications to service. Although major work remained to recover completely from the Ryuk attack, core systems were recovered quickly:

"For the most part, the production operation ran fairly normally throughout and we did not miss any customer orders."

Over the following few weeks, critical milestones in the restoration process were accomplished through close collaboration between Progent consultants and the customer:

  • Self-hosted web applications were returned to operation with no loss of information.
  • The MailStore Exchange Server archive, exceeding 4 million historical emails, was brought online and made available to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control modules were completely restored.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Ninety percent of the user PCs were fully operational.

"A lot of what was accomplished during the initial response is nearly entirely a haze for me, but my team will not forget the countless hours all of you put in to help get our company back. I have been working with Progent for the past ten years, maybe more, and every time Progent has come through and delivered as promised. This event was the most impressive ever."

Conclusion
A likely business disaster was averted through the efforts of hard-working experts, a wide spectrum of knowledge, and tight collaboration. Post-incident analysis showed that the ransomware penetration detailed here should have been blocked by advanced cyber security technology and best practices, team education, properly executed incident response procedures for data protection, and proper patching controls. The fact remains, however, that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's team of experts has extensive experience in ransomware defense, removal, and information systems restoration.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thanks very much for letting me get rested after we made it past the initial push. All of you made an incredible effort, and if anyone is visiting the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this ransomware incident report, see Progent's Ryuk Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Raleigh a range of online monitoring and security evaluation services to help you minimize your exposure to ransomware. These services use modern machine learning capabilities to detect new strains of crypto-ransomware that can get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses SentinelOne's behavior analysis technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily get by traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to address the entire threat progression, including protection, detection, containment, cleanup, and post-attack forensics. Top features include single-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint control, and web filtering via cutting-edge technologies incorporated within one agent accessible from a unified console. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP deployment that meets your company's specific needs and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent action. Progent's consultants can also help your company to install and test a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software companies to produce ProSight Data Protection Services, a selection of management offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup processes and enable non-disruptive backup and rapid recovery of vital files/folders, apps, images, plus virtual machines. ProSight DPS helps you recover from data loss resulting from equipment failures, natural calamities, fire, malware like ransomware, human error, ill-intentioned insiders, or application bugs. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security vendors to deliver web-based management and comprehensive security for all your inbound and outbound email. The layered structure of the Email Guard managed service integrates a Cloud Protection Layer with a local gateway appliance to provide advanced protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external threats and conserves system bandwidth and storage. Email Guard's onsite security gateway device provides a deeper level of inspection for inbound email. For outbound email, the on-premises security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also assist Microsoft Exchange Server in monitoring and safeguarding internal email that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to diagram, monitor, optimize and debug their networking appliances such as switches, firewalls, and load balancers, plus servers, printers, client computers and other devices. Incorporating Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and manages the configuration information of almost all devices on your network, tracks performance, and sends alerts when potential issues are discovered. By automating time-consuming network management activities, WAN Watch can cut hours off ordinary tasks such as network mapping, expanding your network, finding appliances that require important software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your network running at peak levels by tracking the state of the vital computers that power your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management personnel and your assigned Progent engineering consultant so that potential problems can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved easily to a different hardware solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect information related to your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By updating and managing your network documentation, you can eliminate up to 50% of the time spent looking for critical information about your network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're making improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Find out more about the ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that uses next-generation behavior-based machine learning tools to defend endpoint devices, servers and VMs against new malware attacks such as ransomware and email phishing, which easily get by traditional signature-matching anti-virus tools. Progent ASM services safeguard local and cloud resources and provide a single platform to address the entire malware attack progression, including protection, detection, containment, cleanup, and forensics. Key features include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
    Progent's Support Desk managed services enable your information technology group to offload Support Desk services to Progent or divide responsibilities for Service Desk support transparently between your internal support team and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a smooth supplement to your internal IT support organization. End user access to the Service Desk, delivery of support services, escalation, trouble ticket creation and updates, performance measurement, and maintenance of the support database are consistent whether issues are taken care of by your core network support organization, by Progent, or both. Find out more about Progent's outsourced/co-managed Call Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide businesses of any size a flexible and affordable alternative for assessing, validating, scheduling, applying, and tracking software and firmware updates to your ever-evolving information system. In addition to maximizing the protection and reliability of your IT network, Progent's software/firmware update management services permit your IT staff to focus on more strategic projects and activities that derive the highest business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo authentication managed services use Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication. Duo supports one-tap identity confirmation on iOS, Google Android, and other out-of-band devices. Using 2FA, whenever you log into a secured online account and give your password, you are asked to confirm who you are via a device that only you possess and that is reached over a different network channel. A broad range of devices can be used as this added means of authentication, including a smartphone or watch, a hardware/software token, a landline phone, etc. You may designate multiple validation devices. To learn more about ProSight Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.

For Raleigh 24/7/365 Crypto-Ransomware Repair Help, call Progent at 800-462-8800 or go to Contact Progent.