Crypto-Ransomware : Your Feared Information Technology Nightmare
Ransomware Recovery Experts
Ransomware has become an escalating cyberplague that presents an enterprise-level threat for businesses unprepared for an attack. Multiple generations of ransomware like the Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for many years and still inflict destruction. Recent strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, as well as daily as-yet-unnamed malware, not only encrypt online information but also infect all configured system backups. Files replicated to the cloud can also be corrupted. In a vulnerable environment, this can render any recovery useless and basically sets the entire system back to zero.

Restoring services and data after a ransomware outage becomes a sprint against the clock as the victim struggles to contain the damage, eradicate the crypto-ransomware, and resume enterprise-critical activity. Because ransomware requires time to spread, attacks are often launched on weekends, when successful attacks are likely to take more time to detect. This compounds the difficulty of rapidly marshalling and coordinating a qualified response team.

Progent provides a range of help services for protecting businesses from ransomware events. These include user training to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of next-generation security gateways with AI capabilities from SentinelOne to identify and extinguish new cyber threats intelligently. Progent in addition offers the assistance of expert crypto-ransomware recovery engineers with the talent and perseverance to re-deploy a compromised network as rapidly as possible.

Progent's Ransomware Recovery Help
After a ransomware penetration, paying the ransom demand in cryptocurrency does not guarantee that merciless criminals will provide the keys needed to decrypt any or all of your data. Kaspersky ascertained that seventeen percent of ransomware victims never restored their files after having sent off the ransom, resulting in increased losses. The ransom itself is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual crypto-ransomware demand, which ZDNET estimates to be in the range of $13,000. The other path is to set up from scratch the critical elements of your IT environment. Absent access to full system backups, this calls for a broad complement of skills, top-notch team management, and the ability to work 24x7 until the recovery project is over.

For twenty years, Progent has made available professional Information Technology services for companies in Mission Viejo and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's cyber security specialists have garnered internationally-renowned industry certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience with financial management and ERP application software. This breadth of experience gives Progent the ability to knowledgably understand critical systems and organize the surviving components of your computer network system following a ransomware attack and configure them into a functioning network.

Progent's ransomware team uses powerful project management systems to orchestrate the sophisticated recovery process. Progent understands the urgency of acting swiftly and together with a client's management and Information Technology resources to prioritize tasks and to put key services back on-line as soon as possible.

Client Case Study: A Successful Ransomware Incident Response
A small business escalated to Progent after their network system was taken over by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored hackers, suspected of using algorithms exposed from America's NSA. Ryuk seeks out specific organizations with little ability to sustain operational disruption and is one of the most lucrative iterations of ransomware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in Chicago with around 500 staff members. The Ryuk attack had frozen all company operations and manufacturing capabilities. Most of the client's information backups had been directly accessible at the start of the attack and were damaged. The client was taking steps to pay the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I can't thank you enough for the help Progent gave us throughout the most stressful time of (our) company's life. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent team gave us. The fact that you could get our e-mail and production applications back into operation sooner than seven days was earth shattering. Every single expert I spoke to or texted at Progent was urgently focused on getting us operational and was working all day and night to bail us out."

Progent worked hand in hand with the customer to quickly determine and prioritize the critical areas that needed to be recovered in order to resume business functions:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Financials/MRP

To begin, Progent followed ransomware incident response best practices by halting the spread and cleaning up infected systems. Progent then began the work of bringing Active Directory back online, the foundation of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange messaging will not function without Windows AD, and the customer's financials and MRP software used Microsoft SQL Server, which relies on Active Directory for authenticated access to the data.

In less than 2 days, Progent was able to restore Active Directory services to their pre-penetration state. Progent then performed rebuilding and storage recovery on the most important servers. All Exchange data and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to gather local OST files (Outlook Offline Data Files) from staff desktop computers and laptops in order to recover email data. A recent offline backup of the customer's financials/ERP systems made it possible to bring these required programs back online. Although a lot of work remained to recover completely from the Ryuk virus, critical systems were returned to operation rapidly:


"For the most part, the production operation was never shut down and we produced all customer shipments."

During the following month key milestones in the recovery project were made in tight collaboration between Progent engineers and the customer:

  • In-house web sites were brought back up without losing any information.
  • The MailStore Exchange archive server, holding more than four million archived messages, was brought on-line and made available to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control modules were completely restored.
  • A new Palo Alto 850 firewall was installed and configured.
  • Ninety percent of the desktops and laptops were fully operational.

"So much of what went on during the initial response is nearly entirely a fog for me, but my management will not soon forget the dedication each and every one of you put in to help get our business back. I've utilized Progent for the past ten years, maybe more, and every time Progent has come through and delivered as promised. This time was a testament to your capabilities."

Conclusion
A possible business disaster was averted by hard-working professionals, a broad range of knowledge, and close teamwork. Although in retrospect the ransomware incident described here should have been identified and blocked with modern cyber security technology solutions and security best practices, team education, and well-thought-out procedures for backup and for keeping systems up to date with security patches, the fact is that government-sponsored hackers from China, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware incident, feel confident that Progent's roster of professionals has a proven track record in crypto-ransomware defense, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), I'm grateful for letting me get rested after we made it through the initial fire. All of you did an impressive job, and if anyone that helped is around the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Mission Viejo a variety of remote monitoring and security assessment services to help you to reduce your vulnerability to ransomware. These services include next-generation machine learning capability to detect zero-day variants of ransomware that are able to get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior analysis technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely evade traditional signature-matching AV products. ProSight ASM safeguards on-premises and cloud resources and provides a unified platform to address the complete malware attack progression including blocking, infiltration detection, containment, remediation, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver economical in-depth security for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device management, and web filtering through cutting-edge technologies packaged within one agent accessible from a single console. Progent's data protection and virtualization experts can help your business to plan and configure a ProSight ESP environment that addresses your company's specific requirements and that helps you demonstrate compliance with legal and industry data security standards. Progent will assist you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also assist you to install and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup software companies to create ProSight Data Protection Services (DPS), a portfolio of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your data backup processes and enable non-disruptive backup and fast recovery of critical files, apps, images, and virtual machines. ProSight DPS lets you avoid data loss resulting from equipment breakdown, natural disasters, fire, malware like ransomware, human mistakes, ill-intentioned employees, or software bugs. Managed services in the ProSight Data Protection Services product line include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security companies to deliver centralized control and comprehensive protection for all your email traffic. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as a preliminary barricade and blocks the vast majority of threats from making it to your network firewall. This reduces your vulnerability to external attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper level of inspection for incoming email. For outbound email, the local gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, monitor, enhance and troubleshoot their networking appliances such as routers, firewalls, and access points as well as servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, captures and displays the configuration of virtually all devices on your network, tracks performance, and sends notices when problems are detected. By automating complex management activities, ProSight WAN Watch can cut hours off common chores like network mapping, expanding your network, locating devices that require critical updates, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your network operating at peak levels by checking the state of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so that any looming issues can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the applications. Since the environment is virtualized, it can be ported easily to an alternate hardware solution without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect information about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can save as much as 50% of the time wasted looking for vital information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents related to managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you require the instant you need it. Learn more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting-edge behavior-based machine learning tools to defend endpoint devices as well as servers and VMs against new malware attacks such as ransomware and email phishing, which routinely get by traditional signature-based anti-virus products. Progent Active Security Monitoring services protect on-premises and cloud resources and provide a unified platform to address the complete threat progression including filtering, identification, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against new threats. Find out more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Help Center services permit your information technology staff to offload Support Desk services to Progent or split responsibilities for Help Desk services seamlessly between your internal network support team and Progent's extensive pool of certified IT service engineers and subject matter experts. Progent's Shared Service Desk offers a seamless supplement to your in-house network support resources. Client interaction with the Service Desk, delivery of support, issue escalation, ticket creation and tracking, efficiency measurement, and management of the support database are consistent regardless of whether issues are taken care of by your corporate network support resources, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide organizations of any size a versatile and cost-effective alternative for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic IT network. In addition to optimizing the protection and functionality of your IT environment, Progent's software/firmware update management services free up time for your in-house IT staff to concentrate on line-of-business initiatives and activities that deliver the highest business value from your information network. Learn more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo MFA service plans utilize Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo supports one-tap identity confirmation with iOS, Android, and other out-of-band devices. Using Duo 2FA, whenever you sign into a protected application and give your password you are asked to verify your identity on a device that only you have and that uses a different ("out-of-band") network channel. A broad selection of devices can be utilized as this added means of authentication, such as an iPhone, an Android phone, a smartwatch, a hardware/software token, or a landline telephone. You can designate several verification devices. For details about ProSight Duo identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.

For 24/7/365 Mission Viejo Crypto-Ransomware Recovery Experts, call Progent at 800-462-8800 or go to Contact Progent.