Crypto-Ransomware : Your Crippling IT Disaster
Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a modern cyberplague that presents an enterprise-level threat for businesses unprepared for an attack. Multiple generations of ransomware such as CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for years and continue to cause harm. Recent variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, along with frequent unnamed viruses, not only encrypt on-line critical data but also infiltrate any accessible system backup. Data synchronized to cloud environments can also be encrypted. In a poorly architected data protection solution, this can render automated recovery hopeless and effectively knocks the entire system back to square one.

Retrieving services and data after a crypto-ransomware intrusion becomes a sprint against time as the targeted business tries its best to stop the spread and eradicate the ransomware and to resume business-critical activity. Due to the fact that ransomware takes time to move laterally, penetrations are often sprung during weekends and nights, when penetrations may take longer to notice. This compounds the difficulty of quickly mobilizing and organizing a capable mitigation team.

Progent provides an assortment of help services for securing enterprises from ransomware attacks. These include team member training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security gateways with artificial intelligence technology from SentinelOne to detect and extinguish zero-day threats rapidly. Progent also can provide the assistance of expert ransomware recovery engineers with the talent and perseverance to rebuild a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Recovery Support Services
Soon after a ransomware event, paying the ransom in Bitcoin cryptocurrency does not guarantee that criminal gangs will return the needed codes to decrypt all your information. Kaspersky determined that 17% of ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the usual ransomware demands, which ZDNET estimates to be around $13,000. The alternative is to re-install the vital components of your Information Technology environment. Absent the availability of complete system backups, this calls for a broad range of skill sets, well-coordinated team management, and the capability to work continuously until the job is done.

For decades, Progent has offered certified expert Information Technology services for businesses in Appleton and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have been awarded advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial management and ERP software solutions. This breadth of experience gives Progent the capability to knowledgably ascertain critical systems and consolidate the surviving components of your network system following a ransomware event and assemble them into an operational network.

Progent's recovery group deploys powerful project management tools to coordinate the complex restoration process. Progent understands the importance of acting swiftly and in unison with a customer's management and IT resources to assign priority to tasks and to get key applications back online as fast as humanly possible.

Client Story: A Successful Ransomware Penetration Recovery
A business sought out Progent after their company was taken over by Ryuk ransomware. Ryuk is thought to have been deployed by Northern Korean government sponsored hackers, suspected of using technology leaked from America's National Security Agency. Ryuk targets specific businesses with little or no tolerance for disruption and is among the most lucrative examples of ransomware viruses. High publicized victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago and has around 500 employees. The Ryuk intrusion had disabled all business operations and manufacturing capabilities. Most of the client's data protection had been directly accessible at the start of the attack and were damaged. The client considered paying the ransom (more than $200K) and wishfully thinking for the best, but in the end utilized Progent.


"I cannot speak enough in regards to the support Progent gave us throughout the most critical time of (our) company's life. We would have paid the cyber criminals behind the attack if not for the confidence the Progent group gave us. The fact that you were able to get our e-mail system and important applications back online quicker than five days was something I thought impossible. Every single person I interacted with or messaged at Progent was hell bent on getting our company operational and was working at all hours on our behalf."

Progent worked hand in hand the client to quickly understand and prioritize the critical areas that had to be restored to make it possible to resume departmental functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • MRP System
To begin, Progent adhered to Anti-virus event response industry best practices by stopping lateral movement and removing active viruses. Progent then began the work of restoring Windows Active Directory, the key technology of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not operate without Windows AD, and the client's MRP system utilized Microsoft SQL, which needs Active Directory services for security authorization to the database.

In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then performed reinstallations and hard drive recovery on essential applications. All Exchange Server data and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to locate intact OST files (Microsoft Outlook Off-Line Folder Files) on user PCs and laptops in order to recover email messages. A recent offline backup of the customer's accounting/ERP software made them able to recover these essential applications back online. Although a large amount of work remained to recover totally from the Ryuk event, the most important services were restored rapidly:


"For the most part, the production manufacturing operation did not miss a beat and we made all customer shipments."

During the next few weeks important milestones in the recovery project were completed in tight collaboration between Progent engineers and the client:

  • In-house web applications were restored with no loss of information.
  • The MailStore Microsoft Exchange Server exceeding four million archived emails was spun up and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/AR/Inventory Control modules were completely recovered.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Ninety percent of the user desktops were operational.

"A huge amount of what transpired during the initial response is nearly entirely a blur for me, but our team will not forget the countless hours each and every one of you accomplished to give us our company back. I've utilized Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This time was a testament to your capabilities."

Conclusion
A potential business catastrophe was averted through the efforts of top-tier professionals, a broad range of subject matter expertise, and close collaboration. Although in retrospect the crypto-ransomware penetration described here could have been identified and disabled with modern security systems and recognized best practices, staff education, and well designed security procedures for information backup and proper patching controls, the reality is that state-sponsored hackers from Russia, China and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's roster of experts has a proven track record in crypto-ransomware virus defense, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), I'm grateful for allowing me to get some sleep after we got over the initial fire. Everyone did an amazing job, and if anyone is around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Appleton a variety of online monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services utilize modern machine learning capability to uncover zero-day strains of ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's cutting edge behavior-based machine learning tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which easily escape traditional signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to manage the complete threat progression including blocking, detection, mitigation, cleanup, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through cutting-edge technologies packaged within a single agent managed from a unified control. Progent's data protection and virtualization consultants can help you to plan and configure a ProSight ESP deployment that meets your organization's unique needs and that helps you achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent can also assist you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with leading backup software providers to create ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS products automate and monitor your backup processes and enable non-disruptive backup and fast recovery of vital files/folders, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss caused by hardware breakdown, natural disasters, fire, malware like ransomware, human error, malicious employees, or application glitches. Managed backup services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security companies to deliver centralized management and world-class security for your email traffic. The powerful structure of Progent's Email Guard combines a Cloud Protection Layer with a local gateway appliance to offer complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a preliminary barricade and blocks most unwanted email from making it to your security perimeter. This reduces your vulnerability to external threats and saves system bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper layer of inspection for inbound email. For outbound email, the on-premises gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server to track and safeguard internal email that stays within your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to map, track, reconfigure and troubleshoot their connectivity appliances such as routers, firewalls, and access points plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are always current, copies and manages the configuration of virtually all devices on your network, tracks performance, and generates alerts when issues are detected. By automating time-consuming management activities, WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, finding devices that require important updates, or resolving performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management techniques to help keep your network operating at peak levels by tracking the health of critical assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your specified IT personnel and your assigned Progent engineering consultant so that any potential issues can be addressed before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected fault tolerant data center on a fast virtual host configured and managed by Progent's IT support experts. With the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be ported immediately to a different hardware environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect data related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and managing your network documentation, you can save up to half of time thrown away looking for vital information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your business network like standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes next generation behavior-based analysis tools to defend endpoint devices and physical and virtual servers against new malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-matching AV tools. Progent Active Security Monitoring services protect on-premises and cloud resources and offers a single platform to address the entire threat progression including protection, infiltration detection, containment, remediation, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Learn more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Call Desk: Call Center Managed Services
    Progent's Support Center managed services allow your information technology staff to offload Call Center services to Progent or divide activity for support services transparently between your in-house network support staff and Progent's extensive pool of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a seamless extension of your corporate network support team. User access to the Service Desk, provision of technical assistance, issue escalation, ticket generation and tracking, efficiency metrics, and maintenance of the support database are consistent whether incidents are resolved by your in-house IT support staff, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a versatile and cost-effective solution for assessing, validating, scheduling, applying, and documenting updates to your ever-evolving information network. In addition to maximizing the security and functionality of your computer environment, Progent's patch management services permit your in-house IT team to concentrate on more strategic projects and activities that deliver the highest business value from your network. Read more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication services utilize Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication. Duo supports single-tap identity confirmation on iOS, Google Android, and other out-of-band devices. With 2FA, whenever you log into a protected online account and give your password you are requested to confirm your identity via a unit that only you possess and that uses a different network channel. A wide range of out-of-band devices can be used as this added means of authentication including an iPhone or Android or wearable, a hardware token, a landline phone, etc. You can register multiple verification devices. For more information about Duo identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.
For 24-7 Appleton CryptoLocker Repair Support Services, call Progent at 800-462-8800 or go to Contact Progent.