Crypto-Ransomware : Your Feared IT Catastrophe
Ransomware  Recovery ConsultantsRansomware has become a too-frequent cyber pandemic that poses an extinction-level threat for organizations unprepared for an assault. Multiple generations of crypto-ransomware like the CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for many years and continue to inflict damage. More recent variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, along with frequent as yet unnamed viruses, not only encrypt on-line information but also infect most configured system protection mechanisms. Data synchronized to the cloud can also be ransomed. In a vulnerable data protection solution, this can render any restoration impossible and effectively sets the datacenter back to zero.

Recovering services and data after a ransomware outage becomes a sprint against time as the targeted business fights to stop lateral movement and clear the crypto-ransomware and to resume business-critical activity. Since ransomware needs time to spread, attacks are frequently sprung during nights and weekends, when successful penetrations typically take more time to uncover. This compounds the difficulty of rapidly marshalling and orchestrating a capable mitigation team.

Progent provides an assortment of help services for securing organizations from crypto-ransomware attacks. These include team education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of the latest generation security solutions with machine learning technology from SentinelOne to discover and quarantine zero-day cyber threats rapidly. Progent also offers the assistance of veteran ransomware recovery consultants with the skills and perseverance to re-deploy a breached environment as soon as possible.

Progent's Ransomware Restoration Services
Following a ransomware event, sending the ransom in cryptocurrency does not guarantee that distant criminals will respond with the keys to unencrypt all your data. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never restored their files after having paid the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the usual ransomware demands, which ZDNET averages to be in the range of $13,000. The fallback is to re-install the mission-critical components of your IT environment. Absent the availability of essential information backups, this calls for a broad complement of skill sets, well-coordinated project management, and the capability to work continuously until the task is finished.

For twenty years, Progent has provided professional IT services for companies in Buffalo and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have been awarded high-level industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have garnered internationally-recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise in accounting and ERP applications. This breadth of expertise affords Progent the skills to efficiently determine critical systems and consolidate the remaining components of your IT environment after a crypto-ransomware attack and rebuild them into an operational system.

Progent's ransomware group has best of breed project management systems to orchestrate the complicated restoration process. Progent understands the urgency of working quickly and together with a client's management and Information Technology resources to prioritize tasks and to put essential services back online as soon as possible.

Client Story: A Successful Ransomware Incident Response
A small business hired Progent after their network system was crashed by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state hackers, possibly adopting algorithms leaked from America's NSA organization. Ryuk targets specific businesses with limited room for disruption and is among the most lucrative incarnations of ransomware. High publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in the Chicago metro area and has around 500 workers. The Ryuk attack had frozen all essential operations and manufacturing capabilities. The majority of the client's data protection had been directly accessible at the start of the intrusion and were encrypted. The client was actively seeking loans for paying the ransom demand (in excess of $200K) and hoping for the best, but in the end engaged Progent.


"I cannot thank you enough in regards to the expertise Progent provided us throughout the most critical period of (our) company's existence. We would have paid the Hackers if not for the confidence the Progent experts provided us. That you could get our e-mail system and critical servers back quicker than one week was amazing. Each expert I talked with or e-mailed at Progent was absolutely committed on getting us operational and was working 24 by 7 to bail us out."

Progent worked with the client to rapidly assess and assign priority to the most important applications that needed to be addressed to make it possible to continue departmental operations:

  • Windows Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software
To start, Progent adhered to ransomware event mitigation best practices by stopping lateral movement and removing active viruses. Progent then initiated the steps of recovering Active Directory, the core of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not function without AD, and the businesses' accounting and MRP applications used Microsoft SQL Server, which depends on Active Directory for authentication to the information.

Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then helped perform setup and storage recovery on the most important systems. All Exchange ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to find intact OST files (Outlook Off-Line Data Files) on various desktop computers and laptops in order to recover mail information. A not too old offline backup of the client's accounting/MRP software made them able to return these essential applications back on-line. Although major work was left to recover fully from the Ryuk damage, core systems were returned to operations rapidly:


"For the most part, the production manufacturing operation was never shut down and we delivered all customer orders."

During the following month key milestones in the recovery process were completed through close cooperation between Progent consultants and the customer:

  • In-house web sites were returned to operation without losing any information.
  • The MailStore Exchange Server exceeding 4 million archived emails was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory Control modules were 100 percent operational.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Ninety percent of the user desktops and notebooks were fully operational.

"So much of what transpired that first week is mostly a haze for me, but my team will not soon forget the commitment each of the team put in to help get our company back. I have utilized Progent for the past ten years, possibly more, and each time Progent has shined and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A potential business-killing catastrophe was avoided with dedicated professionals, a broad array of technical expertise, and tight teamwork. Although in hindsight the ransomware incident described here would have been identified and blocked with modern security systems and NIST Cybersecurity Framework best practices, user education, and appropriate incident response procedures for backup and proper patching controls, the fact is that government-sponsored cybercriminals from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware incident, feel confident that Progent's roster of professionals has a proven track record in ransomware virus defense, removal, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were contributing), thanks very much for letting me get rested after we got past the initial push. Everyone did an incredible effort, and if any of your guys is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Buffalo a range of online monitoring and security assessment services to help you to reduce the threat from crypto-ransomware. These services incorporate modern artificial intelligence capability to uncover zero-day strains of ransomware that can escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior machine learning technology to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to manage the entire malware attack progression including protection, identification, containment, cleanup, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable multi-layer protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP offers firewall protection, penetration alerts, device management, and web filtering via leading-edge tools packaged within one agent accessible from a unified control. Progent's security and virtualization experts can assist you to plan and configure a ProSight ESP environment that meets your organization's specific needs and that helps you demonstrate compliance with legal and industry data protection standards. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require immediate action. Progent's consultants can also assist your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore technology providers to produce ProSight Data Protection Services, a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS services automate and monitor your backup processes and allow transparent backup and fast recovery of vital files, applications, images, plus VMs. ProSight DPS lets you recover from data loss resulting from equipment breakdown, natural disasters, fire, malware like ransomware, user error, malicious employees, or application glitches. Managed backup services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security vendors to deliver web-based control and world-class security for your email traffic. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter acts as a preliminary barricade and keeps most threats from reaching your network firewall. This reduces your vulnerability to external threats and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a further level of inspection for inbound email. For outgoing email, the onsite gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, monitor, optimize and debug their connectivity hardware like switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that network diagrams are kept updated, captures and displays the configuration of virtually all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, locating devices that require important software patches, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your network running efficiently by tracking the health of vital assets that power your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT staff and your Progent engineering consultant so any looming problems can be addressed before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported easily to a different hosting environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard data about your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned automatically about upcoming expirations of SSLs or warranties. By updating and managing your IT documentation, you can eliminate as much as 50% of time thrown away looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates next generation behavior analysis tools to guard endpoints and servers and VMs against modern malware assaults such as ransomware and email phishing, which easily evade legacy signature-based anti-virus products. Progent ASM services safeguard on-premises and cloud-based resources and provides a unified platform to automate the entire threat lifecycle including filtering, identification, containment, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Call Desk: Call Center Managed Services
    Progent's Support Desk managed services enable your information technology staff to outsource Help Desk services to Progent or split responsibilities for Service Desk support seamlessly between your internal network support resources and Progent's extensive pool of IT service engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless supplement to your internal IT support resources. End user access to the Help Desk, delivery of technical assistance, escalation, ticket generation and updates, performance metrics, and management of the service database are cohesive regardless of whether issues are resolved by your internal network support resources, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer organizations of all sizes a versatile and affordable solution for assessing, validating, scheduling, applying, and tracking software and firmware updates to your dynamic IT network. Besides optimizing the security and reliability of your computer environment, Progent's patch management services allow your IT staff to concentrate on more strategic initiatives and tasks that derive maximum business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication (2FA). Duo enables one-tap identity confirmation on Apple iOS, Android, and other personal devices. Using 2FA, when you sign into a secured online account and enter your password you are requested to confirm who you are on a unit that only you have and that is accessed using a different ("out-of-band") network channel. A broad selection of out-of-band devices can be utilized for this second means of authentication such as an iPhone or Android or wearable, a hardware/software token, a landline telephone, etc. You can designate several validation devices. To find out more about Duo identity validation services, refer to Cisco Duo MFA two-factor authentication (2FA) services for access security.
For Buffalo 24/7/365 CryptoLocker Recovery Help, reach out to Progent at 800-462-8800 or go to Contact Progent.