Crypto-Ransomware : Your Worst IT Disaster
Ransomware Remediation Experts
Ransomware has become a modern cyber pandemic that presents an extinction-level threat for businesses unprepared for an assault. Older ransomware families such as Dharma, Fusob, Locky, SamSam and MongoLock have been in the wild for many years and still cause harm. Newer strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, along with as yet unnamed newcomers, not only encrypt online files but also encrypt or destroy most backups that are reachable from the compromised network. Data replicated to cloud environments can be rendered useless as well. In a poorly architected system this can make restoration hopeless and knocks the entire environment back to square one.

Getting services and information back online following a ransomware attack becomes a sprint against the clock as the victim fights to stop the spread, clean up the ransomware and restore mission-critical operations. Because ransomware needs time to spread, attacks are often launched at night, when a successful intrusion typically takes longer to notice. This compounds the difficulty of rapidly assembling and organizing a knowledgeable response team.

Progent offers an assortment of services for protecting enterprises from ransomware events. Among these are user training to help staff recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security appliances with artificial intelligence capabilities that rapidly discover and quarantine new cyber attacks. Progent can also provide seasoned ransomware recovery engineers with the skills and commitment to rebuild a compromised system as urgently as possible.

Progent's Ransomware Recovery Help
After a crypto-ransomware intrusion, paying the ransom in cryptocurrency does not ensure that the criminal gang will provide the keys to decrypt any of your information. Kaspersky Labs determined that 17% of ransomware victims never restored their data even after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000), significantly above the typical ransomware demand, which ZDNET determined to be around $13,000. The alternative is to piece back together the mission-critical components of your IT environment. Without full backups, this requires a wide complement of skill sets, well-coordinated team management, and the capacity to work continuously until the job is complete.

For decades, Progent has offered certified expert IT services for companies in Buffalo and across the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained top certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of experience gives Progent the capability to efficiently identify the necessary systems, integrate the surviving components of your network environment following a ransomware event, and rebuild them into an operational network.

Progent's recovery team uses top-notch project management tools to orchestrate the complicated recovery process. Progent understands the urgency of working swiftly and in concert with a client's management and IT staff to prioritize tasks and to put the most important systems back online as soon as humanly possible.

Business Case Study: A Successful Ransomware Penetration Restoration
A client contacted Progent after their network was brought down by Ryuk crypto-ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored cybercriminals, suspected of using techniques leaked from America's NSA. Ryuk targets specific organizations with limited tolerance for operational disruption and is among the most profitable ransomware families. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business located in Chicago with around 500 employees. The Ryuk intrusion had brought down all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were damaged. The client was arranging financing to pay the ransom (in excess of $200,000) and hoping for good luck, but ultimately called Progent.


"I can't speak enough about the support Progent provided us throughout the most stressful period of (our) business's life. We would have paid the cyber criminals behind the attack if not for the confidence the Progent experts provided us. That you were able to get our messaging and production applications back online in less than five days was amazing. Every single expert I interacted with or communicated with at Progent was absolutely committed to getting our system up and was working non-stop to bail us out."

Progent worked hand in hand with the customer to quickly assess and prioritize the mission-critical applications that had to be recovered before company operations could resume:

  • Active Directory (AD)
  • Electronic Mail
  • Financials/MRP

To start, Progent followed ransomware incident response best practices by stopping lateral movement and cleaning up compromised systems. Progent then began recovering Microsoft AD, the heart of enterprise systems built on Microsoft technology. Exchange email will not work without AD, and the customer's financials and MRP applications ran on Microsoft SQL Server, which depends on Windows AD to authenticate access to the data.

In less than 48 hours, Progent rebuilt Active Directory to its pre-attack state. Progent then completed reinstallation and storage recovery of key systems. All Exchange Server schema and configuration information was usable, which accelerated the Exchange restore. Progent was also able to locate unencrypted OST files (Outlook Offline Folder Files) on various workstations and recover email messages from them. A recent offline backup of the business's financials/ERP systems made it possible to bring these vital applications back online for users. Although a large amount of work remained to recover fully from the Ryuk damage, critical systems were returned to operation rapidly:
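The OST salvage step described above, as an added example that is not Progent's code: a Python triage script that walks workstation profile directories, finds Outlook .ost/.pst files and buckets them as still intact (valid "!BDN" signature and low entropy), encrypted in place, or renamed with an extra extension. The 7.5 bits/byte entropy threshold, the directory names and the sample files are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

PFF_MAGIC = b"!BDN"            # signature at offset 0 of every Outlook PST/OST file
OUTLOOK_SUFFIXES = {".ost", ".pst"}
SAMPLE_BYTES = 4096            # header region inspected per file
ENCRYPTED_ENTROPY = 7.5        # assumed cut-off in bits/byte; ciphertext nears 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """'intact' if the file still carries a valid signature and low-entropy
    header structure, otherwise 'encrypted' (overwritten in place)."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if head.startswith(PFF_MAGIC) and shannon_entropy(head) < ENCRYPTED_ENTROPY:
        return "intact"
    return "encrypted"


def triage_outlook_files(root: Path) -> dict:
    """Walk root and bucket Outlook data files as intact, encrypted, or
    renamed (an .ost/.pst followed by an extra extension, as ransomware
    commonly does); renamed files are not opened, only reported."""
    buckets = {"intact": [], "encrypted": [], "renamed": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            suffixes = [s.lower() for s in path.suffixes]
            if path.suffix.lower() in OUTLOOK_SUFFIXES:
                buckets[classify_file(path)].append(path)
            elif any(s in OUTLOOK_SUFFIXES for s in suffixes[:-1]):
                buckets["renamed"].append(path)
    return buckets


def build_sample_tree(root: Path) -> None:
    """Constructed workstation profiles for a dry run (not real data)."""
    for sub in ("ws01", "ws02", "ws03"):
        (root / sub).mkdir(parents=True)
    # Untouched file: valid signature, then the mostly-zero body of a real OST.
    (root / "ws01" / "user.ost").write_bytes(PFF_MAGIC + bytes(SAMPLE_BYTES - 4))
    # Encrypted in place: same name, but header and body are uniformly random.
    (root / "ws02" / "user.ost").write_bytes(os.urandom(SAMPLE_BYTES))
    # Encrypted and renamed with an extra extension.
    (root / "ws03" / "archive.pst.locked").write_bytes(os.urandom(SAMPLE_BYTES))


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and return counts per bucket."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return {k: len(v) for k, v in triage_outlook_files(Path(tmp)).items()}


if __name__ == "__main__":
    print(run_demo())  # {'intact': 1, 'encrypted': 1, 'renamed': 1}
```

Point `triage_outlook_files` at a mounted image of each workstation's user profile tree; only the "intact" bucket is worth copying to a clean host for mailbox recovery.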


"For the most part, the production operation never missed a beat and we produced all customer shipments."

Over the next few weeks, critical milestones in the restoration process were reached in close cooperation between Progent engineers and the client:

  • In-house web sites were returned to operation with no loss of information.
  • The MailStore Server with over 4 million historical emails was brought online and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/AR/Inventory Control capabilities were 100 percent restored.
  • A new Palo Alto 850 security appliance was brought online.
  • Ninety percent of the user desktops were operational.

"A huge amount of what occurred those first few days is nearly entirely a blur for me, but we will not forget the countless hours each and every one of the team accomplished to help get our business back. I've been working together with Progent for at least 10 years, possibly more, and every time Progent has shined and delivered as promised. This situation was the most impressive ever."

Conclusion
A probable business-killing catastrophe was averted through the efforts of results-oriented experts, a broad array of technical expertise, and close teamwork. In hindsight, the ransomware intrusion described here would have been detected and stopped by up-to-date security systems and recognized best practices: staff training, properly executed incident response procedures for information protection, and systems kept current with security patches. The reality, however, is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you are hit by a ransomware attack, remember that Progent's roster of professionals has substantial experience in ransomware defense, removal, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for letting me get some sleep after we got through the initial push. Everyone did an amazing job, and if any of your team is in the Chicago area, dinner is on me!"

To review or download a PDF version of this customer story, see Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Buffalo a range of remote monitoring and security evaluation services to help you minimize your exposure to ransomware. These services include next-generation machine learning technology to uncover zero-day variants of ransomware that escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates cutting-edge behavior-based machine learning technology to guard physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily escape traditional signature-matching anti-virus products. ProSight ASM protects on-premises and cloud resources and offers a unified platform to automate the entire malware attack lifecycle including protection, detection, containment, remediation, and forensics. Top features include single-click rollback with Windows VSS and real-time network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and response to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies incorporated within one agent managed from a single console. Progent's data protection and virtualization experts can help you design and implement a ProSight ESP deployment that addresses your company's unique needs and that helps you achieve and demonstrate compliance with government and industry information security standards. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require urgent attention. Progent can also help you install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with leading backup technology companies to produce ProSight Data Protection Services, a selection of managed offerings that provide backup-as-a-service. ProSight DPS products automate and track your backup processes and allow transparent backup and fast restoration of critical files, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss resulting from equipment breakdown, natural disasters, fire, malware like ransomware, user error, ill-intentioned employees, or application glitches. Managed backup services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security vendors to provide web-based control and comprehensive security for your email traffic. The layered architecture of Progent's Email Guard combines cloud-based filtering with a local security gateway device to provide complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter acts as a preliminary barricade and blocks most unwanted email before it reaches your network firewall. This decreases your exposure to inbound threats and saves system bandwidth and storage. Email Guard's onsite gateway device provides a further level of inspection for incoming email. For outbound email, the onsite security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Exchange Server monitor and protect internal email that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to diagram, monitor, optimize and troubleshoot their connectivity hardware like routers, firewalls, and access points plus servers, printers, endpoints and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, copies and manages the configuration information of almost all devices on your network, tracks performance, and sends alerts when potential issues are discovered. By automating tedious network management activities, ProSight WAN Watch can cut hours off ordinary tasks such as making network diagrams, reconfiguring your network, finding appliances that require important updates, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to keep your network operating efficiently by tracking the health of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT management staff and your assigned Progent engineering consultant so that all looming problems can be resolved before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hosting solution without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect information about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can eliminate as much as 50% of time spent searching for vital information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents required for managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting-edge behavior-based machine learning tools to defend endpoints as well as servers and VMs against new malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-matching anti-virus tools. Progent ASM services protect on-premises and cloud-based resources and offer a unified platform to manage the complete threat progression including filtering, detection, mitigation, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Call Desk managed services allow your information technology team to outsource Help Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your internal network support team and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a smooth extension of your core IT support resources. End user access to the Service Desk, provision of technical assistance, problem escalation, trouble ticket creation and tracking, performance metrics, and management of the service database are cohesive whether incidents are resolved by your corporate network support staff, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Help Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide organizations of all sizes a versatile and affordable alternative for assessing, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information network. In addition to maximizing the protection and reliability of your computer environment, Progent's software/firmware update management services permit your in-house IT team to focus on more strategic initiatives and tasks that derive maximum business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity verification on iOS, Google Android, and other personal devices. With 2FA, when you log into a protected online account and enter your password, you are asked to verify who you are on a device that only you possess and that is reached over a different ("out-of-band") network channel. A wide range of devices can be used as this second factor, including an iPhone, Android phone or smart watch, a hardware or software token, a landline telephone, and so on. You can designate several validation devices. For more information about ProSight Duo identity authentication services, see Duo MFA two-factor authentication (2FA) services for access security.

For Buffalo 24x7 Crypto Remediation Support Services, call Progent at 800-462-8800 or go to Contact Progent.