Crypto-Ransomware : Your Crippling Information Technology Disaster
Crypto-Ransomware Recovery Professionals

Ransomware has become a too-frequent cyber pandemic that represents an extinction-level danger for businesses of all sizes unprepared for an assault. Multiple generations of ransomware like the CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been out in the wild for years and continue to inflict destruction. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus daily unnamed malware, not only encrypt online data files but also infect any system backups they can reach. Files synchronized to cloud environments can also be rendered useless. In a poorly architected data protection solution, this can render automated restoration hopeless and basically sets the entire system back to zero.

Getting programs and data back online after a ransomware intrusion becomes a sprint against the clock as the targeted organization fights to contain and clean up the ransomware and to restore business-critical operations. Since crypto-ransomware requires time to replicate, assaults are often sprung during weekends and nights, when attacks in many cases take more time to identify. This multiplies the difficulty of promptly assembling and orchestrating an experienced mitigation team.

Progent makes available a range of solutions for protecting businesses from ransomware events. These include team member education to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security appliances with machine learning technology from SentinelOne to identify and extinguish new threats rapidly. Progent in addition offers the assistance of experienced crypto-ransomware recovery engineers with the talent and perseverance to rebuild a breached environment as soon as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a ransomware event, sending the ransom in cryptocurrency does not ensure that criminal gangs will provide the keys to decrypt all your files. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET determined to be around $13,000. The fallback is to set up from scratch the vital elements of your IT environment. Absent access to complete data backups, this calls for a wide complement of IT skills, top-notch team management, and the ability to work 24x7 until the task is complete.

For two decades, Progent has provided professional Information Technology services for companies in Lima and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have earned top certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security engineers have earned internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial systems and ERP software solutions. This breadth of expertise gives Progent the skills to knowledgeably determine which systems are necessary, integrate the remaining components of your computer network environment after a ransomware penetration, and configure them into an operational system.

Progent's recovery team of experts deploys powerful project management systems to orchestrate the sophisticated recovery process. Progent appreciates the importance of working swiftly and in concert with a client's management and IT resources to assign priority to tasks and to put critical services back online as soon as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A customer engaged Progent after their company was brought down by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean government-sponsored hackers, possibly using techniques leaked from America's NSA. Ryuk seeks out specific companies with limited room for disruption and is one of the most lucrative versions of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business based in the Chicago metro area with around 500 workers. The Ryuk attack had frozen all essential operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were damaged. The client was preparing to pay the ransom demand (in excess of $200K) and hope for the best, but in the end called Progent.


"I can't tell you enough in regards to the care Progent gave us throughout the most critical time of (our) business's existence. We may have had to pay the cyber criminals if not for the confidence the Progent group provided us. That you were able to get our e-mail system and essential applications back into operation quicker than seven days was something I thought impossible. Every single person I worked with or e-mailed at Progent was hell bent on getting us restored and was working day and night to bail us out."

Progent worked hand in hand with the client to quickly get a handle on and prioritize the essential elements that needed to be addressed to make it possible to resume departmental functions:

  • Windows Active Directory
  • E-Mail
  • Financials/MRP

To get going, Progent adhered to incident response best practices by isolating and cleaning up infected systems. Progent then started the work of restoring Microsoft Active Directory, the core of enterprise networks built on Microsoft technology. Exchange email will not work without Active Directory, and the business's financials and MRP system utilized SQL Server, which depends on Windows AD for access to the databases.

Within 48 hours, Progent was able to recover Active Directory to its pre-penetration state. Progent then charged ahead with reinstallations and hard drive recovery on the most important servers. All Exchange Server ties and configuration information were usable, which accelerated the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Offline Data Files) on staff desktop computers and laptops in order to recover mail messages. A recent offline backup of the customer's financials/ERP systems made it possible to bring these essential applications back online. Although a lot of work remained to recover fully from the Ryuk virus, the most important systems were returned to operation quickly:


"For the most part, the assembly line operation did not miss a beat and we produced all customer sales."

Over the next few weeks important milestones in the restoration process were achieved through close collaboration between Progent consultants and the client:

  • In-house web sites were brought back up without losing any information.
  • The MailStore archive for Exchange Server, holding more than four million archived emails, was restored to operation and made accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory modules were 100 percent operational.
  • A new Palo Alto Networks 850 firewall was set up.
  • Ninety percent of the user desktops were back into operation.

"Much of what occurred in the initial days is mostly a blur for me, but we will not soon forget the urgency each of you accomplished to give us our company back. I've utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered. This time was the most impressive ever."

Conclusion
A likely company-ending catastrophe was dodged by top-tier professionals, a wide array of IT skills, and tight teamwork. Although in retrospect the ransomware penetration detailed here could have been blocked with current security technology, recognized best practices, staff education, and appropriate procedures for data protection and applying software patches, the fact is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a crypto-ransomware penetration, remember that Progent's team of experts has extensive experience in ransomware blocking, mitigation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for allowing me to get some sleep after we made it past the initial fire. All of you did an impressive effort, and if any of your guys is around the Chicago area, dinner is my treat!"

To read or download a PDF version of this case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Lima a range of remote monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services utilize modern artificial intelligence technology to detect zero-day strains of ransomware that are able to escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next-generation behavior analysis technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which easily get by legacy signature-matching AV products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to manage the complete threat progression including blocking, identification, mitigation, remediation, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge technologies incorporated within one agent managed from a unified console. Progent's security and virtualization consultants can help you to design and implement a ProSight ESP environment that meets your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require urgent action. Progent's consultants can also help your company to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with advanced backup/restore software companies to create ProSight Data Protection Services (DPS), a family of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup operations and enable transparent backup and fast restoration of critical files/folders, applications, system images, and VMs. ProSight DPS lets you recover from data loss caused by equipment failures, natural disasters, fire, cyber attacks such as ransomware, human error, ill-intentioned employees, or application glitches. Managed backup services in the ProSight Data Protection Services portfolio include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security companies to deliver centralized control and comprehensive protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based malware. Email Guard's cloud filter acts as a first line of defense and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and saves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a further level of inspection for inbound email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to map out, monitor, reconfigure and debug their networking appliances like routers, firewalls, and load balancers as well as servers, client computers and other devices. Using state-of-the-art RMM technology, WAN Watch makes sure that network maps are always current, captures and displays the configuration information of almost all devices on your network, monitors performance, and sends alerts when issues are detected. By automating complex network management processes, WAN Watch can knock hours off ordinary chores such as making network diagrams, reconfiguring your network, finding devices that require important software patches, or isolating performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management technology to help keep your IT system operating at peak levels by tracking the state of the vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT personnel and your Progent engineering consultant so any potential issues can be resolved before they can impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure fault-tolerant data center on a fast virtual machine host configured and maintained by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hardware environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and safeguard data about your network infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By cleaning up and managing your IT documentation, you can save as much as half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're making improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that utilizes cutting-edge behavior-based machine learning tools to guard endpoints as well as physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which easily get by legacy signature-matching AV tools. Progent ASM services safeguard local and cloud-based resources and offer a single platform to automate the entire threat progression including filtering, detection, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and real-time system-wide immunization against new threats. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Center: Help Desk Managed Services
    Progent's Support Desk services permit your information technology group to outsource Call Center services to Progent or divide responsibilities for Service Desk support seamlessly between your internal support resources and Progent's extensive roster of IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a smooth supplement to your core IT support resources. End user access to the Service Desk, delivery of support, issue escalation, trouble ticket creation and tracking, efficiency metrics, and management of the support database are cohesive regardless of whether incidents are taken care of by your core network support resources, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer organizations of any size a versatile and affordable alternative for assessing, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving information network. In addition to optimizing the protection and reliability of your IT network, Progent's patch management services permit your in-house IT team to concentrate on line-of-business projects and tasks that derive maximum business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA services utilize Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity verification with iOS, Android, and other personal devices. Using Duo 2FA, whenever you log into a secured application and enter your password you are asked to confirm your identity on a unit that only you possess and that uses a different ("out-of-band") network channel. A wide selection of out-of-band devices can be utilized as this added form of ID validation such as an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may register multiple verification devices. To find out more about Duo identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services.

For Lima 24-Hour Crypto-Ransomware Recovery Consultants, call Progent at 800-462-8800 or go to Contact Progent.