Crypto-Ransomware : Your Worst IT Catastrophe
Crypto-ransomware has become an escalating cyberplague that poses an extinction-level threat for businesses of all sizes vulnerable to an attack. Multiple generations of ransomware such as Dharma, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for a long time and continue to cause damage. More recent variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Egregor, plus additional unnamed malware, not only encrypt online data but also infect any accessible system backups. Files synchronized to the cloud can also be corrupted. In a poorly architected environment this can make automated recovery impossible and effectively set the datacenter back to zero.

Getting on-line services and information back following a ransomware outage becomes a sprint against the clock as the targeted organization fights to stop the spread, clear the ransomware, and resume mission-critical operations. Because ransomware takes time to spread, assaults are often launched during nights and weekends, when attacks are likely to take longer to identify. This multiplies the difficulty of promptly marshalling and orchestrating a qualified response team.

Progent offers an assortment of support services for protecting organizations from crypto-ransomware events. Among these are staff education to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus installation of latest-generation security solutions with artificial intelligence capabilities to intelligently discover and suppress new threats. Progent can also provide the services of veteran ransomware recovery consultants with the talent and commitment to rebuild a compromised network as rapidly as possible.

Progent's Crypto-Ransomware Recovery Services
Subsequent to a ransomware event, even paying the ransom demand in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the keys to decrypt all your information. Kaspersky ascertained that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC (between $120,000 and $400,000). This is greatly above the average crypto-ransomware demand, which ZDNET determined to be around $13,000. The alternative is to piece back together the key components of your Information Technology environment. Without the availability of essential system backups, this calls for a broad range of skill sets, well-coordinated project management, and the ability to work continuously until the job is finished.

For two decades, Progent has provided expert IT services for businesses in Melbourne and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent in addition has experience in accounting and ERP applications. This breadth of experience gives Progent the capability to knowledgeably identify important systems, organize the surviving pieces of your IT system following a ransomware attack, and assemble them into an operational network.

Progent's recovery team utilizes state-of-the-art project management tools to orchestrate the complicated restoration process. Progent knows the urgency of working rapidly and in unison with a client's management and Information Technology staff to prioritize tasks and to put the most important services back on-line as soon as humanly possible.

Case Study: A Successful Ransomware Intrusion Recovery
A customer engaged Progent after their organization was brought down by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state-sponsored criminal gangs, possibly using technology leaked from the U.S. NSA. Ryuk seeks out specific businesses with little tolerance for operational disruption and is among the most lucrative versions of crypto-ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with about 500 staff members. The Ryuk attack had shut down all essential operations and manufacturing processes. Most of the client's backups had been on-line at the start of the intrusion and were destroyed. The client was preparing to pay the ransom demand (in excess of $200,000) and hoping for the best, but ultimately engaged Progent.


"I can't say enough about the help Progent gave us throughout the most stressful period of (our) company's life. We may have had to pay the cyber criminals except for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and critical servers back on-line sooner than 1 week was beyond my wildest dreams. Every single expert I talked with or messaged at Progent was absolutely committed on getting us back online and was working day and night to bail us out."

Progent worked with the customer to quickly assess and prioritize the key areas that had to be restored in order to continue business functions:

  • Active Directory
  • Electronic Messaging
  • Accounting and Manufacturing Software

To start, Progent followed industry best practices for malware incident response by stopping lateral movement and cleaning up infected systems. Progent then began restoring Active Directory, the heart of enterprise systems built on Microsoft Windows technology. Exchange messaging will not work without Active Directory, and the client's accounting and MRP applications relied on Microsoft SQL Server, which depends on Active Directory for authentication to the databases.

Within 2 days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then rebuilt essential applications and recovered their storage. All Exchange data and attributes were intact, which greatly helped the restoration of Exchange. Progent was able to locate intact OST data files (Outlook Off-Line Folder Files) on staff desktop computers and laptops in order to recover email information. A recent offline backup of the business's accounting software made it possible to bring these essential applications back on-line. Although a lot of work still had to be done to recover totally from the Ryuk damage, critical systems were restored rapidly:


"For the most part, the production operation ran fairly normal throughout and we delivered all customer deliverables."

Throughout the following few weeks, important milestones in the recovery project were completed in tight cooperation between Progent engineers and the client:

  • Self-hosted web applications were restored with no loss of information.
  • The MailStore Server containing more than four million historical messages was restored to operations and available for users.
  • CRM/Orders/Invoices/AP/AR/Inventory Control capabilities were fully functional.
  • A new Palo Alto 850 firewall was installed.
  • Nearly all of the user desktops and notebooks were operational.

"Much of what happened that first week is mostly a fog for me, but I will not soon forget the commitment all of your team accomplished to give us our business back. I have utilized Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A probable enterprise-killing catastrophe was avoided through the efforts of dedicated experts, a broad array of subject matter expertise, and close teamwork. Although forensics showed that the ransomware incident detailed here would have been stopped by modern security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and properly executed procedures for data backup and patching, the fact remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team of experts has extensive experience in ransomware defense, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for letting me get rested after we got through the most critical parts. Everyone did an incredible job, and if anyone is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, see Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Melbourne a portfolio of online monitoring and security evaluation services to help you minimize the threat from crypto-ransomware. These services include next-generation machine learning technology to uncover new strains of ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes next generation behavior-based analysis technology to guard physical and virtual endpoint devices against new malware attacks such as ransomware and email phishing, which easily escape legacy signature-matching anti-virus products. ProSight ASM protects local and cloud-based resources and offers a unified platform to manage the entire threat progression including protection, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and react to security assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge tools incorporated within a single agent accessible from a unified console. Progent's security and virtualization experts can assist your business to plan and implement a ProSight ESP environment that addresses your organization's unique requirements and that allows you to achieve and demonstrate compliance with legal and industry data protection regulations. Progent will assist you in specifying and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate action. Progent can also assist you to install and test a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup technology companies to produce ProSight Data Protection Services (DPS), a portfolio of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your backup operations and allow transparent backup and rapid recovery of important files/folders, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss caused by equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, user mistakes, malicious employees, or application bugs. Managed services in the ProSight Data Protection Services product family include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading information security vendors to deliver centralized management and world-class security for your email traffic. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with a local gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your vulnerability to external attacks and conserves system bandwidth and storage space. Email Guard's onsite security gateway device provides a further layer of inspection for inbound email. For outgoing email, the onsite gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map out, track, reconfigure and debug their connectivity appliances like routers, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are kept updated, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and generates notices when problems are detected. By automating time-consuming management and troubleshooting activities, WAN Watch can cut hours off ordinary chores like network mapping, expanding your network, locating appliances that require critical updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management techniques to help keep your IT system running efficiently by tracking the health of vital computers that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT staff and your assigned Progent engineering consultant so that any potential issues can be addressed before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the apps. Since the environment is virtualized, it can be moved immediately to a different hosting solution without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard information related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By keeping your IT documentation updated and organized, you can save as much as half of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based machine learning tools to guard endpoint devices, servers and VMs against new malware attacks such as ransomware and email phishing, which easily evade legacy signature-based anti-virus products. Progent ASM services protect local and cloud-based resources and provide a unified platform to address the complete malware attack lifecycle including protection, identification, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Read more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Center: Call Center Managed Services
    Progent's Help Desk managed services enable your information technology team to offload Help Desk services to Progent or split activity for Help Desk services transparently between your in-house support resources and Progent's extensive pool of IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a transparent extension of your internal support staff. End user access to the Help Desk, provision of technical assistance, problem escalation, ticket creation and updates, performance metrics, and maintenance of the service database are consistent whether incidents are resolved by your core IT support group, by Progent, or by a combination. Learn more about Progent's outsourced/shared Service Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management provide businesses of any size a versatile and cost-effective alternative for evaluating, testing, scheduling, implementing, and documenting updates to your ever-evolving IT system. Besides maximizing the protection and reliability of your IT network, Progent's software/firmware update management services allow your IT team to concentrate on more strategic initiatives and tasks that derive maximum business value from your network. Find out more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication. Duo supports one-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected application and give your password, you are asked to verify who you are via a device that only you possess and that uses a separate network channel. A broad selection of devices can be used as this added form of authentication, including a smartphone or wearable, a hardware token, or a landline phone. You may designate several verification devices. To find out more about ProSight Duo identity validation services, refer to Cisco Duo MFA two-factor authentication (2FA) services for access security.

For 24-7 Melbourne ransomware recovery help, reach out to Progent at 800-462-8800 or go to Contact Progent.