Crypto-Ransomware : Your Worst IT Nightmare
Ransomware Remediation Consultants

Ransomware has become an all-too-frequent cyber pandemic that poses an enterprise-level danger to businesses of every size. Different versions of ransomware such as the CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for years and continue to cause havoc. Recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Egregor, along with as-yet-unnamed malware appearing daily, not only encrypt online data but also infect many configured system backups. Files replicated to the cloud can also be corrupted. In a poorly architected environment, this can make automated recovery hopeless and effectively sets the datacenter back to zero.

Restoring applications and data after a ransomware outage becomes a race against time as the targeted organization tries to contain the damage, remove the malware, and resume enterprise-critical activity. Because ransomware takes time to spread, attacks are often launched at night and on weekends, when they take longer to detect. This multiplies the difficulty of rapidly mobilizing and organizing an experienced response team.

Progent provides a variety of solutions for protecting businesses from crypto-ransomware attacks. These include team training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security solutions with artificial intelligence capabilities from SentinelOne to detect and suppress zero-day cyber attacks. Progent also provides the services of expert ransomware recovery engineers with the skill and perseverance to rebuild a compromised network as quickly as possible.

Progent's Ransomware Restoration Help
Following a crypto-ransomware event, paying the ransom demand in Bitcoin does not guarantee that the criminal gang will respond with the keys to decrypt all your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their files even after sending off the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be approximately $13,000. The other path is to set up the mission-critical components of your IT environment from scratch. Without complete data backups, this requires a wide complement of IT skills, professional team management, and the willingness to work continuously until the task is completed.

For decades, Progent has offered certified expert Information Technology services for companies in Melbourne and throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have earned top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts hold internationally recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of experience gives Progent the capability to efficiently identify the necessary systems, reorganize the surviving pieces of your Information Technology environment after a ransomware attack, and configure them into a functioning network.

Progent's ransomware team utilizes state-of-the-art project management tools to orchestrate the complex restoration process. Progent appreciates the urgency of working swiftly and in unison with a customer's management and Information Technology resources to prioritize tasks and to put critical services back online as fast as humanly possible.

Customer Case Study: A Successful Ransomware Penetration Recovery
A customer contacted Progent after their network was brought down by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean government-sponsored cybercriminals, suspected of using techniques leaked from America's NSA. Ryuk goes after specific businesses with limited tolerance for operational disruption and is among the most profitable ransomware families. Major targets have included Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer located in the Chicago metro area with around 500 employees. The Ryuk attack had shut down all company operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were destroyed. The client was evaluating paying the ransom (in excess of $200K) and hoping for the best, but ultimately called Progent.


"I can't say enough in regards to the care Progent provided us during the most critical period of (our) business's survival. We had little choice but to pay the cybercriminals if not for the confidence the Progent team gave us. The fact that you were able to get our e-mail system and production servers back sooner than a week was amazing. Every single expert I talked with or messaged at Progent was urgently focused on getting us operational and was working day and night on our behalf."

Progent worked together with the client to rapidly determine and assign priority to the mission critical elements that needed to be restored in order to continue company operations:

  • Active Directory
  • Exchange Server
  • Accounting and Manufacturing Software

To start, Progent followed industry best practices for incident mitigation by halting lateral movement and removing the malware. Progent then began recovering Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the client's financial and MRP applications used SQL Server, which relies on Windows AD to authenticate and authorize access to the database.

Within two days, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then completed reinstallations and storage recovery on the required servers. All Microsoft Exchange Server links and configuration information were intact, which accelerated the rebuild of Exchange. Progent was able to collect local OST files (Outlook Offline Folder Files) from team workstations and laptops to recover email messages. A recent offline backup of the client's accounting systems made it possible to restore these essential services to users. Although a great deal of work remained to recover fully from the Ryuk attack, critical services were returned to operation rapidly:


"For the most part, the production manufacturing operation did not miss a beat and we made all customer orders."

Over the next couple of weeks, key milestones in the restoration process were achieved in close collaboration between Progent team members and the customer:

  • In-house web applications were restored with no loss of data.
  • The MailStore Microsoft Exchange Server with over 4 million archived emails was spun up and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were 100 percent restored.
  • A new Palo Alto 850 security appliance was installed.
  • 90% of the desktops and laptops were back into operation.

"A lot of what went on in the initial days is nearly entirely a haze for me, but my team will not soon forget the countless hours each and every one of you accomplished to help get our business back. I've entrusted Progent for at least 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A probable business catastrophe was averted by results-oriented experts, a wide range of subject matter expertise, and close teamwork. Although in retrospect the ransomware attack described here could have been prevented with advanced cyber security solutions and security best practices, user training, and appropriate procedures for information protection and software patching, the reality is that government-sponsored hackers from Russia, China and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware attack, you can be confident that Progent's roster of experts has substantial experience in crypto-ransomware blocking, mitigation, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for allowing me to get some sleep after we made it over the initial push. Everyone did an amazing effort, and if any of your guys is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Melbourne a portfolio of online monitoring and security evaluation services designed to help reduce the threat from crypto-ransomware. These services use modern artificial intelligence capabilities to uncover new variants of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that uses SentinelOne's cutting-edge behavior-based analysis tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud resources and offers a unified platform to manage the complete threat progression including protection, identification, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, penetration alarms, endpoint control, and web filtering via cutting-edge technologies incorporated within a single agent accessible from a single console. Progent's data protection and virtualization experts can help you to design and configure a ProSight ESP environment that addresses your company's specific requirements and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent's consultants can also assist you to set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup technology providers to produce ProSight Data Protection Services (DPS), a family of offerings that provide backup-as-a-service. ProSight DPS services automate and monitor your data backup operations and enable non-disruptive backup and rapid restoration of critical files/folders, applications, system images, and virtual machines. ProSight DPS helps your business protect against data loss caused by hardware breakdown, natural calamities, fire, cyber attacks like ransomware, human mistakes, malicious employees, or application bugs. Managed backup services in the ProSight DPS product family include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security companies to deliver web-based control and comprehensive protection for all your inbound and outbound email. The powerful architecture of Email Guard integrates cloud-based filtering with an on-premises security gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of threats from making it to your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage. Email Guard's onsite gateway device adds a further level of analysis for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to diagram, track, reconfigure and debug their networking appliances such as routers, firewalls, and wireless controllers as well as servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, captures and displays the configuration of virtually all devices connected to your network, monitors performance, and sends notices when problems are discovered. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, finding devices that require important software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the health of the vital computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT management personnel and your assigned Progent consultant so that potential issues can be resolved before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and managed by Progent's network support experts. With the ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be ported immediately to a different hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect data related to your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and organizing your network documentation, you can save up to half the time wasted trying to find vital information about your network. ProSight IT Asset Management features a centralized location for storing and sharing all documents related to managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting-edge behavior-based analysis tools to guard endpoints as well as servers and VMs against modern malware attacks such as ransomware and email phishing, which easily escape traditional signature-based AV tools. Progent ASM services protect on-premises and cloud resources and provide a unified platform to automate the complete threat progression including protection, detection, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Center: Help Desk Managed Services
    Progent's Support Desk services permit your IT group to offload Help Desk services to Progent or split activity for support services transparently between your in-house support team and Progent's nationwide pool of certified IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a smooth extension of your in-house network support group. Client access to the Service Desk, provision of support, escalation, trouble ticket generation and tracking, efficiency measurement, and maintenance of the service database are consistent regardless of whether issues are resolved by your core IT support resources, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Service Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management provide businesses of any size a versatile and affordable solution for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic information system. In addition to optimizing the protection and reliability of your computer environment, Progent's software/firmware update management services free up time for your IT team to concentrate on more strategic projects and tasks that deliver maximum business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against stolen passwords by using two-factor authentication. Duo enables single-tap identity confirmation with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you sign into a protected application and enter your password, you are asked to verify your identity via a device that only you have and that is reached over a different ("out-of-band") network channel. A broad range of devices can be used for this added form of identity validation, such as an iPhone, Android phone or wearable, a hardware token, or a landline telephone. You may register multiple validation devices. To learn more about ProSight Duo identity authentication services, visit Duo MFA two-factor authentication services for access security.

For Melbourne 24x7x365 Crypto-Ransomware Removal Experts, contact Progent at 800-462-8800 or go to Contact Progent.