Crypto-Ransomware : Your Feared IT Disaster
Ransomware has become a too-frequent cyberplague that poses an existential threat to businesses poorly prepared for an attack. Different versions of crypto-ransomware like the CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and still inflict destruction. Newer versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with more unnamed malware, not only encrypt online data but also corrupt many of the available system protection mechanisms. Files synchronized to the cloud can also be corrupted. In a vulnerable system, this can make any restore operation impossible and basically knocks the network back to zero.

Getting programs and information back online after a crypto-ransomware attack becomes a sprint against the clock as the targeted business tries its best to contain the damage, remove the malware, and resume enterprise-critical operations. Because crypto-ransomware requires time to spread, attacks are often launched during nights and weekends, when they are likely to take longer to detect. This compounds the difficulty of rapidly marshalling and orchestrating a qualified mitigation team.

Progent provides an assortment of solutions for protecting organizations from crypto-ransomware penetrations. These include user training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of AI-capable security gateways from SentinelOne to detect and quarantine zero-day threats rapidly. Progent can also provide the services of expert crypto-ransomware recovery consultants with the skills and perseverance to reconstruct a compromised network as quickly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom demand in Bitcoin cryptocurrency does not ensure that the criminal gang will return the keys needed to decrypt all your information. Kaspersky estimated that 17% of crypto-ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. Paying is also costly: Ryuk ransoms often range from fifteen to forty BTC (between $120,000 and $400,000). This is far higher than the usual ransomware demand, which ZDNET determined to be approximately $13,000. The fallback is to piece back together the vital elements of your Information Technology environment. Without access to essential information backups, this calls for a wide range of skills, top-notch project management, and the ability to work non-stop until the recovery project is finished.

For twenty years, Progent has offered professional IT services for businesses in Philadelphia and across the U.S. and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned top industry certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have garnered internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP applications. This breadth of expertise allows Progent to efficiently understand important systems, integrate the surviving components of your network environment after a ransomware penetration, and rebuild them into a functioning system.

Progent's recovery team of experts utilizes state-of-the-art project management systems to coordinate the sophisticated recovery process. Progent knows the importance of working quickly and in concert with a client's management and IT team members to prioritize tasks and to get the most important services back online as soon as possible.

Business Case Study: A Successful Ransomware Intrusion Response
A client sought out Progent after their company was penetrated by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state-sponsored cybercriminals, suspected of adopting algorithms exposed from the U.S. National Security Agency. Ryuk seeks out specific organizations with little tolerance for disruption and is among the most profitable examples of ransomware malware. Highly publicized targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk attack had paralyzed all company operations and manufacturing processes. Most of the client's backups had been directly accessible at the beginning of the attack and were destroyed. The client was actively seeking loans to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.


"I cannot thank you enough for the expertise Progent provided us throughout the most stressful time of (our) company's survival. We had little choice but to pay the cyber criminals if not for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and critical servers back in less than 1 week was beyond my wildest dreams. Each person I interacted with or e-mailed at Progent was amazingly focused on getting us back on-line and was working at a breakneck pace to bail us out."

Progent worked with the customer to rapidly understand and prioritize the key services that needed to be recovered in order to restart company functions:

  • Microsoft Active Directory
  • Exchange Server
  • Financials/MRP

To get going, Progent adhered to industry best practices for malware incident response by halting lateral movement and cleaning up compromised systems. Progent then started the work of recovering Microsoft AD, the heart of enterprise environments built on Microsoft Windows Server technology. Exchange messaging will not function without Active Directory, and the client's accounting and MRP applications used Microsoft SQL Server, which relies on Windows AD to authenticate access to the databases.

In less than 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then rebuilt critical servers and recovered their storage. All Microsoft Exchange Server schema and configuration information was usable, which accelerated the rebuild of Exchange. Progent was also able to collect local OST data files (Outlook Off-Line Folder Files) from user workstations and laptops in order to recover mail messages. A recent off-line backup of the client's financials/MRP software made it possible to bring these required applications back online. Although a lot of work remained to recover completely from the Ryuk attack, essential services were restored rapidly:


"For the most part, the manufacturing operation showed little impact and we did not miss any customer sales."

During the next couple of weeks, critical milestones in the recovery project were completed through close cooperation between Progent team members and the customer:

  • Self-hosted web sites were brought back up without losing any data.
  • The MailStore Server containing more than four million archived emails was brought online and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control functions were completely restored.
  • A new Palo Alto 850 firewall was set up and programmed.
  • 90% of the desktop computers were back in use by staff.

"So much of what happened in the early hours is nearly entirely a haze for me, but our team will not soon forget the dedication all of your team showed to help get our business back. I have trusted Progent for at least 10 years, maybe more, and each time Progent has outperformed my expectations and delivered. This event was a testament to your capabilities."

Conclusion
A likely enterprise-killing catastrophe was avoided through the efforts of hard-working experts, a wide array of knowledge, and tight teamwork. In hindsight, the ransomware penetration detailed here would have been shut down by current cyber security technology and best practices, team education, and well thought out incident response procedures for data backup and keeping systems up to date with security patches. The reality, however, is that government-sponsored cybercriminals from Russia, China and elsewhere are relentless and will continue. If you do get hit by crypto-ransomware, remember that Progent's team of professionals has a proven track record in ransomware defense, mitigation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), thanks very much for letting me get some sleep after we got through the initial push. All of you did a fabulous job, and if any of your guys are in the Chicago area, a great meal is on me!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Philadelphia a portfolio of remote monitoring and security evaluation services designed to help you reduce the threat from crypto-ransomware. These services incorporate next-generation AI technology to detect new variants of crypto-ransomware that are able to evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's cutting-edge behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily escape legacy signature-matching anti-virus products. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to automate the entire threat lifecycle, including blocking, identification, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to security attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies packaged within a single agent managed from a single console. Progent's security and virtualization experts can help your business design and configure a ProSight ESP deployment that meets your company's unique requirements and that helps you prove compliance with government and industry data security regulations. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent's consultants can also help you set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with leading backup software companies to create ProSight Data Protection Services (DPS), a selection of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your backup operations and enable non-disruptive backup and fast recovery of vital files/folders, applications, system images, and VMs. ProSight DPS helps you protect against data loss resulting from hardware breakdown, natural disasters, fire, malware such as ransomware, human error, ill-intentioned insiders, or software bugs. Managed services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you identify which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security vendors to provide web-based management and comprehensive protection for all your email traffic. The layered architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and blocks most unwanted email before it reaches your security perimeter. This reduces your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway device adds a further layer of analysis for inbound email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Exchange Server monitor and protect internal email that originates and ends inside your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to map out, monitor, enhance and troubleshoot their networking hardware like switches, firewalls, and access points as well as servers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when problems are detected. By automating complex management processes, ProSight WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, locating appliances that need important software patches, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network running at peak levels by tracking the health of the critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT management staff and your Progent engineering consultant so that potential issues can be resolved before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Since the system is virtualized, it can be ported immediately to a different hosting solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard data related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can save up to half of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting-edge behavior-based machine learning tools to guard endpoints and physical and virtual servers against new malware attacks such as ransomware and file-less exploits, which easily escape legacy signature-matching anti-virus products. Progent Active Security Monitoring services safeguard local and cloud-based resources and offer a unified platform to manage the entire threat lifecycle, including filtering, detection, mitigation, remediation, and post-attack forensics. Top features include single-click rollback with Windows VSS and real-time network-wide immunization against new attacks. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Center: Support Desk Managed Services
    Progent's Support Desk managed services allow your IT group to outsource Help Desk services to Progent or split responsibilities for Service Desk support transparently between your in-house support resources and Progent's nationwide pool of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a seamless supplement to your core support team. End user access to the Service Desk, provision of support, issue escalation, ticket generation and tracking, performance metrics, and maintenance of the service database are cohesive whether issues are resolved by your core IT support staff, by Progent, or by a combination. Learn more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide organizations of all sizes a versatile and cost-effective alternative for assessing, validating, scheduling, applying, and tracking updates to your ever-evolving information network. In addition to optimizing the security and functionality of your IT network, Progent's software/firmware update management services free up time for your in-house IT staff to focus on line-of-business projects and tasks that deliver maximum business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo MFA services incorporate Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication. Duo enables single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With 2FA, whenever you sign into a protected application and enter your password, you are asked to confirm your identity via a device that only you have and that is reached over a different network channel. A broad range of out-of-band devices can be used for this second means of identity validation, such as an iPhone or Android phone, a smartwatch, a hardware or software token, or a landline phone. You may designate multiple verification devices. To learn more about Duo two-factor identity authentication services, visit Duo MFA two-factor authentication (2FA) services for access security.

For 24-Hour Philadelphia Crypto-Ransomware Remediation Consultants, contact Progent at 800-462-8800 or go to Contact Progent.