Crypto-Ransomware : Your Feared IT Catastrophe
Crypto-ransomware has become an escalating cyber pandemic that presents an enterprise-level danger for businesses of all sizes that are unprepared for an assault. Older ransomware families such as Dharma, CryptoWall, Locky, NotPetya and MongoLock have been around for years and still inflict harm. The latest ransomware, such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Egregor, along with a steady stream of as yet unnamed variants, not only encrypts online data files but also seeks out and disables whatever protection mechanisms it can reach, including network-accessible backups. Data synchronized to the cloud can be encrypted along with the local copy. In a poorly architected data protection solution, this can make automatic restore operations hopeless and effectively knocks the datacenter back to zero.
Restoring services and data after a ransomware intrusion becomes a race against time as the targeted business works to contain the damage, remove the ransomware and resume business-critical activity. Because ransomware needs time to spread through a network and encrypt files, attacks are usually launched on weekends, when a successful intrusion typically takes longer to notice. This compounds the difficulty of promptly mobilizing and coordinating a knowledgeable response team.
Progent offers a variety of services for protecting businesses from ransomware attacks. These include user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of current-generation endpoint security from SentinelOne that uses behavioral AI to identify and suppress zero-day threats. Progent can also provide experienced ransomware recovery engineers with the track record and commitment to restore a breached system as quickly as possible.
Progent's Crypto-Ransomware Restoration Services
Following a ransomware event, paying the ransom in cryptocurrency does not guarantee that the attackers will provide the keys to decrypt all your files. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), significantly higher than the typical crypto-ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the vital components of your IT environment. Without complete, uncompromised backups, this calls for a wide range of skills, professional project management, and the willingness to work 24x7 until the job is done.
For two decades, Progent has provided certified expert IT services for companies in Philadelphia and across the US and has achieved Microsoft's Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security experts hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of experience gives Progent the skills to quickly identify the critical systems, salvage the surviving parts of your network after a ransomware event, and reassemble them into a working environment.
Progent's ransomware team uses project management tools to orchestrate the complex recovery process. Progent understands the urgency of working rapidly and in unison with a customer's management and IT resources to prioritize tasks and put essential applications back online as fast as possible.
Business Case Study: A Successful Ransomware Attack Restoration
A manufacturing business escalated to Progent after its operations were brought down by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributed its operation to a Russian-speaking criminal group, and its operators are suspected of using exploitation techniques leaked from the US NSA. Ryuk targets specific businesses with little tolerance for disruption and is among the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with about 500 employees. The Ryuk intrusion had halted all essential business and manufacturing processes. Most of the client's backups had been reachable from the compromised network when the intrusion began and were encrypted along with the production data. The client was preparing to pay the ransom (more than $200,000) and hope for the best, but instead called Progent.
"I can't speak enough about the support Progent provided us during the most stressful time of (our) business's survival. We most likely would have paid the hackers behind this attack if not for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and key servers back sooner than seven days was earth shattering. Each expert I got help from or communicated with at Progent was urgently focused on getting our system up and was working 24 by 7 on our behalf."
Progent worked hand in hand with the customer to quickly identify and prioritize the most important applications that had to be restored in order to restart departmental functions:
- Microsoft Active Directory
- Electronic Mail
- Accounting and Manufacturing Software
To begin, Progent followed ransomware incident response best practice by halting lateral movement and cleaning infected systems. Progent then started bringing Windows Active Directory back online, the foundation of enterprise systems built on Microsoft Windows. Exchange will not function without Active Directory, and the business's MRP system ran on Microsoft SQL Server, which relied on Active Directory for authentication and authorization to its databases.
In less than two days, Progent restored Windows Active Directory to its pre-attack state. Progent then carried out reinstallations and disk recovery on critical systems. All Exchange links and configuration information were intact, which accelerated the Exchange restore. Progent was also able to locate unencrypted OST files (Outlook Offline Data Files) on various workstations and recover email messages from them. A reasonably recent offline backup of the customer's accounting/MRP software made it possible to bring those required applications back online. Although significant work remained to recover fully from the Ryuk attack, core services were returned to operation quickly:
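The OST salvage step above is a common move in ransomware recovery: mail that was never restored from backup often survives in Outlook's offline cache on workstations the encryptor did not finish. The script below is an added example, not Progent's tooling or the case study's actual procedure. It walks a mounted disk image or profile share, finds OST/PST-looking files (including ones the ransomware renamed with an extra extension), and checks whether each still begins with the `!BDN` signature of the Outlook container format, which an encrypted file no longer has. The directory tree, file names and contents are constructed for the demonstration.

```python
"""Triage Outlook OST/PST files on a recovered disk or mounted share.

Added example (not from the original page). Assumes an intact OST/PST file
starts with the Outlook container signature "!BDN"; a file overwritten by
ransomware loses that header and is usually renamed with an extra suffix.
"""
import os
import tempfile
from pathlib import Path

OUTLOOK_MAGIC = b"!BDN"               # first 4 bytes of a PST/OST container
OUTLOOK_SUFFIXES = {".ost", ".pst"}    # matched anywhere in the name's suffix chain


def classify(path: Path) -> str:
    """Return 'intact', 'encrypted' or 'unknown' for one candidate file."""
    try:
        with path.open("rb") as fh:
            head = fh.read(4)
    except OSError:
        return "unknown"            # unreadable (locked, permissions, bad sector)
    return "intact" if head == OUTLOOK_MAGIC else "encrypted"


def find_mailbox_files(root: Path):
    """Yield (path, status) for every file whose suffix chain contains .ost/.pst.

    Using Path.suffixes rather than Path.suffix catches renamed victims such
    as 'archive.pst.locked' that a plain extension match would skip.
    """
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            suffixes = {s.lower() for s in Path(name).suffixes}
            if suffixes & OUTLOOK_SUFFIXES:
                p = Path(dirpath) / name
                yield p, classify(p)


def triage(root: Path) -> dict:
    """Map each candidate (path relative to root, '/' separated) to its status."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): status
        for p, status in find_mailbox_files(root)
    }


def recoverable(root: Path) -> list:
    """Sorted relative paths of files whose Outlook header is still present."""
    return sorted(rel for rel, status in triage(root).items() if status == "intact")


def build_demo_tree() -> Path:
    """Construct a sample user profile (constructed data, not a real image)."""
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    outlook = root / "Users" / "jdoe" / "AppData" / "Local" / "Microsoft" / "Outlook"
    outlook.mkdir(parents=True)
    # untouched offline cache: valid header followed by filler
    (outlook / "jdoe@example.com.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 60)
    # archive the encryptor reached: header gone, extra extension appended
    (outlook / "archive.pst.locked").write_bytes(bytes(range(64)))
    # unrelated file that must be ignored
    (outlook / "notes.txt").write_bytes(b"not a mailbox")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, status in sorted(triage(demo_root).items()):
        print(f"{status:9s} {rel}")
    print("recoverable:", recoverable(demo_root))
```

Point the script at a mounted workstation image (for example `triage(Path("/mnt/ws12"))`) and copy only the files reported as intact to a clean host before opening them in Outlook; treat anything reported as encrypted as evidence, not as data to recover.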
"For the most part, the manufacturing operation showed little impact and we did not miss any customer orders."
Over the following few weeks, key milestones in the recovery project were reached in close collaboration between Progent's team and the customer:
- Self-hosted web sites were brought back up with no loss of data.
- The MailStore Exchange Server with over four million archived messages was restored to operations and accessible to users.
- CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory Control functions were fully functional.
- A new Palo Alto Networks PA-850 firewall was installed and configured.
- Nearly all user desktops and notebooks were back in use by staff.
"A lot of what went on in the early hours is nearly entirely a haze for me, but my management will not forget the care each of you put in to help get our company back. I've entrusted Progent for the past 10 years, possibly more, and each time Progent has shined and delivered as promised. This time was a stunning achievement."
A potentially business-killing disaster was averted through results-oriented professionals, a broad range of subject matter expertise, and close collaboration. Although in hindsight the incident described here could have been prevented with modern security controls, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and sound procedures for offline backups and timely patching, the reality is that state-sponsored and criminal cyber gangs from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware intrusion, remember that Progent's team has proven experience in crypto-ransomware defense, mitigation, and information systems disaster recovery.
"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for allowing me to get rested after we made it through the initial fire. All of you did an incredible job, and if any of your team is in the Chicago area, dinner is my treat!"
To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Philadelphia a range of online monitoring and security assessment services designed to help you reduce your exposure to ransomware. These services use modern machine-learning and behavioral analysis to uncover zero-day strains of crypto-ransomware that evade legacy signature-based anti-virus products.
For Philadelphia 24/7/365 Crypto Removal Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's behavior-based analysis technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely get past legacy signature-based anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a single platform to manage the complete malware attack lifecycle including protection, detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Because many ransomware families delete shadow copies before they encrypt, this rollback depends on the agent detecting the attack and protecting VSS before the copies are removed. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and response to security attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization consultants can help your business plan and configure a ProSight ESP environment that addresses your organization's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry information protection standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent's consultants can also help you install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore technology providers to create ProSight Data Protection Services (DPS), a selection of offerings that deliver backup-as-a-service. ProSight DPS products automate and monitor your backup operations and enable transparent backup and rapid recovery of critical files, applications, images, and VMs. ProSight DPS helps your business recover from data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks like ransomware, human mistakes, ill-intentioned employees, or application glitches. Managed services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security companies to deliver centralized management and comprehensive protection for all your email traffic. The hybrid architecture of the Email Guard managed service combines cloud-based filtering with a local gateway appliance to offer advanced protection against spam, viruses, denial-of-service attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and blocks the vast majority of unwanted email before it reaches your network firewall. This reduces your exposure to inbound attacks and conserves bandwidth and storage space. Email Guard's onsite gateway appliance adds a deeper level of analysis for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server track and protect internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map out, monitor, optimize and debug their connectivity appliances such as routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept current, captures and displays the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when problems are discovered. By automating complex network management processes, ProSight WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, locating appliances that require important updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by tracking the health of vital computers that power your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management staff and your Progent consultant so that any potential issues can be addressed before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS software, and the apps. Because the system is virtualized, it can be ported easily to an alternate hardware solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect data about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSL/TLS certificates or warranties. By cleaning up and organizing your network documentation, you can eliminate up to 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're planning enhancements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Learn more about ProSight IT Asset Management service.
- Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection service that uses next-generation behavior-based analysis technology to guard endpoints and physical and virtual servers against new malware assaults such as ransomware and phishing-delivered payloads, which easily get past traditional signature-matching anti-virus products. The service safeguards local and cloud-based resources and offers a single platform to automate the complete malware attack lifecycle including protection, identification, containment, cleanup, and post-attack forensics. Top features include single-click rollback using Windows VSS and automatic system-wide immunization against new threats. Read more about Progent's ransomware defense and cleanup services.
- Outsourced/Co-managed Call Center: Support Desk Managed Services
Progent's Call Center managed services allow your information technology group to outsource Support Desk services to Progent or to divide responsibility for Help Desk services seamlessly between your in-house support resources and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless supplement to your corporate network support team. User access to the Service Desk, provision of support services, escalation, ticket creation and tracking, performance measurement, and maintenance of the support database are consistent regardless of whether incidents are handled by your core IT support staff, by Progent's team, or by a combination. Learn more about Progent's outsourced/co-managed Service Desk services.
- Patch Management: Patch Management Services
Progent's support services for software and firmware patch management provide businesses of any size a flexible and affordable solution for evaluating, validating, scheduling, applying, and tracking updates to your dynamic information network. In addition to optimizing the protection and reliability of your computer environment, Progent's patch management services permit your in-house IT staff to focus on more strategic projects and activities that deliver maximum business value from your information network. Read more about Progent's patch management services.
- ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
Progent's Duo authentication service plans use Cisco's Duo technology to defend against password theft through two-factor authentication (2FA). Duo supports one-tap identity verification with Apple iOS, Google Android, and other personal devices. With Duo 2FA, when you log into a protected online account and enter your password, you are asked to confirm your identity on a device that only you possess and that is reached over a different network channel. A broad selection of out-of-band devices can serve as this added factor, including an iPhone, an Android phone, a smartwatch, a hardware token, or a landline telephone. You may designate several verification devices. To learn more about Duo two-factor identity authentication services, see Duo MFA two-factor authentication services.