Crypto-Ransomware : Your Worst IT Disaster
Ransomware has become an escalating cyber plague that represents an extinction-level danger for organizations unprepared for an attack. Different versions of crypto-ransomware such as the Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and still inflict damage. Recent strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, along with daily unnamed newcomers, not only encrypt online data files but also infiltrate every accessible system protection mechanism. Data synced to cloud environments can also be rendered useless. In a vulnerable system, an attack can render automatic restore operations useless and effectively set the datacenter back to zero.

Restoring services and data after a crypto-ransomware event becomes a race against time as the victim struggles to stop the spread, remove the crypto-ransomware, and restore business-critical operations. Because ransomware takes time to spread, attacks are often launched at night, when intrusions typically take longer to recognize. This multiplies the difficulty of quickly assembling and organizing a capable mitigation team.

Progent offers a range of services for protecting enterprises from ransomware attacks. Among these are staff training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security appliances with artificial intelligence capabilities from SentinelOne to identify and suppress zero-day threats automatically. Progent also provides the assistance of veteran crypto-ransomware recovery engineers with the skill and perseverance to restore a compromised network as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
After a ransomware event, even paying the ransom in cryptocurrency does not guarantee that the remote criminals will respond with the keys needed to decrypt any or all of your data. Kaspersky found that seventeen percent of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far above the typical crypto-ransomware demand, which ZDNET estimates to average around $13,000. The other path is to rebuild the essential components of your IT environment. Without usable backups of essential data, this requires a broad complement of IT skills, professional project management, and the willingness to work 24x7 until the recovery project is complete.

For two decades, Progent has provided expert Information Technology services for businesses in San Bernardino and across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained advanced certifications in foundation technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security engineers have earned internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise with financial systems and ERP applications. This breadth of experience gives Progent the ability to rapidly understand the necessary systems, integrate the surviving components of your IT environment following a crypto-ransomware attack, and configure them into an operational system.

Progent's recovery group uses powerful project management applications to coordinate the complex recovery process. Progent understands the urgency of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and to get the most important applications back online as soon as humanly possible.

Client Case Study: A Successful Ransomware Virus Recovery
A small business contacted Progent after their organization was attacked by the Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean state hackers, suspected of using technology leaked from America's National Security Agency. Ryuk targets specific companies with little or no ability to sustain disruption and is one of the most profitable versions of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business based in Chicago with around 500 staff members. The Ryuk attack had shut down all company operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were destroyed. The client was considering paying the ransom demand (in excess of $200,000) and hoping for the best, but ultimately engaged Progent.

"I cannot thank you enough in regards to the help Progent provided us throughout the most fearful period of (our) business's life. We would have paid the hackers behind this attack if not for the confidence the Progent team afforded us. That you were able to get our e-mail system and critical servers back on-line in less than a week was incredible. Each consultant I spoke to or e-mailed at Progent was amazingly focused on getting us back online and was working day and night on our behalf."

Progent worked with the customer to quickly assess and prioritize the key applications that had to be addressed to make it possible to continue departmental operations:

  • Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software

To start, Progent followed industry best practices for incident response by halting the spread and cleaning the malware from infected systems. Progent then began the work of recovering Microsoft Active Directory, the heart of enterprise systems built on Microsoft technology. Microsoft Exchange email will not function without AD, and the business's financial and MRP software used Microsoft SQL Server, which depends on Active Directory for authorization to the databases.

Within two days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then helped perform setup and hard drive recovery of essential systems. All Exchange Server data and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to find unencrypted OST files (Outlook Offline Data Files) on various PCs and laptops to recover email messages. A reasonably recent offline backup of the business's accounting software made it possible to bring these essential programs back online. Although significant work remained to recover completely from the Ryuk virus, the most important services were recovered rapidly:

"For the most part, the production operation never missed a beat and we delivered all customer sales."

Over the following month, important milestones in the recovery project were reached through tight collaboration between Progent engineers and the client:

  • Self-hosted web applications were restored with no loss of data.
  • The MailStore Server, holding more than four million archived messages, was brought back up and made accessible to users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory functions were fully restored.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Most of the desktop computers were fully operational.

"Much of what was accomplished in the initial days is nearly entirely a fog for me, but my management will not soon forget the dedication all of your team showed to give us our business back. I've trusted Progent for at least 10 years, maybe more, and each time I needed help Progent has impressed me and delivered. This situation was a stunning achievement."

Conclusion
A likely business-ending disaster was averted thanks to hard-working experts, a broad spectrum of IT skills, and tight collaboration. In retrospect, the ransomware attack described here should have been identified and disabled with up-to-date cyber security technology, NIST Cybersecurity Framework best practices, staff training, and well-thought-out security procedures for information protection and proper patching controls. The reality, however, is that state-sponsored hackers from Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's roster of experts has extensive experience in ransomware virus defense, cleanup, and information systems disaster recovery.

"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for letting me get some rest after we made it past the most critical parts. Everyone did an amazing job, and if anyone that helped is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in San Bernardino a range of remote monitoring and security assessment services to help you reduce the threat from ransomware. These services use modern AI capabilities to uncover zero-day strains of ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based analysis tools to defend physical and virtual endpoints against modern malware assaults like ransomware and fileless exploits, which easily escape traditional signature-matching anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a unified platform to address the complete malware attack lifecycle including filtering, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver economical in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP deployment that addresses your organization's specific needs and that allows you to prove compliance with government and industry data security regulations. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent action. Progent's consultants can also assist you to install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with advanced backup/restore technology companies to produce ProSight Data Protection Services (DPS), a family of offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup processes and allow transparent backup and rapid restoration of important files/folders, apps, system images, and virtual machines. ProSight DPS lets your business avoid data loss resulting from equipment breakdown, natural disasters, fire, malware such as ransomware, user mistakes, malicious employees, or software bugs. Managed services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security vendors to deliver centralized management and comprehensive security for all your inbound and outbound email. Email Guard's architecture combines a Cloud Protection Layer with a local gateway device to offer complete protection against spam, viruses, Denial of Service attacks, DHAs (directory harvest attacks), and other email-borne malware. The cloud filter serves as a preliminary barricade and blocks most threats from reaching your network firewall. This decreases your exposure to external attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway device provides a deeper layer of inspection for inbound email. For outbound email, the onsite gateway offers AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to diagram, track, optimize and debug their connectivity appliances such as routers, firewalls, and load balancers as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are always current, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, reconfiguring your network, locating devices that require important updates, or isolating performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management techniques to keep your network running efficiently by checking the health of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT personnel and your assigned Progent consultant so that any looming issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Because the environment is virtualized, it can be ported immediately to a different hosting environment without requiring a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect information related to your network infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate up to half of time wasted trying to find critical information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're making enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that uses cutting-edge behavior-based machine learning technology to defend endpoints, servers, and VMs against new malware assaults like ransomware and email phishing, which easily get by traditional signature-matching anti-virus products. Progent Active Security Monitoring services protect local and cloud resources and provide a single platform to address the complete threat lifecycle including protection, infiltration detection, containment, remediation, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Service Desk: Help Desk Managed Services
    Progent's Support Center services permit your IT group to offload Call Center services to Progent or split Help Desk activity seamlessly between your in-house support team and Progent's extensive roster of IT service engineers and subject matter experts. Progent's Co-managed Service Desk offers a smooth extension of your corporate support team. Client interaction with the Service Desk, delivery of support, problem escalation, ticket generation and updates, performance measurement, and maintenance of the service database are cohesive regardless of whether issues are resolved by your corporate network support group, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Service Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer organizations of any size a flexible and cost-effective solution for assessing, validating, scheduling, applying, and documenting software and firmware updates to your dynamic IT network. In addition to maximizing the security and functionality of your computer environment, Progent's software/firmware update management services allow your in-house IT team to concentrate on line-of-business projects and tasks that deliver the highest business value from your network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication (2FA). Duo supports one-tap identity confirmation with iOS, Android, and other personal devices. Using 2FA, whenever you sign into a secured online account and enter your password you are asked to verify your identity via a device that only you possess and that uses a separate network channel. A wide range of devices can be used as this added form of ID validation such as a smartphone or watch, a hardware token, a landline phone, etc. You may register multiple verification devices. To find out more about ProSight Duo identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of real-time and in-depth reporting plug-ins designed to integrate with the industry's leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues like spotty support follow-up or endpoints with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

For San Bernardino 24/7 crypto-ransomware cleanup help, contact Progent at 800-462-8800 or go to Contact Progent.