Crypto-Ransomware : Your Worst Information Technology Nightmare
Ransomware  Recovery ConsultantsRansomware has become a too-frequent cyber pandemic that presents an extinction-level threat for businesses of all sizes unprepared for an attack. Versions of crypto-ransomware such as Dharma, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been replicating for years and still inflict harm. Modern versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, as well as frequent unnamed newcomers, not only do encryption of online information but also infiltrate any accessible system restores and backups. Data replicated to cloud environments can also be ransomed. In a poorly architected environment, this can make automated restoration hopeless and effectively knocks the datacenter back to square one.

Recovering programs and data after a ransomware outage becomes a sprint against time as the targeted organization fights to contain the damage and clear the crypto-ransomware and to restore business-critical operations. Since ransomware takes time to replicate, penetrations are usually launched on weekends and holidays, when penetrations typically take longer to uncover. This multiplies the difficulty of rapidly mobilizing and coordinating an experienced mitigation team.

Progent offers a range of services for securing organizations from crypto-ransomware events. Among these are user education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of the latest generation security solutions with artificial intelligence capabilities from SentinelOne to discover and suppress zero-day cyber attacks quickly. Progent also provides the services of seasoned ransomware recovery consultants with the skills and commitment to rebuild a compromised network as soon as possible.

Progent's Ransomware Restoration Services
After a ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not ensure that criminal gangs will provide the needed codes to unencrypt any of your files. Kaspersky estimated that 17% of ransomware victims never recovered their information even after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the average crypto-ransomware demands, which ZDNET averages to be approximately $13,000. The fallback is to piece back together the key components of your Information Technology environment. Absent the availability of essential system backups, this requires a wide complement of skills, professional team management, and the willingness to work continuously until the recovery project is complete.

For two decades, Progent has offered professional IT services for companies in Seattle and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded advanced industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security consultants have earned internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise in financial systems and ERP applications. This breadth of expertise provides Progent the capability to quickly determine necessary systems and re-organize the remaining parts of your Information Technology environment following a crypto-ransomware penetration and configure them into a functioning network.

Progent's ransomware team of experts utilizes best of breed project management tools to orchestrate the complex recovery process. Progent understands the urgency of working rapidly and in unison with a customer's management and IT team members to prioritize tasks and to put key systems back on line as soon as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Attack Recovery
A customer hired Progent after their company was taken over by Ryuk ransomware. Ryuk is generally considered to have been developed by Northern Korean state criminal gangs, suspected of using algorithms exposed from the U.S. NSA organization. Ryuk targets specific companies with limited ability to sustain operational disruption and is among the most lucrative instances of crypto-ransomware. High publicized organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk event had brought down all company operations and manufacturing capabilities. Most of the client's system backups had been on-line at the beginning of the intrusion and were eventually encrypted. The client was pursuing financing for paying the ransom (more than $200K) and praying for good luck, but ultimately utilized Progent.


"I cannot tell you enough in regards to the help Progent provided us during the most stressful time of (our) businesses existence. We had little choice but to pay the hackers behind this attack if it wasn't for the confidence the Progent experts gave us. The fact that you could get our e-mail system and critical servers back online quicker than five days was incredible. Each expert I spoke to or e-mailed at Progent was hell bent on getting us back online and was working at all hours to bail us out."

Progent worked with the client to rapidly get our arms around and assign priority to the mission critical systems that needed to be restored in order to resume company operations:

  • Windows Active Directory
  • Electronic Mail
  • MRP System
To get going, Progent adhered to ransomware event mitigation industry best practices by halting lateral movement and clearing infected systems. Progent then started the process of bringing back online Microsoft AD, the key technology of enterprise systems built on Microsoft Windows technology. Exchange messaging will not work without Windows AD, and the client's accounting and MRP system utilized Microsoft SQL Server, which requires Active Directory for authentication to the databases.

Within 2 days, Progent was able to restore Active Directory to its pre-virus state. Progent then charged ahead with reinstallations and storage recovery of needed applications. All Microsoft Exchange Server ties and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to find intact OST files (Outlook Off-Line Data Files) on user desktop computers in order to recover email data. A recent offline backup of the customer's financials/ERP systems made them able to return these essential applications back on-line. Although a large amount of work remained to recover totally from the Ryuk event, the most important services were recovered rapidly:


"For the most part, the production operation showed little impact and we did not miss any customer deliverables."

During the following few weeks key milestones in the recovery project were achieved in tight collaboration between Progent team members and the customer:

  • Internal web applications were returned to operation without losing any information.
  • The MailStore Exchange Server containing more than four million historical emails was brought on-line and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were 100% operational.
  • A new Palo Alto 850 security appliance was brought online.
  • Nearly all of the desktop computers were being used by staff.

"A huge amount of what occurred during the initial response is mostly a fog for me, but my team will not soon forget the countless hours all of you accomplished to give us our company back. I've been working together with Progent for at least 10 years, maybe more, and each time Progent has shined and delivered as promised. This situation was the most impressive ever."

Conclusion
A probable company-ending catastrophe was dodged through the efforts of hard-working experts, a broad range of technical expertise, and tight teamwork. Although in analyzing the event afterwards the crypto-ransomware virus penetration detailed here should have been disabled with current cyber security systems and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and properly executed incident response procedures for information protection and proper patching controls, the reality is that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's roster of experts has proven experience in crypto-ransomware virus blocking, removal, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for letting me get rested after we got over the initial fire. All of you did an incredible job, and if any of your team is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Seattle a range of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services include next-generation machine learning capability to uncover new strains of ransomware that are able to get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's next generation behavior-based analysis tools to defend physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which routinely get by legacy signature-based anti-virus products. ProSight ASM safeguards local and cloud resources and provides a unified platform to address the entire threat lifecycle including blocking, detection, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP provides two-way firewall protection, penetration alerts, device management, and web filtering via leading-edge technologies incorporated within one agent managed from a single console. Progent's data protection and virtualization experts can assist you to design and implement a ProSight ESP environment that meets your organization's unique requirements and that allows you demonstrate compliance with government and industry information protection standards. Progent will assist you define and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for urgent attention. Progent's consultants can also assist your company to set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup software providers to create ProSight Data Protection Services, a family of offerings that provide backup-as-a-service. ProSight DPS services manage and track your data backup processes and enable non-disruptive backup and fast recovery of vital files, apps, images, and VMs. ProSight DPS helps your business avoid data loss caused by equipment failures, natural calamities, fire, malware like ransomware, human mistakes, ill-intentioned insiders, or software bugs. Managed backup services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security vendors to provide web-based control and world-class protection for your email traffic. The powerful structure of Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further layer of analysis for inbound email. For outbound email, the onsite gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also assist Exchange Server to track and safeguard internal email that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map, track, optimize and troubleshoot their connectivity appliances such as routers, firewalls, and wireless controllers plus servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration of virtually all devices on your network, tracks performance, and generates notices when potential issues are discovered. By automating time-consuming management activities, WAN Watch can cut hours off ordinary tasks like making network diagrams, expanding your network, finding appliances that require important software patches, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management techniques to help keep your network running efficiently by checking the health of vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT staff and your Progent consultant so that all looming issues can be resolved before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be ported easily to a different hosting environment without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard information about your network infrastructure, processes, business apps, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSLs or domains. By updating and managing your IT documentation, you can eliminate as much as half of time thrown away searching for vital information about your IT network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting edge behavior analysis tools to defend endpoints as well as physical and virtual servers against modern malware assaults like ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus products. Progent ASM services safeguard on-premises and cloud resources and provides a unified platform to automate the entire malware attack lifecycle including protection, detection, containment, cleanup, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Help Desk: Call Center Managed Services
    Progent's Help Center services permit your information technology staff to offload Call Center services to Progent or split activity for Help Desk services seamlessly between your internal network support group and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a seamless extension of your internal network support team. User interaction with the Service Desk, provision of support, problem escalation, ticket creation and updates, performance metrics, and management of the service database are consistent whether issues are resolved by your internal support group, by Progent, or a mix of the two. Read more about Progent's outsourced/shared Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer organizations of all sizes a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT network. In addition to maximizing the security and functionality of your computer environment, Progent's patch management services free up time for your IT team to focus on line-of-business initiatives and activities that deliver maximum business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication (2FA). Duo supports one-tap identity confirmation on iOS, Google Android, and other personal devices. With Duo 2FA, when you log into a protected online account and enter your password you are requested to confirm who you are via a unit that only you possess and that is accessed using a different network channel. A wide selection of devices can be utilized for this second form of ID validation such as a smartphone or wearable, a hardware/software token, a landline phone, etc. You may register several verification devices. For details about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing line of in-depth management reporting tools created to work with the industry's top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues such as spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For Seattle 24x7 Crypto-Ransomware Repair Services, contact Progent at 800-462-8800 or go to Contact Progent.