Ransomware: Your Feared Information Technology Disaster
Crypto-Ransomware Recovery Experts
Ransomware has become an all-too-frequent cyber pandemic that poses an extinction-level threat for businesses vulnerable to attack. Ransomware families like the CryptoLocker, WannaCry, Locky, SamSam and MongoLock cryptoworms have been around for many years and continue to inflict damage. Newer strains like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Egregor, along with new and as yet unnamed malware appearing daily, not only encrypt online data but also infiltrate most accessible system protection. Data synchronized to cloud environments can also be corrupted. With a poorly designed data protection solution, this can make automated restore operations impossible and effectively knocks the entire environment back to square one.

Getting programs and data back following a ransomware intrusion becomes a race against the clock as the targeted business struggles to contain and clean up the ransomware and to restore business-critical operations. Since ransomware takes time to spread, attacks are often launched during weekends and nights, when they tend to take longer to notice. This compounds the difficulty of promptly assembling and coordinating a qualified response team.

Progent provides an assortment of services for protecting organizations from crypto-ransomware attacks. These include training staff to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security solutions with AI technology from SentinelOne to discover and disable zero-day threats intelligently. Progent also offers the assistance of seasoned ransomware recovery consultants with the skills and perseverance to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that merciless criminals will return the keys needed to decrypt all your files. Kaspersky found that seventeen percent of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to rebuild the mission-critical elements of your Information Technology environment. Without complete system backups, this calls for a wide range of IT skills, top-notch project management, and the capability to work 24x7 until the job is done.

For twenty years, Progent has provided expert Information Technology services for companies in St. Louis and across the United States and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned top certifications in leading technologies like Microsoft, Cisco, VMware, and major Linux distributions. Progent's cyber security specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience in financial management and ERP application software. This breadth of expertise allows Progent to quickly identify the systems that are needed, consolidate the surviving components of your network environment after a crypto-ransomware event, and assemble them into a functioning system.

Progent's ransomware team uses state-of-the-art project management applications to orchestrate the complex recovery process. Progent understands the urgency of acting quickly and works together with a client's management and Information Technology staff to prioritize tasks and put the most important services back online as fast as possible.

Business Case Study: A Successful Crypto-Ransomware Penetration Restoration
A small business escalated to Progent after their company was brought down by the Ryuk ransomware virus. Ryuk is generally considered to have been created by North Korean government-sponsored criminal gangs, possibly using algorithms leaked from America's NSA. Ryuk targets specific organizations with limited tolerance for operational disruption and is one of the most profitable ransomware strains. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk event had frozen all company operations and manufacturing processes. Most of the client's data backups had been online at the start of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom (exceeding $200K) and hoping for the best, but ultimately engaged Progent.


"I can't thank you enough in regards to the help Progent gave us during the most stressful period of (our) business's existence. We had little choice but to pay the Hackers except for the confidence the Progent team provided us. That you were able to get our e-mail system and essential servers back online quicker than five days was beyond my wildest dreams. Every single consultant I interacted with or messaged at Progent was hell bent on getting my company operational and was working non-stop to bail us out."

Progent worked together with the client to rapidly understand and assign priority to the essential systems that had to be restored in order to resume business operations:

  • Windows Active Directory
  • Microsoft Exchange
  • Accounting and Manufacturing Software

To get started, Progent followed anti-virus/anti-malware incident mitigation best practices by isolating and disinfecting systems. Progent then began restoring Microsoft Active Directory (AD), the foundation of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without AD, and the client's MRP system used Microsoft SQL Server, which depended on Windows AD for authenticating access to the database.

Within two days, Progent was able to restore Windows Active Directory to its pre-infection state. Progent then helped rebuild the needed servers and recover their hard drives. All Exchange connections and configuration information were still usable, which greatly sped up the rebuild of Exchange. Progent was able to gather the local OST data files (Microsoft Outlook Off-Line Folder Files) from user workstations and laptops to recover mail data. A recent off-line backup of the customer's accounting software allowed these essential applications to be restored and made available to users again. Although a lot of work remained to recover fully from the Ryuk attack, critical systems were recovered quickly:


"For the most part, the assembly line operation never missed a beat and we made all customer sales."

Over the following few weeks key milestones in the restoration project were completed through tight collaboration between Progent consultants and the customer:

  • Self-hosted web applications were brought back up without losing any data.
  • The MailStore Exchange archive server, holding more than four million archived messages, was brought online and made available to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables/Inventory capabilities were 100% restored.
  • A new Palo Alto Networks 850 firewall was set up.
  • 90% of the user desktops and notebooks were functioning as before the incident.

"A lot of what transpired in the initial days is nearly entirely a blur for me, but our team will not forget the dedication each of you put in to give us our company back. I have been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered as promised. This event was a testament to your capabilities."

Conclusion
A potential business-ending catastrophe was averted thanks to dedicated experts, a wide array of technical expertise, and tight teamwork. Although in hindsight the crypto-ransomware attack described here should have been stopped by current security technology and security best practices, staff training, and well-designed procedures for data protection and software patching, the reality is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do get hit by a crypto-ransomware penetration, you can be confident that Progent's team of professionals has proven experience in ransomware defense, remediation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for making it so I could get rested after we got past the most critical parts. All of you did an impressive job, and if any of your team is around the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in St. Louis a variety of remote monitoring and security assessment services designed to assist you to minimize the threat from ransomware. These services incorporate modern artificial intelligence capability to uncover zero-day variants of ransomware that are able to escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that uses SentinelOne's next-generation behavior-based machine learning tools to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which routinely get past legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a single platform to automate the entire malware attack lifecycle including blocking, detection, containment, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth protection for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and respond to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge technologies packaged within one agent accessible from a single console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP environment that addresses your company's unique needs and that allows you to achieve and demonstrate compliance with legal and industry data security standards. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent attention. Progent can also help your company set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with advanced backup software companies to create ProSight Data Protection Services, a family of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your backup operations and allow non-disruptive backup and rapid restoration of vital files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss caused by equipment breakdown, natural calamities, fire, malware like ransomware, user error, ill-intentioned insiders, or application glitches. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading data security vendors to deliver web-based control and comprehensive protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. The cloud filter serves as a first line of defense and blocks most threats from making it to your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway appliance adds a further layer of analysis for incoming email. For outgoing email, the local security gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server to track and protect internal email traffic that stays inside your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map out, monitor, enhance and troubleshoot their networking hardware like routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, copies and displays the configuration of almost all devices connected to your network, tracks performance, and sends alerts when issues are detected. By automating complex management and troubleshooting activities, ProSight WAN Watch can knock hours off common chores like network mapping, expanding your network, locating devices that require important updates, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by checking the state of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your specified IT management staff and your Progent consultant so all looming problems can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual machine host set up and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved immediately to alternate hardware without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and safeguard information about your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate up to half of time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you require when you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates cutting-edge behavior-based machine learning tools to guard endpoints and physical and virtual servers against new malware assaults like ransomware and fileless exploits, which easily escape legacy signature-matching AV products. Progent ASM services safeguard local and cloud resources and offer a single platform to automate the entire threat lifecycle including blocking, intrusion detection, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Learn more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Desk: Help Desk Managed Services
    Progent's Support Desk managed services permit your IT staff to offload Help Desk services to Progent or split activity for Service Desk support transparently between your internal support resources and Progent's extensive roster of IT service technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a seamless extension of your core support team. Client access to the Help Desk, provision of technical assistance, problem escalation, trouble ticket creation and tracking, performance metrics, and management of the support database are consistent whether issues are taken care of by your core support group, by Progent's team, or both. Find out more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of any size a flexible and affordable alternative for evaluating, validating, scheduling, applying, and documenting updates to your ever-evolving IT network. In addition to maximizing the security and functionality of your IT environment, Progent's software/firmware update management services allow your in-house IT team to concentrate on line-of-business initiatives and tasks that deliver maximum business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication (2FA). Duo supports one-tap identity verification on Apple iOS, Google Android, and other personal devices. With Duo 2FA, whenever you sign into a protected online account and enter your password you are asked to verify your identity via a device that only you possess and that uses a different ("out-of-band") network channel. A broad range of devices can be utilized for this added form of authentication such as a smartphone or wearable, a hardware/software token, a landline phone, etc. You may designate several validation devices. For details about ProSight Duo identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding suite of real-time management reporting tools designed to integrate with the industry's leading ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as inconsistent support follow-through or endpoints with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.

For 24x7x365 St. Louis Crypto Cleanup Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.