Crypto-Ransomware : Your Crippling IT Nightmare
Crypto-Ransomware Remediation Consultants

Ransomware has become a too-frequent cyber pandemic that represents an existential threat for organizations poorly prepared for an assault. Earlier generations of crypto-ransomware such as CrySIS, WannaCry, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been around for many years and continue to inflict harm. More recent variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nefilim, along with a steady stream of as yet unnamed newcomers, not only encrypt online data files but also go after every configured system protection they can reach. Information synchronized to the cloud can also be rendered useless. In a poorly architected data protection solution, this can make automated restore operations hopeless and effectively sets the datacenter back to square one.

Recovering services and data after a ransomware event becomes a sprint against the clock as the targeted business tries to contain and eradicate the ransomware and to resume mission-critical activity. Because ransomware needs time to spread, attacks are often launched on weekends and holidays, when a successful penetration tends to take longer to notice. This multiplies the difficulty of promptly assembling and orchestrating an experienced response team.

Progent offers a variety of solutions for protecting enterprises from ransomware attacks. Among these are staff training to help employees recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the setup and configuration of next-generation security solutions built on SentinelOne's artificial intelligence technology to identify and suppress new threats rapidly. Progent also provides seasoned ransomware recovery engineers with the skill and perseverance to restore a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Restoration Services
After a ransomware penetration, paying the ransom in Bitcoin does not guarantee that the criminals will respond with the codes needed to decrypt any of your files. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their information after having paid the ransom, compounding their losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to piece back together the key elements of your IT environment. Without full information backups, this requires a wide complement of skills, well-coordinated project management, and the willingness to work non-stop until the job is finished.

For decades, Progent has provided professional Information Technology services for businesses in Austin and across the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have been awarded high-level industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of expertise gives Progent the ability to quickly identify critical systems and re-organize the remaining components of your IT environment following a ransomware attack and assemble them into a functioning network.

Progent's security team deploys state-of-the-art project management tools to coordinate the complicated recovery process. Progent appreciates the importance of working rapidly and in unison with a customer's management and IT resources to prioritize tasks and to get critical systems back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Incident Recovery
A customer contacted Progent after their network was attacked by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean government sponsored criminal gangs, suspected of adopting algorithms leaked from the U.S. National Security Agency. Ryuk targets specific businesses that have little or no tolerance for disruption and is among the most profitable families of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk attack had shut down all company operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were encrypted. The client was pursuing financing to pay the ransom (exceeding two hundred thousand dollars) and hoping for the best, but ultimately made the decision to use Progent.


"I cannot thank you enough for the expertise Progent gave us during the most fearful time of (our) company's life. We most likely would have paid the criminal gangs except for the confidence the Progent group afforded us. That you were able to get our e-mail system and critical applications back into operation sooner than five days was earth shattering. Every single staff member I interacted with or communicated with at Progent was laser focused on getting us operational and was working day and night on our behalf."

Progent worked hand in hand with the customer to rapidly assess and prioritize the mission-critical systems that had to be recovered before departmental functions could restart:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP
To start, Progent followed industry best practices for malware incident containment by stopping the spread and disinfecting systems. Progent then began bringing Windows Active Directory back online, the foundational technology of enterprise environments built on Microsoft products. Exchange email will not operate without Active Directory, and the customer's MRP software ran on SQL Server, which relies on Windows AD to authenticate access to the data.

Within two days, Progent was able to restore Active Directory services to their pre-attack state. Progent then charged ahead with the setup and storage recovery of essential servers. All Exchange Server schema and configuration information were intact, which greatly simplified the Exchange restore. Progent was also able to collect unencrypted OST files (Outlook Offline Folder Files) from various workstations to recover mail data. A recent offline backup of the client's accounting systems made it possible to bring these vital services back to users. Although significant work remained before the recovery from the Ryuk attack was complete, critical services were restored quickly:
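The recovery sequence described above is a dependency problem: Active Directory had to come back before Exchange and SQL Server, and SQL Server before the MRP application. The following script is an added example, not Progent's tooling or anything from the case study itself, that models those dependencies and derives a restore order in which every prerequisite is brought up before the services that need it, and that flags a circular dependency (which would mean the plan is inconsistent). The dependency map is constructed from the case study's statements; the MailStore and internal web site entries are assumptions added to make the graph less trivial.

```python
"""Dependency-ordered recovery plan for the services named in the case study.

Added example (not Progent's tooling). The DEPENDENCIES map is constructed from
the case study: Exchange and SQL Server need Active Directory, and the MRP /
accounting application needs SQL Server. MailStore and the internal web sites
are assumed to sit behind Exchange and AD respectively (assumption).
"""
from collections import deque

# service -> list of services that must be running before it can be restored
DEPENDENCIES = {
    "Active Directory": [],
    "Exchange Server": ["Active Directory"],
    "SQL Server": ["Active Directory"],
    "MRP/Accounting": ["SQL Server"],
    "MailStore Server": ["Exchange Server"],     # assumption
    "Internal web sites": ["Active Directory"],  # assumption
}


def _dependents(deps):
    """Invert the map: service -> services that depend directly on it."""
    dependents = {svc: [] for svc in deps}
    for svc, needs in deps.items():
        for need in needs:
            if need not in deps:
                raise ValueError(f"{svc!r} depends on unknown service {need!r}")
            dependents[need].append(svc)
    return dependents


def recovery_order(deps):
    """Kahn's topological sort: prerequisites always precede their dependents.

    Ties are broken alphabetically so the plan is deterministic.
    Raises ValueError if the dependency graph contains a cycle.
    """
    dependents = _dependents(deps)
    # number of prerequisites not yet restored, per service
    pending = {svc: len(needs) for svc, needs in deps.items()}
    ready = deque(sorted(svc for svc, n in pending.items() if n == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for dep in sorted(dependents[svc]):
            pending[dep] -= 1
            if pending[dep] == 0:
                ready.append(dep)
    if len(order) != len(deps):
        stuck = sorted(svc for svc, n in pending.items() if n > 0)
        raise ValueError(f"circular dependency among: {stuck}")
    return order


def blocked_by(deps, service):
    """All services (transitively) that cannot run until `service` is restored.

    Useful for explaining why a given system sits at the top of the priority list.
    """
    if service not in deps:
        raise ValueError(f"unknown service {service!r}")
    dependents = _dependents(deps)
    seen, stack = set(), [service]
    while stack:
        for dep in dependents[stack.pop()]:
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


if __name__ == "__main__":
    for step, svc in enumerate(recovery_order(DEPENDENCIES), start=1):
        waiting = blocked_by(DEPENDENCIES, svc)
        print(f"{step}. {svc}  (unblocks {len(waiting)} downstream service(s))")
```

With the map above the plan starts with Active Directory, which unblocks all five other services, and places SQL Server ahead of MRP/Accounting, matching the order the recovery team followed.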


"For the most part, the manufacturing operation never missed a beat and we produced all customer shipments."

Over the following month, important milestones in the restoration project were reached through close collaboration between Progent consultants and the client:

  • In-house web sites were returned to operation with no loss of data.
  • The MailStore Server archive, holding more than 4 million historical messages, was restored to operation and made accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Ninety percent of the desktop computers were functioning as before the incident.

"Much of what was accomplished that first week is mostly a blur for me, but my management will not forget the commitment each of your team put in to give us our business back. I've been working with Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A probable business-ending disaster was averted through the efforts of dedicated professionals, a wide array of IT skills, and close collaboration. Although forensics showed in hindsight that the attack detailed here should have been detected and prevented by advanced security technology and ISO/IEC 27001 best practices, user training, and well thought out procedures for backup and software patching, the reality is that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's roster of experts has substantial experience in crypto-ransomware blocking, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for making it so I could get some sleep after we made it through the first week. All of you did an amazing job, and if anyone is around the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Austin a variety of online monitoring and security assessment services designed to assist you to minimize the threat from ransomware. These services incorporate next-generation artificial intelligence capability to uncover new strains of crypto-ransomware that can escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's next-generation behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily escape legacy signature-matching AV tools. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to automate the entire threat lifecycle including filtering, detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical in-depth security for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring of and response to security threats from all vectors. ProSight ESP offers firewall protection, penetration alerts, device management, and web filtering via cutting-edge technologies packaged within one agent and accessible from a single console. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP deployment that meets your organization's unique needs and that helps you demonstrate compliance with legal and industry information security standards. Progent will help you define and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate action. Progent can also help your company set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup/restore technology providers to create ProSight Data Protection Services, a family of subscription-based offerings that provide backup-as-a-service. ProSight DPS products manage and monitor your data backup processes and allow non-disruptive backup and rapid recovery of vital files, apps, images, and VMs. ProSight DPS helps you recover from data loss resulting from hardware breakdown, natural calamities, fire, malware such as ransomware, user error, ill-intentioned employees, or software glitches. Managed services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security vendors to deliver web-based management and world-class protection for all your email traffic. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. The Cloud Protection Layer serves as a first barrier and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to external threats and saves network bandwidth and storage. Email Guard's onsite gateway appliance adds a further level of inspection for inbound email. For outbound email, the local gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server track and safeguard internal email that stays within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to map, monitor, reconfigure and debug their connectivity hardware such as routers, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch makes sure that network maps are kept current, copies and manages the configuration of virtually all devices on your network, monitors performance, and sends notices when potential issues are discovered. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off common chores like making network diagrams, expanding your network, finding appliances that need important software patches, or isolating performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to keep your network operating at peak levels by checking the state of vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management staff and your assigned Progent consultant so any potential issues can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved easily to an alternate hosting solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard data related to your IT infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSLs or domains. By updating and organizing your IT infrastructure documentation, you can eliminate as much as 50% of time thrown away looking for critical information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes next-generation behavior-based machine learning technology to guard endpoints as well as servers and VMs against modern malware attacks such as ransomware and email phishing, which routinely get past traditional signature-matching AV tools. Progent Active Security Monitoring services protect on-premises and cloud resources and offer a single platform to manage the complete malware attack lifecycle including filtering, infiltration detection, mitigation, cleanup, and forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Learn more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Center: Support Desk Managed Services
    Progent's Call Desk managed services permit your IT team to offload Help Desk services to Progent or split responsibilities for Help Desk services seamlessly between your internal network support staff and Progent's nationwide pool of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a seamless extension of your core IT support team. User interaction with the Help Desk, provision of support, issue escalation, trouble ticket creation and tracking, performance measurement, and management of the service database are cohesive regardless of whether incidents are taken care of by your core support organization, by Progent, or a mix of the two. Read more about Progent's outsourced/shared Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a versatile and affordable solution for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your dynamic IT network. Besides maximizing the protection and functionality of your IT environment, Progent's software/firmware update management services allow your in-house IT team to concentrate on line-of-business projects and tasks that deliver the highest business value from your information network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication. Duo supports one-tap identity confirmation on Apple iOS, Google Android, and other personal devices. With 2FA, when you log into a secured online account and give your password you are asked to verify your identity via a device that only you possess and that is reached over a different ("out-of-band") network channel. A wide selection of devices can be used for this added form of authentication, including an iPhone, an Android phone, a smartwatch, a hardware token, or a landline telephone. You may register multiple verification devices. For details about Duo identity authentication services, see Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding family of real-time and in-depth management reporting tools designed to integrate with the industry's top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as spotty support follow-through or endpoints with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.

For 24/7/365 Austin crypto-ransomware removal services, contact Progent at 800-462-8800 or go to Contact Progent.