Crypto-Ransomware : Your Crippling IT Nightmare
Crypto-Ransomware Recovery Professionals
Ransomware has become an all-too-frequent cyber pandemic that poses an extinction-level threat to businesses of any size that are vulnerable to an attack. Ransomware strains like CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock have been around for years and still cause havoc. More recent variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, along with frequent unnamed malware, not only encrypt online files but also infiltrate most accessible system backups. Data replicated to cloud environments can also be ransomed. In a poorly architected data protection solution, this can render any restoration useless and effectively set the network back to square one.

Recovering programs and data after a ransomware intrusion becomes a race against time as the targeted organization struggles to stop lateral movement, remove the ransomware, and resume mission-critical operations. Because ransomware needs time to propagate, intrusions are usually launched at night, when an attack can take longer to recognize. This compounds the difficulty of quickly mobilizing and organizing a capable response team.

Progent provides an assortment of services for securing organizations from ransomware attacks. These include user training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of modern security gateways with machine learning technology from SentinelOne to detect and extinguish new cyber threats quickly. Progent also can provide the services of veteran ransomware recovery consultants with the track record and perseverance to rebuild a compromised network as soon as possible.

Progent's Ransomware Recovery Help
Following a ransomware attack, paying the ransom in cryptocurrency provides no assurance that the distant criminals will hand over the keys needed to decrypt any or all of your data. Kaspersky determined that 17% of ransomware victims never recovered their information after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the typical crypto-ransomware demand, which ZDNET averages at approximately $13,000. The alternative is to rebuild the essential components of your IT environment from scratch. Without complete data backups, this requires a broad complement of IT skills, professional team management, and the ability to work 24x7 until the recovery project is finished.

For twenty years, Progent has offered professional IT services for businesses in Vitória and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained advanced certifications in important technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity engineers have garnered internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience with financial management and ERP application software. This breadth of experience provides Progent the skills to knowledgably determine necessary systems and re-organize the surviving components of your network system following a crypto-ransomware attack and rebuild them into an operational system.

Progent's ransomware group has state-of-the-art project management tools to coordinate the complex recovery process. Progent appreciates the urgency of working quickly and in unison with a client's management and Information Technology resources to prioritize tasks and to get essential systems back online as soon as possible.

Customer Case Study: A Successful Crypto-Ransomware Virus Restoration
A client hired Progent after their network was attacked by the Ryuk ransomware virus. Ryuk is generally considered to have been launched by North Korean government-sponsored cybercriminals, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific organizations with little or no ability to sustain operational disruption and is among the most profitable strains of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing business in Chicago with around 500 employees. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. Most of the client's backups had been online at the time of the intrusion and were encrypted. The client was preparing to pay the ransom demand (exceeding $200K) and hope for the best, but in the end reached out to Progent.

"I can't speak enough about the help Progent provided us throughout the most critical period of (our) company's life. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent team afforded us. The fact that you were able to get our messaging and essential applications back into operation in less than five days was beyond my wildest dreams. Each person I talked with or messaged at Progent was hell-bent on getting our company operational and was working at breakneck pace to bail us out."

Progent worked hand in hand with the client to rapidly identify and prioritize the mission-critical elements that had to be recovered in order to resume departmental functions:

  • Active Directory
  • Microsoft Exchange
  • MRP System
To begin, Progent followed industry best practices for ransomware incident mitigation by stopping lateral movement and cleaning up compromised systems. Progent then began bringing Microsoft Active Directory back online, the core of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not function without Active Directory, and the client's financial and MRP software used SQL Server, which depends on Active Directory for access to the databases.

Within two days, Progent recovered Active Directory to its pre-intrusion state. Progent then completed reinstallations and storage recovery for the most important applications. All Exchange Server data and attributes were intact, which accelerated the Exchange restore. Progent was also able to locate local OST files (Microsoft Outlook Offline Folder Files) on various desktops and laptops to recover email data. A reasonably recent offline backup of the customer's accounting/MRP systems made it possible to bring these essential applications back into service. Although much work remained to recover fully from the Ryuk virus, essential services were restored rapidly:

"For the most part, the production operation never missed a beat and we produced all customer orders."

Over the next month, important milestones in the restoration project were completed through close cooperation between Progent engineers and the customer:

  • In-house web applications were restored with no loss of data.
  • The MailStore archive for Exchange Server, containing more than 4 million historical emails, was brought online and made accessible to users.
  • CRM, customer orders, invoices, accounts payable (AP), accounts receivable and inventory modules were 100 percent functional.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • 90% of the desktops and laptops were back in use by staff.

"A lot of what went on that first week is nearly entirely a haze for me, but I will not soon forget the urgency all of you accomplished to give us our company back. I have entrusted Progent for at least 10 years, possibly more, and every time Progent has outperformed my expectations and delivered. This time was a testament to your capabilities."

Conclusion
A probable enterprise-killing disaster was avoided thanks to results-oriented experts, a broad range of IT skills, and tight teamwork. In hindsight, the ransomware incident described here could have been identified and stopped with advanced security technology and recognized best practices: staff training, well thought out incident response procedures, sound backup practices, and proper patching controls. Still, state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware incident, you can be confident that Progent's roster of experts has proven experience in crypto-ransomware defense, cleanup, and data recovery.

"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for letting me get rested after we made it over the initial push. All of you did an amazing job, and if any of your team is around the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Vitória a variety of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services incorporate modern AI capability to detect zero-day variants of ransomware that can escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's cutting edge behavior analysis tools to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely get by legacy signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a single platform to manage the complete malware attack progression including blocking, identification, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, penetration alerts, device control, and web filtering through leading-edge tools packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that meets your company's specific requirements and that helps you demonstrate compliance with government and industry information security standards. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require immediate action. Progent can also assist your company to set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup software companies to produce ProSight Data Protection Services, a family of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and monitor your backup processes and allow non-disruptive backup and fast restoration of important files, applications, images, plus VMs. ProSight DPS lets you protect against data loss caused by hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned insiders, or software glitches. Managed services in the ProSight Data Protection Services portfolio include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to identify which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security companies to provide centralized control and world-class security for your email traffic. The powerful architecture of Email Guard combines a Cloud Protection Layer with an on-premises gateway device to provide complete defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks most threats before they reach your network firewall. This decreases your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a further layer of inspection for incoming email. For outgoing email, the local security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server track and protect internal email that originates and ends within your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent’s ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map out, track, optimize and debug their connectivity hardware like switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Using cutting-edge RMM technology, WAN Watch ensures that infrastructure topology maps are always current, captures and manages the configuration information of virtually all devices on your network, monitors performance, and sends notices when problems are detected. By automating tedious management activities, ProSight WAN Watch can cut hours off common tasks like making network diagrams, expanding your network, finding appliances that require important software patches, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent’s server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network running efficiently by tracking the health of vital computers that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT management personnel and your Progent consultant so all potential issues can be resolved before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be ported easily to an alternate hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard data related to your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and managing your network documentation, you can eliminate as much as 50% of the time spent trying to find vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're making enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates next-generation behavioral machine learning tools to defend endpoint devices as well as physical and virtual servers against modern malware assaults like ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus products. Progent Active Security Monitoring services safeguard local and cloud-based resources and provide a single platform to manage the entire malware attack lifecycle including filtering, detection, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Help Center: Help Desk Managed Services
    Progent's Help Desk managed services enable your information technology staff to outsource Help Desk services to Progent or split responsibilities for support services seamlessly between your in-house network support team and Progent's nationwide roster of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a seamless extension of your corporate IT support organization. End user interaction with the Help Desk, delivery of support, issue escalation, trouble ticket creation and updates, performance measurement, and management of the service database are cohesive regardless of whether incidents are taken care of by your core IT support resources, by Progent, or a mix of the two. Find out more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide businesses of any size a versatile and cost-effective solution for evaluating, testing, scheduling, implementing, and documenting updates to your dynamic IT system. Besides maximizing the protection and functionality of your computer network, Progent's patch management services free up time for your in-house IT staff to concentrate on more strategic projects and tasks that deliver maximum business value from your network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication service plans incorporate Cisco's Duo technology to protect against compromised passwords by using two-factor authentication (2FA). Duo enables one-tap identity confirmation with Apple iOS, Android, and other out-of-band devices. With 2FA, when you sign into a protected application and enter your password, you are asked to verify your identity on a device that only you possess and that is reached over a separate network channel. A wide range of devices can be used for this added means of identity validation, such as an iPhone, Android phone or wearable, a hardware/software token, or a landline phone. You may designate multiple validation devices. To find out more about Duo two-factor identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services.

For 24x7x365 Vitória Crypto Cleanup Consulting, call Progent at 800-462-8800 or go to Contact Progent.