Crypto-Ransomware: Your Worst Information Technology Nightmare
Crypto-ransomware has become an escalating cyberplague that poses an extinction-level danger for businesses vulnerable to an attack. Earlier iterations of crypto-ransomware such as CrySIS, Fusob, Bad Rabbit, SamSam and the MongoLock cryptoworms have been replicating for a long time and still cause destruction. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Nephilim, along with many unnamed strains, not only encrypt online data files but also infiltrate any system backups they can reach. Data synced to off-site disaster recovery sites can be encrypted as well. In a poorly designed environment, this can make automatic restore operations impossible and effectively sets the network back to square one.

Recovering services and information after a ransomware attack becomes a sprint against time as the targeted organization fights to contain the damage, clear the ransomware, and restore enterprise-critical operations. Since ransomware needs time to move laterally, attacks are frequently triggered on weekends and holidays, when a successful penetration typically takes longer to notice. This compounds the difficulty of quickly assembling and orchestrating an experienced response team.

Progent makes available an assortment of services for securing enterprises against ransomware events. Among these are team training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of security gateways with machine learning technology from SentinelOne to detect and extinguish zero-day cyber threats automatically. Progent also offers the services of experienced crypto-ransomware recovery professionals with the track record and perseverance to reconstruct a compromised network as soon as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the remote criminals will provide the keys to decrypt any or all of your information. Kaspersky Labs found that 17% of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the usual crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to rebuild from scratch the mission-critical parts of your Information Technology environment. Without complete information backups, this requires a broad complement of skill sets, professional project management, and the willingness to work 24x7 until the task is done.

For twenty years, Progent has provided expert IT services for businesses in Vitória and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of expertise allows Progent to quickly identify critical systems, organize the surviving parts of your IT environment following a ransomware penetration, and rebuild them into an operational system.

Progent's security group uses best-of-breed project management applications to orchestrate the complex restoration process. Progent knows the importance of acting rapidly and in unison with a customer's management and Information Technology resources to prioritize tasks and put key applications back online as soon as humanly possible.

Customer Story: A Successful Ransomware Attack Response
A client contacted Progent after their organization was penetrated by the Ryuk ransomware virus. Ryuk is generally considered to have been created by North Korean state-sponsored criminal gangs, suspected of adopting technology leaked from America's National Security Agency. Ryuk targets specific organizations with limited room for operational disruption and is among the most profitable incarnations of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with around 500 workers. The Ryuk attack had paralyzed all company operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network when the attack began and were damaged. The client was taking steps to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but in the end engaged Progent.


"I cannot thank you enough for the support Progent gave us throughout the most fearful period of (our) company's survival. We may have had to pay the cyber criminals if not for the confidence the Progent group gave us. The fact that you were able to get our e-mail and production servers back on-line in less than five days was beyond my wildest dreams. Every single consultant I interacted with or e-mailed at Progent was amazingly focused on getting us working again and was working 24 by 7 on our behalf."

Progent worked together with the customer to quickly identify and prioritize the most important elements that had to be addressed in order to resume departmental functions:

  • Windows Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software

To start, Progent followed industry best practices for ransomware incident mitigation by halting lateral movement and cleaning up infected systems. Progent then began the work of restoring Microsoft Active Directory, the heart of enterprise environments built on Microsoft technology. Microsoft Exchange email will not work without Active Directory, and the client's financial and MRP applications ran on SQL Server, which relies on Active Directory to authenticate and authorize access to the data.

Within two days, Progent was able to restore Active Directory to its pre-penetration state. Progent then helped rebuild key systems and recover their hard drives. All Microsoft Exchange Server ties and attributes in Active Directory were intact, which facilitated the restore of Exchange. Progent was also able to locate local OST data files (Microsoft Outlook Offline Folder Files) on various workstations to recover mail data. A recent offline backup of the client's accounting/ERP systems made it possible to bring these essential applications back online. Although a lot of work remained to recover fully from the Ryuk damage, essential systems were returned to operation rapidly:


"For the most part, the assembly line operation survived unscathed and we did not miss any customer sales."

During the next couple of weeks critical milestones in the recovery process were accomplished in tight cooperation between Progent consultants and the client:

  • In-house web applications were returned to operation with no loss of data.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were completely restored.
  • A new Palo Alto 850 firewall was brought online.
  • Most of the desktops and laptops were back into operation.

"So much of what transpired those first few days is mostly a fog for me, but I will not forget the countless hours each and every one of you accomplished to help get our business back. I've entrusted Progent for the past ten years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered. This situation was a stunning achievement."

Conclusion
A possible business-ending catastrophe was avoided with results-oriented experts, a broad spectrum of subject matter expertise, and close collaboration. In retrospect, the crypto-ransomware incident described here could have been stopped with current security technology, ISO/IEC 27001 best practices, user training, well thought out incident response procedures for information protection, and keeping systems current with security patches. The reality, however, is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware incursion, be assured that Progent's roster of experts has a proven track record in ransomware blocking, removal, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), thanks very much for letting me get some sleep after we got over the initial fire. All of you made an amazing effort, and if any of your guys is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Vitória a variety of online monitoring and security evaluation services to help minimize your exposure to crypto-ransomware. These services include next-generation machine learning capabilities to uncover new variants of ransomware that are able to evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior analysis technology to defend physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus products. ProSight ASM protects local and cloud-based resources and provides a single platform to manage the complete malware attack progression including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and respond to cyber assaults from all attack vectors. ProSight ESP provides firewall protection, penetration alerts, endpoint control, and web filtering via cutting-edge tools packaged within one agent managed from a single console. Progent's data protection and virtualization consultants can help your business design and implement a ProSight ESP environment that addresses your company's unique needs and that allows you to achieve and demonstrate compliance with government and industry data security standards. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require urgent action. Progent can also help you install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore technology providers to create ProSight Data Protection Services (DPS), a family of management outsourcing plans that deliver backup-as-a-service. ProSight DPS services manage and track your data backup operations and enable transparent backup and fast recovery of critical files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, human mistakes, malicious insiders, or application glitches. Managed backup services in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these fully managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security vendors to deliver web-based control and comprehensive protection for your inbound and outbound email. The layered structure of Email Guard combines a Cloud Protection Layer with a local security gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your exposure to external attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper level of analysis for inbound email. For outgoing email, the local security gateway provides AV and anti-spam filtering, DLP, and email encryption. The local gateway can also help Exchange Server track and safeguard internal email that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller businesses to diagram, monitor, enhance and debug their networking hardware like switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept current, copies and displays the configuration information of virtually all devices on your network, monitors performance, and sends notices when potential issues are detected. By automating complex network management processes, WAN Watch can knock hours off common tasks like network mapping, expanding your network, finding devices that need critical software patches, or resolving performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your IT system operating at peak levels by tracking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT management staff and your Progent consultant so all potential issues can be resolved before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hosting solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and protect data about your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By updating and managing your network documentation, you can save as much as 50% of the time spent searching for critical information about your IT network. ProSight IT Asset Management provides a centralized location for holding and sharing all documents related to managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that uses cutting-edge behavior analysis tools to defend endpoint devices and physical and virtual servers against modern malware assaults like ransomware and email phishing, which easily escape legacy signature-based anti-virus tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and offer a single platform to manage the complete threat lifecycle including protection, identification, containment, remediation, and forensics. Top capabilities include single-click rollback with Windows VSS and automatic system-wide immunization against new threats. Learn more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
    Progent's Support Desk services enable your IT group to outsource Help Desk services to Progent or divide activity for support services seamlessly between your internal network support resources and Progent's extensive roster of IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a smooth supplement to your core IT support organization. User access to the Service Desk, delivery of support, issue escalation, trouble ticket generation and tracking, efficiency metrics, and maintenance of the service database are consistent whether issues are taken care of by your core support resources, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide organizations of any size a flexible and affordable solution for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving IT system. In addition to optimizing the protection and functionality of your IT environment, Progent's patch management services free up time for your IT team to focus on line-of-business initiatives and activities that deliver maximum business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA services use Cisco's Duo technology to protect against compromised passwords with two-factor authentication (2FA). Duo supports one-tap identity verification with iOS, Google Android, and other out-of-band devices. With 2FA, whenever you sign into a protected online account and enter your password, you are asked to verify your identity on a device that only you possess and that uses a separate network channel. A broad selection of out-of-band devices can be used for this added means of authentication, including a smartphone or watch, a hardware or software token, or a landline phone. You may designate multiple verification devices. To learn more about Duo identity authentication services, visit Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of in-depth management reporting plug-ins created to integrate with the industry's top ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as spotty support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.

For Vitória 24-Hour Crypto Recovery Help, reach out to Progent at 800-462-8800 or go to Contact Progent.