Crypto-Ransomware: Your Worst Information Technology Catastrophe
Ransomware has become an escalating cyber pandemic and an existential threat to organizations that are unprepared for an attack. Ransomware families such as Reveton, CryptoWall, Bad Rabbit, SamSam and the MongoLock cryptoworms have been replicating for many years and still cause havoc. The latest variants, such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti and Nephilim, plus many unnamed strains, not only encrypt online data files but also encrypt every system restore point and backup they can reach. Files synced to the cloud can be encrypted as well. In a poorly designed environment this renders automated recovery useless and effectively sets the datacenter back to square one.

Recovering services and data after a ransomware outage becomes a race against the clock as the targeted organization tries to contain the damage, remove the ransomware, and resume business-critical operations. Because ransomware takes time to spread, attacks are usually launched on weekends, when a successful intrusion may take longer to notice. This compounds the difficulty of promptly assembling and coordinating an experienced remediation team.

Progent offers a variety of solutions for protecting enterprises from crypto-ransomware incidents. These include training staff to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security products built on SentinelOne's machine learning technology to identify and disable new threats intelligently. Progent also provides experienced crypto-ransomware recovery consultants with the skills and commitment to restore a compromised environment as quickly as possible.

Progent's Ransomware Restoration Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will respond with the keys to decrypt any or all of your files. Kaspersky Labs determined that seventeen percent of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms are often a few hundred thousand dollars, and for larger organizations the ransom can run into the millions. The alternative is to rebuild the key parts of your IT environment. Without usable backups of essential data, this calls for a broad range of skills, professional project management, and the ability to work around the clock until the job is done.

For decades, Progent has provided professional IT services for companies across the U.S. and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and the major distributions of Linux. Progent's cyber security specialists hold internationally recognized certifications including CISA, CISSP, CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of expertise allows Progent to understand the important systems, organize the surviving parts of your IT environment after a ransomware event, and configure them into a working network.

Progent's recovery team uses best-of-breed project management applications to orchestrate the complex recovery process. Progent understands the urgency of working quickly and in unison with the client's management and IT staff to prioritize tasks and bring the most important applications back online as soon as humanly possible.

Customer Story: A Successful Crypto-Ransomware Incident Recovery
A business escalated to Progent after its network was penetrated by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-sponsored hackers, possibly using technology leaked from America's National Security Agency. Ryuk targets specific businesses with little tolerance for disruption and is one of the most profitable incarnations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with about 500 employees. The Ryuk incident had frozen all business operations and manufacturing. Most of the client's backups had been online at the time of the intrusion and were encrypted. The client was preparing to pay the ransom (in excess of $200K) and hoping for the best, but ultimately engaged Progent.


"I cannot say enough about the expertise Progent provided us during the most stressful period of (our) company's life. We would have paid the cybercriminals if not for the confidence the Progent team afforded us. The fact that you could get our e-mail and key applications back into operation faster than one week was amazing. Each staff member I worked with or e-mailed at Progent was hell bent on getting us working again and was working 24 by 7 on our behalf."

Progent worked with the client to quickly identify and prioritize the critical elements that had to be recovered in order to resume business operations:

  • Microsoft Active Directory
  • Electronic Messaging
  • Financials/MRP

To start, Progent followed industry best practices for malware incident response by stopping the spread and cleaning infected systems. Progent then began restoring Microsoft Active Directory, the foundation of enterprise environments built on Microsoft Windows. Microsoft Exchange Server email will not work without Windows AD, and the business's MRP software used Microsoft SQL Server, which relied on Windows AD to authenticate access to the data.

In less than 2 days, Progent was able to restore Active Directory to its pre-intrusion state. Progent then helped reinstall and recover storage for the essential applications. All Exchange Server schema extensions and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Offline Data Files) from various desktop computers in order to recover mail messages. A recent offline backup of the business's accounting/ERP systems made it possible to bring these essential applications back into service. Although significant work remained to recover fully from the Ryuk event, the most important systems were recovered quickly:


"For the most part, the production operation was never shut down and we delivered all customer orders."

Over the next couple of weeks, key milestones in the restoration process were reached in close collaboration between Progent team members and the customer:

  • Internal web sites were brought back up without losing any information.
  • The MailStore Exchange Server containing more than four million archived emails was brought online and accessible to users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables (AR)/Inventory capabilities were 100 percent operational.
  • A new Palo Alto 850 firewall was brought online.
  • Nearly all of the user PCs were functioning as before the incident.

"A lot of what happened that first week is nearly entirely a haze for me, but I will not forget the dedication all of you put in to help get our business back. I've trusted Progent for the past ten years, possibly more, and every time Progent has shined and delivered. This time was the most impressive ever."

Conclusion
A potentially business-ending disaster was averted by hard-working experts, a broad spectrum of knowledge, and tight collaboration. In hindsight, the ransomware intrusion described here could have been stopped by up-to-date security technology, adherence to NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and sound procedures for data backup and software patching. Nevertheless, government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and will keep attacking. If you do fall victim to crypto-ransomware, remember that Progent's team of professionals has substantial experience in crypto-ransomware blocking, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), thank you for letting me get some sleep after we got past the initial push. All of you did an incredible job, and if any of your guys is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, see Progent's Ryuk Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Dallas a range of online monitoring and security evaluation services designed to help you minimize your exposure to ransomware. These services incorporate next-generation artificial intelligence to uncover new strains of ransomware that evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior-based analysis tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to manage the complete threat progression including filtering, identification, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge technologies packaged within one agent managed from a unified console. Progent's data protection and virtualization experts can assist you to design and implement a ProSight ESP deployment that meets your organization's specific requirements and that allows you to prove compliance with government and industry data protection standards. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent action. Progent can also assist you to set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with advanced backup/restore technology companies to create ProSight Data Protection Services, a selection of offerings that provide backup-as-a-service. ProSight DPS services manage and track your data backup processes and enable transparent backup and rapid restoration of vital files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you recover from data loss resulting from hardware failures, natural disasters, fire, malware such as ransomware, human mistakes, ill-intentioned employees, or application glitches. Managed backup services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security companies to provide web-based control and world-class security for all your email traffic. The powerful structure of Email Guard managed service combines cloud-based filtering with a local security gateway device to provide complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter acts as a preliminary barricade and blocks most threats from making it to your network firewall. This reduces your exposure to external threats and conserves system bandwidth and storage. Email Guard's onsite gateway device adds a further level of inspection for inbound email. For outgoing email, the onsite security gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized organizations to diagram, monitor, enhance and debug their networking appliances such as routers and switches, firewalls, and access points plus servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, copies and manages the configuration information of almost all devices on your network, tracks performance, and generates notices when problems are detected. By automating tedious network management processes, WAN Watch can knock hours off common tasks like network mapping, expanding your network, finding devices that need important updates, or resolving performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by tracking the state of vital assets that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT management personnel and your Progent consultant so any looming issues can be addressed before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hosting environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and safeguard data about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can eliminate up to 50% of time wasted trying to find critical information about your network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're making improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates next generation behavior analysis tools to defend endpoint devices and physical and virtual servers against modern malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-matching AV products. Progent ASM services protect local and cloud resources and provide a single platform to address the complete threat progression including protection, detection, containment, remediation, and forensics. Top capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Service Desk: Support Desk Managed Services
    Progent's Help Center managed services enable your information technology group to outsource Call Center services to Progent or divide activity for support services seamlessly between your internal support team and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless extension of your core IT support organization. Client access to the Service Desk, delivery of support services, issue escalation, trouble ticket creation and tracking, efficiency measurement, and management of the service database are cohesive whether issues are resolved by your in-house network support organization, by Progent, or by a combination. Learn more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and tracking updates to your ever-evolving IT network. Besides optimizing the security and functionality of your computer network, Progent's software/firmware update management services allow your in-house IT staff to concentrate on more strategic initiatives and tasks that derive the highest business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication. Duo enables single-tap identity verification with iOS, Android, and other out-of-band devices. Using Duo 2FA, whenever you log into a secured application and enter your password you are asked to confirm your identity on a device that only you have and that is reached over a separate network channel. A broad range of out-of-band devices can be used as this added form of authentication, including a smartphone or watch, a hardware/software token, or a landline phone. You can designate multiple validation devices. For details about ProSight Duo two-factor identity validation services, refer to Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of in-depth reporting tools designed to integrate with the leading ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues like spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.

For 24x7 Dallas Crypto-Ransomware Remediation Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.