Crypto-Ransomware : Your Feared IT Disaster
Crypto-Ransomware Remediation Experts
Ransomware has become an all-too-frequent cyberplague that poses an existential threat to organizations poorly prepared for an assault. Multiple generations of crypto-ransomware, including the CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms, have been in the wild for years and continue to inflict damage. Recent crypto-ransomware families such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with frequent unnamed variants, not only encrypt online data files but also compromise the configured system protection mechanisms. Data synchronized to cloud environments can be corrupted as well. Combined with a poorly architected data protection solution, this can make automated recovery impossible and effectively knock the entire environment back to zero.

Getting applications and data back online after a ransomware attack becomes a race against time as the targeted organization struggles to contain the damage, remove the ransomware, and restore business-critical operations. Because crypto-ransomware needs time to spread, attacks are usually launched at night or on weekends, when intrusions may take longer to discover. This compounds the difficulty of promptly marshalling and organizing an experienced response team.

Progent offers a range of services for protecting enterprises from ransomware events. These include staff education to help users recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security solutions with AI technology from SentinelOne to detect and quarantine zero-day cyber attacks quickly. Progent also offers the services of seasoned ransomware recovery consultants with the skills and commitment to re-deploy a compromised network as urgently as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, even paying the ransom in cryptocurrency provides no assurance that the criminals will return the keys to decrypt any or all of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000), far higher than the typical ransomware demand, which ZDNET estimates at around $13,000. The alternative is to rebuild the critical parts of your IT environment. Without complete data backups available, this calls for a wide range of skills, top-notch team management, and the willingness to work non-stop until the recovery project is complete.

For two decades, Progent has provided professional IT services to companies in Dallas and across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold advanced industry certifications in foundation technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security experts hold internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of expertise allows Progent to rapidly identify the critical systems, consolidate the remaining pieces of your IT environment following a ransomware penetration, and assemble them into a functioning system.

Progent's recovery group utilizes best of breed project management tools to orchestrate the complex recovery process. Progent understands the urgency of working rapidly and together with a client's management and IT resources to prioritize tasks and to get key applications back on line as fast as humanly possible.

Client Case Study: A Successful Ransomware Intrusion Restoration
A business sought out Progent after their organization was brought down by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored cybercriminals, suspected of using techniques leaked from the United States NSA. Ryuk targets specific businesses with limited ability to sustain disruption and is among the most profitable ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company based in Chicago with about 500 employees. The Ryuk event had paralyzed all business operations and manufacturing processes. Most of the client's backups had been online at the time of the intrusion and were encrypted. The client considered paying the ransom (exceeding $200K) and hoping for the best, but ultimately decided to engage Progent.

"I can't thank you enough in regards to the care Progent gave us throughout the most stressful time of (our) business's existence. We most likely would have paid the criminal gangs if not for the confidence the Progent group afforded us. That you could get our e-mail and critical servers back faster than five days was incredible. Each staff member I worked with or messaged at Progent was hell-bent on getting us back on-line and was working 24 by 7 on our behalf."

Progent worked with the client to quickly identify and prioritize the most important services that had to be restored to make it possible to continue company functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Accounting/MRP
To begin, Progent followed industry best practices for malware incident mitigation by stopping the spread and cleaning infected systems. Progent then started the process of bringing Microsoft Active Directory back online, since it is the heart of enterprise networks built on Microsoft technology: Exchange email will not function without Active Directory, and the business's MRP software relied on Microsoft SQL Server, which needs Active Directory to authenticate users to the database.
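The ordering described above (Active Directory before Exchange, and before the SQL Server that the MRP application needs) is an instance of a general restore-sequencing problem: every service can only come back once the services it depends on are running, and where several services are ready at once, business priority decides. The following is an added example, not Progent's code or part of the case study: it takes a constructed dependency map and priority table (the service names are taken from the case study; the dependencies and priority numbers are assumptions) and produces restore waves, refusing a plan that contains a dependency cycle or references a service that was never defined.

```python
"""Recovery-order planner for a ransomware restore (added example).

Sequences service restores so that every service comes back only after the
services it depends on, breaking ties by business priority. The dependency
map and priorities are constructed for illustration; a real plan would be
built from the organization's own application inventory.
"""

# Constructed dependency map: service -> services it requires to function.
SERVICES = {
    "Active Directory": set(),
    "Exchange": {"Active Directory"},
    "SQL Server": {"Active Directory"},
    "Accounting/MRP": {"SQL Server"},
    "Self-hosted web apps": {"Active Directory"},
    "MailStore archive": {"Exchange"},
}

# Constructed business priority: lower number = restore sooner when a choice exists.
PRIORITY = {
    "Active Directory": 0,
    "Exchange": 1,
    "Accounting/MRP": 1,
    "SQL Server": 1,
    "Self-hosted web apps": 2,
    "MailStore archive": 3,
}


def recovery_order(deps, priority):
    """Return the restore sequence as a list of waves.

    Each wave holds the services whose dependencies have all been restored in
    earlier waves, sorted by business priority (then name, for determinism).
    Raises ValueError if the map contains a cycle or references an undefined
    service, because a plan with either defect cannot be executed.
    """
    unknown = {d for reqs in deps.values() for d in reqs} - deps.keys()
    if unknown:
        raise ValueError(f"undefined dependencies: {sorted(unknown)}")

    remaining = {svc: set(reqs) for svc, reqs in deps.items()}
    waves = []
    while remaining:
        # Services with no unmet dependency can be restored in this wave.
        ready = [svc for svc, reqs in remaining.items() if not reqs]
        if not ready:
            # Nothing is ready but work remains: the graph has a cycle.
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        ready.sort(key=lambda s: (priority.get(s, 99), s))
        waves.append(ready)
        for svc in ready:
            del remaining[svc]
        # Mark this wave's services as satisfied for everything still waiting.
        for reqs in remaining.values():
            reqs.difference_update(ready)
    return waves


def flatten(waves):
    """Flatten waves into a single ordered restore list."""
    return [svc for wave in waves for svc in wave]


def plan_is_executable(deps, priority):
    """True when a valid restore order exists (no cycles, no undefined services)."""
    try:
        recovery_order(deps, priority)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for number, wave in enumerate(recovery_order(SERVICES, PRIORITY), start=1):
        print(f"Wave {number}: {', '.join(wave)}")
```

With the constructed map, Active Directory forms the first wave on its own; Exchange, SQL Server and the web applications follow once it is up; the MRP application and the mail archive come last because each waits on a second-wave service.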

Within two days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then helped reinstall needed applications and recover data from hard drives. All Exchange Server ties and configuration information were intact, which accelerated the restoration of Exchange. Progent was also able to collect local OST files (Outlook offline data files) from staff PCs and laptops to recover email data. A recent offline backup of the client's financials/ERP software made it possible to bring these vital applications back online. Although a large amount of work remained to recover fully from the Ryuk damage, the most important services were returned to operation quickly:

"For the most part, the production manufacturing operation showed little impact and we produced all customer orders."

During the following few weeks important milestones in the restoration process were achieved in tight cooperation between Progent engineers and the client:

  • Self-hosted web applications were returned to operation without losing any data.
  • The MailStore Exchange Server, holding more than 4 million historical emails, was brought online and made accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivable/Inventory Control functions were fully recovered.
  • A new Palo Alto 850 security appliance was deployed.
  • Nearly all of the user desktops and notebooks were back in use by staff.

"A lot of what happened in the initial days is mostly a fog for me, but our team will not soon forget the care each of your team accomplished to give us our company back. I have been working with Progent for the past ten years, possibly more, and each time I needed help Progent has impressed me and delivered. This situation was a life saver."

Conclusion
A potential business disaster was averted by hard-working professionals, a wide range of knowledge, and tight collaboration. In hindsight, the ransomware penetration described here could have been stopped with up-to-date cyber security solutions and security best practices, user training, and well-designed procedures for backup, software patching and incident response. The reality remains, however, that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to crypto-ransomware, you can be confident that Progent's roster of experts has extensive experience in crypto-ransomware blocking, cleanup, and information systems recovery.

"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for making it so I could get rested after we got over the first week. Everyone did an amazing job, and if any of your team is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Dallas a range of online monitoring and security assessment services designed to help you reduce the threat from crypto-ransomware. These services incorporate next-generation machine learning to uncover zero-day strains of crypto-ransomware that escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior analysis tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to address the entire malware attack progression including filtering, identification, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection services offer ultra-affordable multi-layer security for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge tools packaged within one agent accessible from a single console. Progent's security and virtualization consultants can help your business design and implement a ProSight ESP environment that addresses your organization's unique requirements and that allows you to demonstrate compliance with government and industry data protection standards. Progent will assist you in specifying and implementing the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent's consultants can also help you set up and test a backup and restore system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with advanced backup software companies to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup processes and enable non-disruptive backup and rapid restoration of critical files, apps, images, and VMs. ProSight DPS helps your business recover from data loss resulting from hardware failures, natural calamities, fire, cyber attacks like ransomware, human error, malicious insiders, or application bugs. Managed services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security companies to provide centralized management and world-class security for your email traffic. The powerful structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway device to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne malware. The cloud filter serves as a preliminary barricade and blocks most threats from reaching your security perimeter. This reduces your exposure to external attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway device adds a deeper level of analysis for inbound email. For outgoing email, the on-premises security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also assist Exchange Server to track and safeguard internal email that stays inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, track, enhance and debug their networking appliances like switches, firewalls, and access points plus servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that network maps are always current, copies and displays the configuration information of almost all devices connected to your network, tracks performance, and sends notices when problems are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can cut hours off ordinary tasks such as making network diagrams, expanding your network, finding devices that need critical updates, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your IT system operating efficiently by checking the health of vital assets that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your specified IT personnel and your assigned Progent consultant so all potential issues can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be moved immediately to a different hardware environment without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect information related to your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can save as much as half the time wasted searching for critical information about your network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Learn more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes next generation behavior-based machine learning technology to defend endpoints as well as servers and VMs against modern malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-based AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provide a unified platform to automate the complete threat lifecycle including filtering, detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows VSS and automatic system-wide immunization against new threats. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Center: Support Desk Managed Services
    Progent's Call Desk services enable your IT group to outsource Call Center services to Progent or divide activity for Help Desk services transparently between your in-house support staff and Progent's nationwide roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a smooth supplement to your corporate network support staff. Client interaction with the Service Desk, delivery of support, issue escalation, ticket creation and updates, performance measurement, and maintenance of the support database are cohesive regardless of whether incidents are resolved by your corporate IT support staff, by Progent's team, or a mix of the two. Read more about Progent's outsourced/shared Help Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management provide businesses of any size a versatile and affordable alternative for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information system. In addition to maximizing the protection and reliability of your computer network, Progent's patch management services allow your in-house IT staff to focus on more strategic projects and tasks that deliver maximum business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication. Duo enables one-tap identity verification on iOS, Android, and other personal devices. With Duo 2FA, when you log into a protected application and give your password you are asked to verify your identity via a device that only you possess and that uses a different network channel. A wide selection of out-of-band devices can be utilized for this added means of authentication including a smartphone or watch, a hardware/software token, a landline phone, etc. You can designate multiple verification devices. To learn more about ProSight Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of real-time reporting tools created to integrate with the industry's leading ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as spotty support follow-through or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.

For 24-Hour Dallas Crypto-Ransomware Repair Services, contact Progent at 800-462-8800 or go to Contact Progent.