Crypto-Ransomware : Your Feared Information Technology Disaster
Crypto-Ransomware Remediation Experts
Ransomware has become a modern cyber pandemic that poses an enterprise-level danger to businesses of any size that are poorly prepared for an attack. Older crypto-ransomware families such as CrySIS, CryptoWall, Bad Rabbit, SamSam and MongoLock have been in the wild for years and still inflict harm. More recent families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Nefilim, along with variants that have not yet been named, not only encrypt online data but also seek out and encrypt or delete any backups they can reach. Files replicated to off-site disaster recovery sites can be encrypted as well. In a poorly designed environment this renders restore operations useless and effectively sets the network back to square one.

Restoring services and data after a ransomware intrusion becomes a race against the clock as the targeted business works to contain and remove the malware and to restore business-critical activity. Because an intruder needs time to move laterally and stage the attack, encryption is often triggered on a weekend or holiday, when detection and response take longer. This multiplies the difficulty of rapidly assembling and coordinating a knowledgeable mitigation team.

Progent offers a range of services for protecting organizations against ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of current-generation endpoint protection built on SentinelOne's behavior-based detection to identify and stop zero-day threats quickly. Progent can also provide seasoned ransomware recovery engineers with the track record and persistence to rebuild a breached network as quickly as possible.

Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency offers no assurance that the criminals will deliver working decryption keys for all of your data. Kaspersky found that seventeen percent of ransomware victims never recovered their files even after paying, compounding their losses. Paying is also expensive: Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000), far above the average ransomware demand, which ZDNet put at about $13,000. The alternative is to rebuild the key components of your IT environment. Without access to usable backups, this requires a wide range of skills, professional project management, and the ability to work non-stop until the recovery is complete.

For twenty years, Progent has provided certified expert IT services to companies in Dayton and throughout the US and holds Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers with top certifications in foundation technologies such as Microsoft, Cisco, VMware, and major Linux distributions. Progent's cyber security specialists hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth of experience lets Progent quickly identify critical systems, salvage the surviving pieces of your IT environment after a crypto-ransomware attack, and reassemble them into a working system.

Progent's recovery team uses project management tools to orchestrate the complex restoration process. Progent understands the urgency of working quickly and in concert with the customer's management and IT staff to prioritize tasks and get essential services back online as fast as possible.

Customer Case Study: A Successful Crypto-Ransomware Incident Recovery
A business engaged Progent after it was hit by Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the earlier Hermes ransomware, but later analysis attributes it to a Russian-speaking criminal group. Ryuk targets specific companies with little or no tolerance for operational disruption and is one of the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had brought down all essential business and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client considered paying the ransom (over $200,000) and hoping for the best, but in the end called Progent.


"I cannot speak enough in regards to the help Progent provided us during the most stressful period of (our) company's existence. We most likely would have paid the hackers behind this attack if not for the confidence the Progent team provided us. That you were able to get our e-mail system and critical applications back in less than a week was amazing. Each consultant I interacted with or texted at Progent was totally committed to getting our company operational and was working at breakneck pace to bail us out."

Progent worked with the customer to quickly identify and prioritize the key systems that had to be recovered before departmental functions could restart:

  • Windows Active Directory
  • Microsoft Exchange
  • Financials/MRP
To start, Progent followed incident response best practices by isolating affected systems and removing the active malware before rebuilding anything. Progent then began recovering Active Directory, the foundation of an enterprise environment built on Windows Server. Exchange cannot function without AD, and the client's accounting and MRP system ran on Microsoft SQL Server, which relied on AD for authentication and authorization to the data.

In less than 48 hours, Progent rebuilt Active Directory to its pre-attack state. Progent then helped rebuild critical applications and recover their storage. All Exchange Server links and attributes in AD were usable, which accelerated the Exchange restore. Progent also located unencrypted OST files (Outlook Offline Data Files) on user workstations and laptops and used them to recover mailbox data. A reasonably recent offline backup of the accounting/ERP system made it possible to bring those vital applications back online. Although significant work remained to recover fully from the Ryuk damage, core systems were returned to operation rapidly:
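The OST recovery step above depends on finding data files the ransomware did not reach, and on not wasting time on files that were overwritten. The PowerShell below is an added example, not Progent's own tooling: it inventories Outlook OST/PST files under the default Outlook locations for every profile on a workstation and checks the 4-byte MS-PST signature ("!BDN") at offset 0, which an encrypted file will not carry. It also matches names such as mail.ost.<ext>, since many ransomware families append an extension when they rename a file. The search roots, the elevated session, and the 24-hour-style triage by LastWriteTime are the script's own assumptions.

```powershell
# Added example, not Progent's tooling: inventory Outlook OST/PST files and
# check whether each still carries the MS-PST signature "!BDN" at offset 0.
# Assumptions: files live under the default Outlook locations for each
# profile, and the script runs elevated so every profile is readable.

function Test-OutlookDataFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        $item  = Get-Item -LiteralPath $Path
        $magic = $null
        try {
            # FileShare 'ReadWrite' lets us read the header even if Outlook has the file open.
            $fs = [System.IO.File]::Open($item.FullName, 'Open', 'Read', 'ReadWrite')
            try {
                $buf = New-Object byte[] 4
                if ($fs.Read($buf, 0, 4) -eq 4) {
                    $magic = [System.Text.Encoding]::ASCII.GetString($buf)
                }
            } finally {
                $fs.Dispose()
            }
        } catch {
            Write-Warning "Cannot read $($item.FullName): $($_.Exception.Message)"
        }
        # $true = signature intact, $false = header overwritten, $null = unreadable
        $intact = if ($null -ne $magic) { $magic -eq '!BDN' } else { $null }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Path      = $item.FullName
            SizeMB    = [math]::Round($item.Length / 1MB, 1)
            LastWrite = $item.LastWriteTime   # a write after the intrusion began is suspicious even if Intact
            Intact    = $intact
        }
    }
}

function Find-OutlookDataFile {
    param(
        # Default Outlook data-file locations for every profile on the machine (assumed).
        [string[]]$Root = @(
            "$env:SystemDrive\Users\*\AppData\Local\Microsoft\Outlook",
            "$env:SystemDrive\Users\*\Documents\Outlook Files"
        )
    )
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.(ost|pst)(\.[^.]+)?$' } |   # mail.ost, mail.pst, mail.ost.<ext>
        Select-Object -ExpandProperty FullName |
        Test-OutlookDataFile
}

# Intact files first. To sweep a fleet, run the same pipeline through
# Invoke-Command -ComputerName against a list of workstations.
Find-OutlookDataFile | Sort-Object Intact -Descending | Format-Table -AutoSize
```

Treat Intact as necessary but not sufficient: an OST whose LastWrite falls after the intrusion began may have synchronized deletions or ransom notes from the compromised mailbox before the server went down, so copy the candidates to clean media and open them in Outlook on an isolated machine before importing anything into the rebuilt Exchange environment.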


"For the most part, the production operation did not miss a beat and we did not miss any customer sales."

Over the following weeks, key milestones in the restoration project were reached in close cooperation between Progent and the customer:

  • In-house web applications were restored with no loss of data.
  • The MailStore email archive, holding more than four million archived Exchange messages, was brought back online and made available to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory capabilities were fully restored.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • 90% of the user desktops and notebooks were functioning as before the incident.

"A lot of what transpired those first few days is mostly a fog for me, but we will not forget the dedication all of you showed to help get our business back. I've been working together with Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A potentially business-ending disaster was averted through top-tier professionals, a broad range of expertise, and close collaboration. In hindsight, the intrusion described here should have been stopped by layered security controls and best practices, user training, and sound procedures for offline backups and software patching, but the fact remains that criminal and state-sponsored actors in Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, you can be confident that Progent's team has substantial experience in ransomware defense, mitigation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were helping), thanks very much for allowing me to get rested after we made it over the initial push. Everyone made a fabulous effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Dayton a variety of remote monitoring and security assessment services to help reduce your exposure to crypto-ransomware. These services include modern machine learning technology to detect zero-day variants of crypto-ransomware that can slip past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's next-generation behavior analysis technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-matching AV products. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to address the complete threat progression including prevention, intrusion detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
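    The one-click rollback described above only works if VSS shadow copies still exist on the affected volume, and many ransomware families, Ryuk among them, delete shadow copies (typically with vssadmin) before they start encrypting. The PowerShell below is an added example, not SentinelOne's or Progent's code: it lists the shadow copies for each fixed volume and flags volumes that have no rollback point or whose newest copy is older than a configurable threshold. The 24-hour staleness threshold is an assumption; set it to match your snapshot schedule.

```powershell
# Added example, not SentinelOne or Progent code: list VSS shadow copies per
# fixed volume and flag volumes with no usable rollback point. Run elevated.

function Get-ShadowCopyStatus {
    param(
        # Treat a newest shadow copy older than this as stale (assumed threshold)
        [int]$MaxAgeHours = 24
    )
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
    Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter -and $_.DriveType -eq 3 } |   # DriveType 3 = local fixed disk
        ForEach-Object {
            $vol = $_
            # Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ path that Win32_Volume exposes as DeviceID
            $mine   = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID })
            $newest = $mine | Sort-Object InstallDate -Descending | Select-Object -First 1
            $age    = if ($newest) { [math]::Round(((Get-Date) - $newest.InstallDate).TotalHours, 1) } else { $null }
            $status = if (-not $newest) { 'NO ROLLBACK POINT' }
                      elseif ($age -gt $MaxAgeHours) { 'STALE' }
                      else { 'OK' }
            [pscustomobject]@{
                Drive        = $vol.DriveLetter
                ShadowCopies = $mine.Count
                NewestAgeHrs = $age
                Status       = $status
            }
        }
}

Get-ShadowCopyStatus | Format-Table -AutoSize
```

    Run this as part of a deployment check and again when an alert fires. On the detection side, a process-creation event (Sysmon Event ID 1 or Windows Security 4688) for vssadmin with "delete shadows" or "resize shadowstorage", or for wmic with "shadowcopy delete", is a high-confidence sign that encryption is imminent and is worth an automatic isolation response rather than a ticket.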

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable, in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to attacks from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through technologies built into a single agent managed from a single console. Progent's data protection and virtualization consultants can help you design and implement a ProSight ESP deployment that meets your company's requirements and helps you demonstrate compliance with legal and industry data protection regulations. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent can also help you set up and test a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a destructive attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with advanced backup software providers to produce ProSight Data Protection Services (DPS), a portfolio of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your data backup processes and allow transparent backup and rapid recovery of vital files/folders, apps, system images, and VMs. ProSight DPS helps your business avoid data loss caused by hardware failures, natural disasters, fire, malware like ransomware, user mistakes, ill-intentioned insiders, or software glitches. Managed services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security companies to deliver centralized management and comprehensive protection for your email traffic. The hybrid architecture of Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's onsite gateway device adds a further level of analysis for incoming email. For outgoing email, the local security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Exchange Server to track and protect internal email that originates and ends inside your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to map out, monitor, reconfigure and troubleshoot their networking hardware such as routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that network diagrams are always current, captures and displays the configuration of virtually all devices on your network, monitors performance, and generates alerts when issues are detected. By automating time-consuming network management activities, ProSight WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, locating appliances that require important updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system running at peak levels by checking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your designated IT management personnel and your assigned Progent consultant so that any potential problems can be resolved before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hardware solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect data related to your network infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be warned about upcoming expirations of SSL/TLS certificates or domain registrations. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of the time spent trying to find vital information about your IT network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection service that uses next-generation behavior-based machine learning to guard workstations and physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus products. The service protects on-premises and cloud resources and provides a single platform to automate the complete threat progression including protection, detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Read more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Call Center: Help Desk Managed Services
    Progent's Help Center managed services enable your information technology group to outsource Call Center services to Progent or split activity for Service Desk support seamlessly between your in-house network support staff and Progent's nationwide roster of IT service engineers and subject matter experts. Progent's Shared Service Desk provides a transparent supplement to your in-house IT support team. Client interaction with the Help Desk, delivery of technical assistance, issue escalation, trouble ticket creation and updates, efficiency measurement, and maintenance of the support database are cohesive regardless of whether incidents are resolved by your core support staff, by Progent, or both. Learn more about Progent's outsourced/co-managed Help Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of any size a flexible and cost-effective solution for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information network. In addition to maximizing the protection and functionality of your computer environment, Progent's patch management services free up time for your IT team to concentrate on line-of-business initiatives and tasks that derive maximum business value from your information network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication service plans use Cisco's Duo technology to defend against stolen or guessed passwords with two-factor authentication (2FA). Duo supports single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With 2FA, when you sign into a protected account and enter your password you are asked to verify who you are via a device that only you possess, reached over a separate ("out-of-band") channel. A wide selection of out-of-band devices can be used for this second factor, including a smartphone or watch, a hardware token, or a landline phone, and you can register several validation devices. For more information about ProSight Duo two-factor identity validation services, refer to Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing line of real-time and in-depth reporting tools designed to integrate with the leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues such as spotty support follow-up or endpoints with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For Dayton 24x7x365 Crypto-Ransomware Remediation Help, call Progent at 800-462-8800 or go to Contact Progent.