Crypto-Ransomware : Your Feared Information Technology Nightmare
Ransomware Remediation Professionals
Ransomware has become a modern cyberplague that presents an extinction-level danger for businesses vulnerable to an attack. Multiple generations of ransomware, including the CryptoLocker, Fusob, Locky, SamSam and MongoLock families, have been running rampant for years and continue to inflict destruction. Recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, as well as daily unnamed malware, not only encrypt online data but also infiltrate any reachable system backups. Files synced to cloud environments can also be ransomed. In a vulnerable environment, this can make automatic restore operations impossible and effectively sets the entire system back to zero.

Recovering applications and information following a ransomware intrusion becomes a sprint against time as the targeted business tries to stop lateral movement, remove the ransomware, and resume business-critical operations. Since ransomware takes time to spread, intrusions are frequently launched on weekends, when successful attacks often take longer to uncover. This multiplies the difficulty of quickly assembling and orchestrating a qualified response team.

Progent offers a range of support services for securing businesses against crypto-ransomware events. These include training staff to recognize and avoid phishing attacks, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security gateways with machine learning capabilities from SentinelOne to discover and quarantine zero-day attacks automatically. Progent also provides the assistance of experienced ransomware recovery consultants with the talent and commitment to re-deploy a breached system as urgently as possible.

Progent's Crypto-Ransomware Recovery Support Services
Soon after a crypto-ransomware attack, paying the ransom in cryptocurrency provides no assurance that the criminals will respond with the keys to decrypt all your files. Kaspersky found that seventeen percent of ransomware victims never recovered their data after sending the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the usual ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to re-install the essential components of your Information Technology environment. Without full information backups available, this calls for a wide range of skill sets, well-coordinated project management, and the ability to work continuously until the job is finished.

For decades, Progent has offered certified expert Information Technology services for businesses in Detroit and across the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have earned advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has expertise with accounting and ERP software solutions. This breadth of experience allows Progent to rapidly identify critical systems, salvage the remaining components of your Information Technology environment following a crypto-ransomware penetration, and rebuild them into a functioning network.

Progent's recovery team utilizes powerful project management systems to coordinate the complicated restoration process. Progent understands the importance of acting quickly and working together with a customer's management and Information Technology staff to prioritize tasks and to get essential services back online as fast as humanly possible.

Customer Story: A Successful Crypto-Ransomware Intrusion Response
A small business contacted Progent after its network was penetrated by Ryuk ransomware. Ryuk is thought to have been created by North Korean government-sponsored cybercriminals, suspected of using techniques leaked from the United States National Security Agency. Ryuk goes after specific companies with little or no tolerance for operational disruption and is one of the most profitable incarnations of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with about 500 employees. The Ryuk event had brought down all company operations and manufacturing processes. The majority of the client's system backups had been online at the start of the intrusion and were destroyed. The client considered paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I can't speak enough about the expertise Progent gave us during the most fearful time of (our) company's life. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent team provided us. The fact that you were able to get our messaging and important servers back on-line faster than five days was earth shattering. Each consultant I talked with or communicated with at Progent was totally committed to getting us working again and was working 24 by 7 to bail us out."

Progent worked hand in hand with the client to quickly understand and prioritize the essential elements that needed to be restored in order to resume business operations:

  • Windows Active Directory
  • Electronic Messaging
  • Accounting/MRP
To start, Progent followed incident-mitigation best practices for antivirus and malware response by halting the spread and removing active malware. Progent then began bringing Windows Active Directory back online, since it is the core of enterprise networks built on Microsoft technology. Microsoft Exchange Server email will not function without AD, and the business's MRP software utilized Microsoft SQL Server, which depends on Active Directory services to authenticate users to the database.
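The dependency chain just described (Active Directory first, then Exchange, then the SQL Server behind the MRP application) is also the order in which a recovery team should verify each layer before bringing up the next. The following PowerShell script is an added example, not Progent's own tooling or anything from the case study; it assumes Windows PowerShell 5.1 on a domain-joined administrative workstation with the RSAT ActiveDirectory module installed, and the host names `EXCH01-PLACEHOLDER` and `SQL01-PLACEHOLDER` are placeholders to replace with your own servers.

```powershell
# Added example (not Progent's code): post-restore readiness check that walks the
# AD -> Exchange -> SQL dependency chain and stops at the first unhealthy layer,
# so dependent services are not brought up before what they rely on is working.
# Assumes Windows PowerShell 5.1, RSAT ActiveDirectory module, domain-joined host.
param(
    [string]$ExchangeHost = 'EXCH01-PLACEHOLDER',   # placeholder name, replace
    [string]$SqlHost      = 'SQL01-PLACEHOLDER',    # placeholder name, replace
    [int]   $SqlPort      = 1433
)

Import-Module ActiveDirectory -ErrorAction Stop

function Test-AdReady {
    # Discover a domain controller; this fails outright when none is reachable.
    try { $dc = [string](Get-ADDomainController -Discover -ErrorAction Stop).HostName }
    catch { Write-Warning "No domain controller discoverable: $_"; return $false }

    # LDAP (389) and Kerberos (88) must answer, and SYSVOL must be shared, before
    # domain-joined servers can authenticate or apply Group Policy.
    foreach ($port in 389, 88) {
        if (-not (Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet)) {
            Write-Warning "$dc is not answering on TCP $port"; return $false
        }
    }
    if (-not (Test-Path "\\$dc\SYSVOL")) { Write-Warning "SYSVOL not shared on $dc"; return $false }
    Write-Host "Active Directory ready via $dc"
    return $true
}

function Test-ExchangeReady {
    # The Information Store is the service mailbox access depends on; it only
    # starts once the Exchange server can bind to Active Directory.
    $svc = Get-Service -ComputerName $ExchangeHost -Name MSExchangeIS -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne 'Running') {
        Write-Warning "MSExchangeIS is not running on $ExchangeHost"; return $false
    }
    Write-Host "Exchange Information Store running on $ExchangeHost"
    return $true
}

function Test-SqlReady {
    # Integrated security forces a Windows logon, which proves SQL Server can
    # authenticate against AD rather than merely that the port is open.
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$SqlHost,$SqlPort;Integrated Security=True;Connect Timeout=5")
    try { $conn.Open(); $ok = ($conn.State -eq 'Open') }
    catch { Write-Warning "SQL logon to $SqlHost failed: $_"; $ok = $false }
    finally { $conn.Dispose() }
    if ($ok) { Write-Host "SQL Server on $SqlHost accepts domain logons" }
    return $ok
}

# Run the checks in dependency order; the first failed layer ends the run.
$steps = @(
    @{ Name = 'Active Directory'; Check = { Test-AdReady } },
    @{ Name = 'Exchange';         Check = { Test-ExchangeReady } },
    @{ Name = 'SQL Server / MRP'; Check = { Test-SqlReady } }
)
foreach ($s in $steps) {
    if (-not (& $s.Check)) {
        Write-Error "Stopping: $($s.Name) is not ready; do not start dependent services yet."
        exit 1
    }
}
Write-Host "All layers verified in dependency order."
```

Run it from an account with domain and local-admin rights after each restoration milestone; because it exits at the first failing layer, it also doubles as a short checklist of what still needs attention at that stage of the rebuild.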

Within two days, Progent was able to restore Active Directory services to their pre-attack state. Progent then helped perform configuration and storage recovery on the most important applications. All Exchange Server data and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Offline Data Files) on staff desktop computers and laptops in order to recover email messages. A recent offline backup of the customer's manufacturing software made it possible to return these essential programs to users. Although major work remained to recover fully from the Ryuk attack, critical systems were restored quickly:


"For the most part, the production line operation never missed a beat and we delivered all customer orders."

Throughout the following couple of weeks, key milestones in the recovery project were achieved through tight collaboration between Progent consultants and the client:

  • Self-hosted web applications were restored without losing any information.
  • The MailStore Server, holding more than 4 million archived messages, was restored to operation and made accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory functions were 100% recovered.
  • A new Palo Alto 850 security appliance was set up.
  • 90% of the desktop computers were operational.

"Much of what was accomplished in the early hours is nearly entirely a fog for me, but we will not forget the dedication each and every one of your team showed to help get our business back. I've been working together with Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered. This event was the most impressive ever."

Conclusion
A potential enterprise-killing disaster was averted by top-tier professionals, a wide spectrum of knowledge, and close teamwork. Post-incident forensics showed that the ransomware attack detailed here could have been identified and stopped with current cyber security technology, NIST Cybersecurity Framework best practices, user and IT administrator training, and properly executed security procedures for data protection and patching controls. Even so, the reality is that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do get hit by ransomware, be confident that Progent's team of professionals has extensive experience in ransomware defense, cleanup, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thanks very much for allowing me to get rested after we got past the initial fire. Everyone did an amazing job, and if anyone that helped is around the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Detroit a variety of remote monitoring and security assessment services to assist you to reduce your vulnerability to crypto-ransomware. These services incorporate modern artificial intelligence technology to detect new variants of crypto-ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's next generation behavior-based machine learning tools to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a unified platform to manage the entire malware attack lifecycle including blocking, identification, mitigation, remediation, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alarms, device control, and web filtering through leading-edge tools incorporated within a single agent accessible from a unified console. Progent's security and virtualization consultants can help your business to plan and configure a ProSight ESP environment that addresses your company's specific needs and that helps you demonstrate compliance with legal and industry data protection regulations. Progent will assist you define and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that call for urgent attention. Progent can also help your company to install and test a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup technology companies to create ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your data backup processes and allow transparent backup and fast restoration of vital files/folders, applications, images, and VMs. ProSight DPS helps your business recover from data loss resulting from equipment failures, natural disasters, fire, cyber attacks like ransomware, user mistakes, ill-intentioned insiders, or software glitches. Managed backup services in the ProSight Data Protection Services portfolio include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security vendors to provide web-based management and comprehensive protection for your inbound and outbound email. The hybrid structure of Email Guard combines a Cloud Protection Layer with a local security gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based threats. The Cloud Protection Layer acts as a first line of defense and keeps most threats from making it to your network firewall. This decreases your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's onsite gateway appliance adds a further level of inspection for inbound email. For outgoing email, the local gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map, track, enhance and troubleshoot their connectivity appliances such as routers and switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and sends alerts when problems are detected. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary chores such as network mapping, reconfiguring your network, locating devices that require important software patches, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to help keep your network operating at peak levels by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT personnel and your Progent consultant so that any potential problems can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Since the system is virtualized, it can be moved easily to an alternate hosting environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard information about your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can save as much as 50% of the time wasted looking for vital information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates next generation behavior-based analysis tools to defend endpoints and physical and virtual servers against modern malware assaults like ransomware and email phishing, which easily get by legacy signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provides a single platform to manage the complete threat lifecycle including blocking, detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Call Desk: Call Center Managed Services
    Progent's Help Center services permit your IT staff to outsource Call Center services to Progent or divide activity for Help Desk services seamlessly between your internal support team and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a seamless extension of your internal support staff. End user interaction with the Service Desk, provision of technical assistance, escalation, trouble ticket generation and updates, efficiency metrics, and management of the support database are cohesive whether issues are taken care of by your in-house support organization, by Progent's team, or a mix of the two. Read more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide businesses of any size a versatile and cost-effective solution for assessing, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving information system. In addition to maximizing the protection and functionality of your computer network, Progent's software/firmware update management services permit your in-house IT staff to concentrate on more strategic projects and activities that derive the highest business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication services utilize Cisco's Duo technology to defend against stolen passwords by using two-factor authentication. Duo enables one-tap identity verification on iOS, Google Android, and other personal devices. With 2FA, whenever you sign into a protected online account and give your password, you are asked to confirm your identity via a device that only you possess and that uses a different network channel. A broad range of out-of-band devices can be utilized as this second form of identity validation, such as an iPhone, Android phone or wearable, a hardware token, or a landline phone. You may designate multiple verification devices. To find out more about ProSight Duo identity validation services, refer to Duo MFA two-factor authentication (2FA) services.
For 24/7/365 Detroit Ransomware Remediation Services, contact Progent at 800-462-8800 or go to Contact Progent.