Crypto-Ransomware : Your Crippling IT Catastrophe
Ransomware Recovery Experts

Ransomware has become a too-frequent cyber pandemic that presents an extinction-level danger for businesses of all sizes vulnerable to an attack. Different versions of ransomware such as Dharma, WannaCry, Locky, SamSam and MongoLock cryptoworms have been out in the wild for many years and continue to inflict destruction. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, as well as frequent as-yet-unnamed viruses, not only encrypt online information but also infect all configured system protection. Files replicated to the cloud can also be corrupted. In a poorly designed system, this can render automated recovery hopeless and effectively set the network back to square one.

Recovering programs and information after a crypto-ransomware outage becomes a race against the clock as the targeted business struggles to stop the spread, clean up the crypto-ransomware, and restore business-critical activity. Because crypto-ransomware requires time to replicate, attacks are often sprung during weekends and nights, when they may take longer to notice. This multiplies the difficulty of quickly marshalling and organizing a knowledgeable response team.

Progent has a variety of support services for securing organizations from ransomware events. Among these are user training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security appliances with artificial intelligence technology from SentinelOne to discover and disable zero-day threats automatically. Progent also provides the assistance of experienced crypto-ransomware recovery professionals with the talent and commitment to restore a breached system as rapidly as possible.

Progent's Crypto-Ransomware Restoration Services
Following a crypto-ransomware attack, paying the ransom demands in cryptocurrency does not ensure that cyber criminals will respond with the keys to decrypt any or all of your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to set up from scratch the critical components of your IT environment. Absent the availability of complete system backups, this requires a broad complement of skills, top-notch team management, and the ability to work continuously until the recovery project is finished.

For twenty years, Progent has provided professional Information Technology services for businesses in Durham and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security specialists have earned internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of experience provides Progent the ability to rapidly identify critical systems and consolidate the remaining pieces of your network system after a ransomware event and configure them into an operational network.

Progent's ransomware team uses powerful project management applications to orchestrate the complex restoration process. Progent knows the urgency of acting swiftly and together with a client's management and Information Technology team members to prioritize tasks and to put key applications back on line as fast as humanly possible.

Case Study: A Successful Ransomware Virus Response
A client escalated to Progent after their organization was taken over by the Ryuk ransomware virus. Ryuk is thought to have been created by North Korean state hackers, possibly adopting approaches leaked from America's National Security Agency. Ryuk seeks out specific companies with little room for disruption and is one of the most lucrative iterations of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company located in the Chicago metro area with around 500 employees. The Ryuk event had disabled all company operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the start of the intrusion and were eventually encrypted. The client was preparing to pay the ransom (in excess of $200K) and hope for the best, but in the end made the decision to use Progent.

"I cannot tell you enough about the help Progent provided us throughout the most critical time of (our) business's survival. We may have had to pay the Hackers if it wasn't for the confidence the Progent group afforded us. The fact that you could get our e-mail and essential applications back into operation in quicker than a week was something I thought impossible. Each expert I talked with or messaged at Progent was totally committed to getting us restored and was working all day and night on our behalf."

Progent worked hand in hand with the customer to quickly determine and prioritize the most important applications that had to be addressed to make it possible to resume business functions:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP

To begin, Progent adhered to industry best practices for malware incident mitigation by halting lateral movement and cleaning systems of viruses. Progent then initiated the steps of recovering Windows Active Directory, the core of enterprise networks built upon Microsoft technology. Microsoft Exchange messaging will not work without AD, and the customer's financials and MRP applications leveraged SQL Server, which depends on Windows AD for authentication and authorization to the databases.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then assisted with setup and hard drive recovery for mission-critical applications. All Microsoft Exchange Server schema and attributes were intact, which accelerated the restoration of Exchange. Progent was able to locate local OST files (Microsoft Outlook Offline Data Files) on team PCs to recover mail information. A recent offline backup of the business's manufacturing systems made it possible to bring these vital programs back online. Although a large amount of work remained to recover totally from the Ryuk virus, the most important systems were restored rapidly:

"For the most part, the production manufacturing operation ran fairly normally throughout and we made all customer deliverables."

Over the following month critical milestones in the recovery process were accomplished through close collaboration between Progent engineers and the client:

  • In-house web sites were returned to operation without losing any information.
  • The MailStore Exchange Server with over four million historical emails was spun up and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were fully operational.
  • A new Palo Alto 850 firewall was set up.
  • Nearly all of the desktop computers were back into operation.

"A lot of what was accomplished those first few days is nearly entirely a blur for me, but my team will not forget the urgency each and every one of your team accomplished to help get our company back. I have been working with Progent for the past ten years, possibly more, and every time Progent has come through and delivered. This situation was a testament to your capabilities."

Conclusion
A potential business-ending disaster was averted by top-tier professionals, a wide array of subject matter expertise, and tight teamwork. Analyzing the event afterwards, the crypto-ransomware penetration described here would have been identified and stopped by modern cyber security technology and ISO/IEC 27001 best practices, user and IT administrator education, and well thought out security procedures for information backup and for keeping systems up to date with security patches. The reality, however, is that government-sponsored cybercriminals from Russia, China and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware attack, feel confident that Progent's team of professionals has proven experience in ransomware virus blocking, cleanup, and data recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thank you for making it so I could get rested after we made it through the initial push. Everyone made an impressive effort, and if anyone is around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer case study, please click: Progent's Ransomware Virus Recovery Case Study Datasheet (PDF - 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Durham a variety of online monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services utilize next-generation AI technology to detect new strains of ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting-edge behavior analysis technology to guard physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which easily get by traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud resources and offers a single platform to address the entire malware attack progression, including protection, identification, mitigation, cleanup, and forensics. Key capabilities include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver affordable multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge tools packaged within a single agent managed from a unified console. Progent's security and virtualization experts can assist you to design and implement a ProSight ESP deployment that addresses your company's unique needs and that allows you to achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you define and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent's consultants can also help you to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore technology companies to create ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS products automate and track your backup operations and enable transparent backup and fast recovery of important files/folders, apps, images, plus virtual machines. ProSight DPS lets you recover from data loss caused by equipment failures, natural disasters, fire, cyber attacks such as ransomware, user mistakes, malicious employees, or application bugs. Managed services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading data security vendors to deliver centralized management and comprehensive protection for your email traffic. The powerful structure of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and keeps the vast majority of threats from making it to your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's onsite gateway appliance adds a further layer of inspection for inbound email. For outbound email, the on-premises gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to track and safeguard internal email traffic that stays inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map, monitor, optimize and troubleshoot their networking appliances like routers, firewalls, and load balancers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network maps are kept current, captures and displays the configuration of almost all devices on your network, monitors performance, and sends alerts when potential issues are discovered. By automating tedious management and troubleshooting processes, WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, locating devices that need important updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to keep your IT system operating efficiently by tracking the health of critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your specified IT management personnel and your Progent consultant so that all potential problems can be addressed before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be ported easily to a different hosting solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect information about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save as much as 50% of time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need as soon as you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes next-generation behavioral machine learning technology to guard endpoints, servers, and VMs against modern malware assaults such as ransomware and fileless exploits, which routinely escape legacy signature-based AV tools. Progent ASM services safeguard on-premises and cloud-based resources and provide a single platform to manage the entire malware attack lifecycle, including blocking, detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Support Desk services enable your IT team to outsource Support Desk services to Progent or divide activity for Service Desk support seamlessly between your in-house support group and Progent's extensive roster of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a transparent extension of your corporate IT support staff. User interaction with the Service Desk, delivery of technical assistance, issue escalation, ticket creation and tracking, efficiency measurement, and management of the support database are cohesive regardless of whether issues are taken care of by your in-house IT support group, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Help Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide organizations of all sizes a versatile and affordable solution for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT network. In addition to optimizing the protection and functionality of your computer network, Progent's patch management services allow your IT staff to focus on more strategic projects and tasks that deliver maximum business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against stolen passwords by using two-factor authentication. Duo supports single-tap identity confirmation with iOS, Google Android, and other out-of-band devices. Using Duo 2FA, when you sign into a secured application and enter your password you are asked to confirm your identity via a device that only you possess and that is accessed using a different ("out-of-band") network channel. A broad range of devices can be used as this added form of authentication including an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may register several verification devices. For details about ProSight Duo identity authentication services, go to Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing suite of real-time and in-depth reporting plug-ins created to work with the top ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues like spotty support follow-through or machines with out-of-date AV. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.

For 24-Hour Durham CryptoLocker Cleanup Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.