Crypto-Ransomware: Your Crippling Information Technology Catastrophe
Ransomware has become a too-frequent cyberplague that poses an extinction-level danger for businesses of all sizes that are vulnerable to an assault. Different versions of crypto-ransomware such as Reveton, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for years and continue to inflict havoc. Recent strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with daily unnamed viruses, not only encrypt on-line data but also infiltrate many configured system backups. Data synched to the cloud can also be corrupted. In a poorly architected data protection solution, this can make automated restoration useless and effectively sets the datacenter back to square one.
Recovering programs and data following a crypto-ransomware outage becomes a sprint against the clock as the targeted business tries its best to stop lateral movement and eradicate the virus and to restore business-critical operations. Because ransomware takes time to move laterally, assaults are frequently launched during nights and weekends, when penetrations may take more time to discover. This multiplies the difficulty of promptly assembling and orchestrating a capable response team.
Progent has a variety of services for protecting organizations from ransomware penetrations. These include team training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation security appliances with AI technology to quickly identify and disable zero-day cyber threats. Progent in addition provides the services of experienced crypto-ransomware recovery professionals with the skills and perseverance to rebuild a compromised network as quickly as possible.
Progent's Ransomware Restoration Services
Subsequent to a crypto-ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will return the keys to decrypt all your information. Kaspersky estimated that 17% of ransomware victims never restored their data after having paid the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to re-install the mission-critical components of your Information Technology environment. Absent the availability of full data backups, this requires a broad range of IT skills, top-notch project management, and the ability to work non-stop until the job is completed.
For twenty years, Progent has provided expert Information Technology services for companies in Brasília and throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have earned internationally-recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent in addition has experience in accounting and ERP application software. This breadth of experience gives Progent the ability to knowledgeably understand necessary systems, consolidate the surviving pieces of your IT environment following a crypto-ransomware event, and rebuild them into a functioning network.
Progent's ransomware group utilizes state-of-the-art project management tools to coordinate the complicated recovery process. Progent appreciates the importance of acting rapidly and together with a customer’s management and Information Technology staff to assign priority to tasks and to get key applications back on-line as fast as possible.
Client Case Study: A Successful Ransomware Intrusion Response
A small business sought out Progent after their network was attacked by the Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state-sponsored criminal gangs, suspected of using strategies leaked from America's National Security Agency. Ryuk goes after specific businesses with little room for operational disruption and is one of the most lucrative iterations of ransomware malware. Major targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business based in the Chicago metro area with around 500 employees. The Ryuk penetration had brought down all company operations and manufacturing capabilities. The majority of the client's system backups had been on-line at the beginning of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom (more than $200,000) and wishfully hoping for the best, but in the end engaged Progent.
"I can't say enough about the expertise Progent gave us during the most fearful period of (our) company's life. We would have paid the Hackers if not for the confidence the Progent team afforded us. The fact that you could get our e-mail and essential servers back into operation in less than 1 week was incredible. Every single person I got help from or messaged at Progent was absolutely committed to getting us back on-line and was working all day and night to bail us out."
Progent worked together with the customer to quickly identify and assign priority to the most important systems that had to be restored in order to restart business functions:
- Windows Active Directory
To begin, Progent adhered to ransomware incident mitigation industry best practices by halting lateral movement and cleaning up infected systems. Progent then started the process of restoring Microsoft Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange Server email will not function without AD, and the customer's accounting and MRP system leveraged Microsoft SQL Server, which needs Active Directory for authentication to the databases.
In less than 48 hours, Progent was able to recover Active Directory services to their pre-intrusion state. Progent then completed rebuilding and hard drive recovery of essential applications. All Exchange Server ties and attributes in AD were usable, which accelerated the restore of Exchange. Progent was also able to collect intact OST files (Outlook Offline Folder Files) on team workstations to recover email data. A recent off-line backup of the business's financial/MRP systems made it possible to bring these required programs back on-line. Although significant work remained to recover completely from the Ryuk event, the most important services were returned to operations rapidly:
"For the most part, the assembly line operation ran fairly normal throughout and we delivered all customer sales."
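The OST collection step in the case study above, as an added example that is not part of Progent's write-up: a triage script that walks workstation profile folders for Outlook data files and checks the file header, since .ost/.pst files begin with the four-byte signature !BDN while a copy that ransomware has encrypted in place does not. The folder layout, file names and file contents are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Outlook data files (.ost/.pst) begin with the ASCII signature "!BDN".
# A file that ransomware has encrypted in place no longer carries it, so the
# header is a cheap first test of whether a cached mailbox is worth collecting.
OUTLOOK_MAGIC = b"!BDN"
OUTLOOK_SUFFIXES = {".ost", ".pst"}


def classify_outlook_file(path):
    """Return 'intact' if the file starts with the Outlook header, else 'damaged'."""
    with open(path, "rb") as fh:
        head = fh.read(len(OUTLOOK_MAGIC))
    return "intact" if head == OUTLOOK_MAGIC else "damaged"


def find_outlook_files(root):
    """Walk root and classify every Outlook data file beneath it.

    Files that gained an extra extension when they were encrypted
    (e.g. mailbox.ost.locked) are still picked up, because every suffix
    in the name is examined, not only the last one.
    """
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            suffixes = {s.lower() for s in Path(name).suffixes}
            if suffixes & OUTLOOK_SUFFIXES:
                full = os.path.join(dirpath, name)
                rel = Path(os.path.relpath(full, root)).as_posix()
                results[rel] = classify_outlook_file(full)
    return results


def intact_outlook_files(root):
    """Sorted relative paths of files still usable as a mail recovery source."""
    return sorted(p for p, s in find_outlook_files(root).items() if s == "intact")


def build_sample_tree(base):
    """Constructed sample data: two workstation profiles, not real captures."""
    ws01 = Path(base) / "ws01"
    ws02 = Path(base) / "ws02"
    ws01.mkdir(parents=True)
    ws02.mkdir(parents=True)
    # Untouched cache file: valid header followed by filler bytes.
    (ws01 / "alice.ost").write_bytes(OUTLOOK_MAGIC + b"\x00" * 60)
    # Encrypted copy: header overwritten and an extra extension appended.
    (ws02 / "bob.ost.locked").write_bytes(bytes(range(64)))
    # Unrelated file that must be ignored.
    (ws02 / "readme.txt").write_bytes(b"not a mailbox")
    return str(base)


def demo_results():
    """Build the constructed tree in a temp dir and return its classification."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_outlook_files(tmp), intact_outlook_files(tmp)


if __name__ == "__main__":
    classified, usable = demo_results()
    for rel, state in sorted(classified.items()):
        print(f"{state:8} {rel}")
    print("recoverable:", usable)
```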
Over the next month important milestones in the restoration project were achieved through tight collaboration between Progent team members and the customer:
- In-house web applications were restored with no loss of data.
- The MailStore Server with over 4 million historical messages was brought online and available for users.
- CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were fully recovered.
- A new Palo Alto Networks 850 firewall was installed.
- 90% of the desktops and laptops were back in use by staff.
"So much of what occurred in the initial days is mostly a fog for me, but my management will not soon forget the countless hours each of you put in to give us our business back. I have trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered. This event was a Herculean accomplishment."
A possible business catastrophe was avoided due to top-tier professionals, a broad array of subject matter expertise, and close teamwork. Although in post mortem the crypto-ransomware attack described here would have been identified and blocked with advanced security solutions and ISO/IEC 27001 best practices, user and IT administrator training, and well-designed incident response procedures for information backup and proper patching controls, the reality is that government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware incursion, feel confident that Progent's roster of professionals has substantial experience in crypto-ransomware virus defense, remediation, and data disaster recovery.
"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for letting me get some sleep after we got through the most critical parts. All of you did an amazing effort, and if any of your guys is around the Chicago area, dinner is the least I can do!"
To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Brasília a variety of online monitoring and security assessment services to assist you to reduce the threat from crypto-ransomware. These services include next-generation machine learning technology to detect new variants of crypto-ransomware that are able to escape detection by legacy signature-based anti-virus products.
For Brasília 24x7 Ransomware Removal Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes next generation behavior-based analysis technology to defend physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which routinely escape traditional signature-based anti-virus tools. ProSight ASM protects local and cloud resources and provides a single platform to address the entire threat progression including protection, infiltration detection, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against new threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint control, and web filtering via cutting-edge tools packaged within a single agent managed from a single console. Progent's security and virtualization consultants can help you to design and implement a ProSight ESP deployment that addresses your company's specific requirements and that allows you to demonstrate compliance with government and industry data security standards. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent can also help you to install and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has partnered with leading backup software companies to produce ProSight Data Protection Services (DPS), a portfolio of management offerings that deliver backup-as-a-service. ProSight DPS services automate and track your data backup processes and enable non-disruptive backup and fast recovery of critical files, apps, images, plus VMs. ProSight DPS helps your business recover from data loss caused by hardware breakdown, natural disasters, fire, cyber attacks like ransomware, user error, ill-intentioned employees, or software glitches. Managed backup services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these fully managed services are most appropriate for your IT environment.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top data security companies to deliver web-based control and comprehensive protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter acts as a preliminary barricade and keeps most threats from reaching your security perimeter. This reduces your vulnerability to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper layer of analysis for inbound email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.
- ProSight WAN Watch: Infrastructure Remote Monitoring and Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to diagram, monitor, enhance and troubleshoot their connectivity appliances such as switches, firewalls, and access points plus servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always updated, captures and manages the configuration of virtually all devices on your network, tracks performance, and generates notices when problems are detected. By automating time-consuming management activities, ProSight WAN Watch can knock hours off ordinary chores such as making network diagrams, reconfiguring your network, locating devices that need critical software patches, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent’s server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by checking the state of critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT management personnel and your Progent consultant so that all potential problems can be addressed before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved easily to an alternate hardware environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, find and protect information related to your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned about impending expirations of SSLs or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as 50% of time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you’re making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need as soon as you need it. Find out more about ProSight IT Asset Management service.
- Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes cutting-edge behavior-based machine learning technology to guard endpoint devices as well as physical and virtual servers against modern malware assaults like ransomware and email phishing, which routinely evade traditional signature-based AV tools. Progent Active Security Monitoring services protect local and cloud resources and offer a unified platform to automate the complete threat progression including blocking, infiltration detection, mitigation, remediation, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Find out more about Progent's ransomware defense and recovery services.
- Progent's Outsourced/Shared Help Desk: Call Center Managed Services
Progent's Call Center services permit your information technology team to offload Help Desk services to Progent or split activity for Service Desk support seamlessly between your in-house support team and Progent's extensive pool of IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a transparent extension of your core IT support team. User interaction with the Help Desk, delivery of support, issue escalation, trouble ticket generation and tracking, performance measurement, and management of the support database are consistent regardless of whether incidents are resolved by your internal support resources, by Progent's team, or both. Learn more about Progent's outsourced/shared Help Desk services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's managed services for software and firmware patch management provide businesses of any size a flexible and affordable alternative for assessing, validating, scheduling, applying, and documenting software and firmware updates to your dynamic information system. In addition to optimizing the security and functionality of your computer network, Progent's software/firmware update management services permit your in-house IT staff to focus on more strategic initiatives and activities that derive the highest business value from your network. Find out more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
Progent's Duo MFA managed services utilize Cisco's Duo technology to protect against password theft by using two-factor authentication. Duo supports one-tap identity verification on Apple iOS, Android, and other personal devices. Using 2FA, when you sign into a protected online account and give your password you are requested to verify your identity via a device that only you possess and that uses a separate network channel. A wide range of out-of-band devices can be utilized as this second form of authentication, including an iPhone, an Android phone, a smartwatch, a hardware or software token, a landline phone, etc. You may designate several verification devices. For more information about Duo identity authentication services, refer to Duo MFA two-factor authentication services for access security.