Crypto-Ransomware: Your Feared Information Technology Disaster
Ransomware has become a modern cyber pandemic that presents an extinction-level threat to businesses vulnerable to an attack. Ransomware families such as Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock have been in the wild for years and still cause damage. Newer strains such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Nephilim, plus a steady stream of as yet unnamed newcomers, do not just encrypt online data files: they also go after the protections that would otherwise allow recovery, disabling security tools and destroying shadow copies and any backups reachable from the compromised network. Data synchronized to cloud storage can be encrypted along with it. In a poorly designed environment this leaves automatic restore operations useless and effectively sets the entire system back to zero.

Getting online services and data back after a ransomware outage becomes a sprint against time: the targeted business must stop lateral movement, eradicate the ransomware and restore mission-critical activity all at once. Because encrypting a whole network takes time, attackers frequently trigger the payload at night or over a weekend, when the attack takes longer to recognize. This multiplies the difficulty of quickly assembling and orchestrating a capable response team.

Progent offers a variety of services for protecting organizations against ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for behavior-based endpoint protection with remote monitoring and management, and deployment of next-generation security gateways that use machine learning to detect and quarantine zero-day threats. Progent can also provide expert ransomware recovery engineers with the track record and perseverance to restore a compromised network as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt your data. Kaspersky found that seventeen percent of ransomware victims who paid never recovered their files, compounding their losses. The exposure is also expensive: Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), well above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to piece the essential parts of your IT environment back together. Without complete, uncompromised backups, this calls for a wide range of skills, professional project management, and the capacity to work around the clock until the job is done.

For twenty years, Progent has provided certified IT services to businesses in Uniondale and across the United States, and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts (SMEs) includes consultants with advanced industry certifications in foundation technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC (refer to Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of experience lets Progent knowledgeably identify critical systems, organize the surviving components of your IT environment after a ransomware intrusion, and assemble them into a working network.

Progent's recovery team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the importance of acting swiftly, and of working with the customer's management and IT staff to prioritize tasks and bring essential systems back online as fast as humanly possible.

Client Story: A Successful Ransomware Incident Recovery
A client contacted Progent after their network was attacked by the Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, and its operators were suspected of using techniques leaked from America's National Security Agency; later analysis attributed its operation to a Russian-speaking criminal group. Ryuk targets specific organizations with little ability to sustain operational disruption and is one of the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company in the Chicago metro area with about 500 employees. The Ryuk event had halted all business operations and manufacturing. Most of the client's backups had been directly reachable from the network when the attack began and were destroyed along with the production data. The client was considering paying the ransom (more than two hundred thousand dollars) and hoping for the best, but instead reached out to Progent.


"I can't tell you enough in regards to the support Progent gave us during the most stressful time of (our) company's survival. We would have paid the Hackers if it wasn't for the confidence the Progent team gave us. That you could get our messaging and key applications back online in less than one week was incredible. Each staff member I got help from or communicated with at Progent was hell bent on getting us restored and was working non-stop on our behalf."

Progent worked together with the client to quickly identify and prioritize the critical areas that had to be restored to make it possible to resume departmental functions:

  • Active Directory
  • Exchange Server
  • Financials/MRP
To begin, Progent followed incident-response best practice by containing the spread and eradicating the malware from infected systems. Progent then began restoring Windows Active Directory, the foundation of any enterprise environment built on Microsoft Windows: Exchange Server cannot run without AD, and the customer's MRP system ran on Microsoft SQL Server and relied on Windows authentication through AD for access to its data.

Within two days, Progent had restored Active Directory to its pre-attack state. Progent then moved on to rebuilding servers and recovering data for the most important applications. The Exchange organization objects and attributes in AD were intact, which simplified the Exchange restore. Progent located Outlook offline data files (.ost) on staff PCs and used them to recover mailbox contents. A recent offline backup of the client's accounting/MRP software made it possible to bring those vital applications back online. Although considerable work remained before recovery from Ryuk was complete, the most important services were returned to operation rapidly:
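The three recovery steps above (AD first, then Exchange, then the SQL-backed MRP data) each have a check a responder would run before moving on. The script below is an added example, not Progent's code or part of the case study: it verifies domain controller health and replication, confirms that the Exchange organization still exists in the AD Configuration partition (which is what makes a server rebuild rather than a fresh install possible), and inventories Outlook .ost files on workstations before users log on and a new Outlook profile overwrites them. It assumes a domain-joined admin workstation with RSAT installed; the hostnames and report path are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Progent's code. Post-restore triage for AD, Exchange, and mailbox salvage.
# Assumptions: run from a domain-joined admin workstation with RSAT; the workstation names
# below are placeholders and must be reachable over SMB (admin share C$).
param(
    [string[]]$Workstations = @('WS-FIN01', 'WS-ENG07'),   # placeholder hostnames
    [string]$ReportPath = (Join-Path $env:TEMP 'ost-inventory.csv')
)

# 1. Domain controllers: dcdiag /q prints only failures, so no output is the goal.
#    Replication failures between DCs usually mean a stale or half-restored DC.
foreach ($dc in Get-ADDomainController -Filter *) {
    Write-Host "== $($dc.HostName) =="
    dcdiag /s:$($dc.HostName) /q
    Get-ADReplicationFailure -Target $dc.HostName |
        Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
}

# 2. Exchange keeps its organization configuration in the AD Configuration partition.
#    If the container survived, servers can be rebuilt with "setup /m:RecoverServer"
#    instead of a new organization being created from scratch.
$configNC = (Get-ADRootDSE).configurationNamingContext
$exchangeOrg = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" `
    -SearchScope OneLevel -LDAPFilter '(objectClass=msExchOrganizationContainer)' `
    -ErrorAction SilentlyContinue
if ($exchangeOrg) {
    Write-Host "Exchange organization present in AD: $($exchangeOrg.Name)"
    Get-ADObject -SearchBase $exchangeOrg.DistinguishedName `
        -LDAPFilter '(objectClass=msExchExchangeServer)' |
        Select-Object Name, DistinguishedName
} else {
    Write-Warning 'No Exchange organization in the Configuration partition; plan a fresh installation.'
}

# 3. Mailbox salvage: Outlook in cached mode keeps a full mailbox copy in an .ost file under
#    %LOCALAPPDATA%\Microsoft\Outlook. Inventory them before anyone builds a new profile.
$ostReport = foreach ($ws in $Workstations) {
    $usersRoot = "\\$ws\C$\Users"
    if (-not (Test-Path $usersRoot)) { Write-Warning "Cannot reach $usersRoot"; continue }
    foreach ($userDir in Get-ChildItem -Path $usersRoot -Directory) {
        $outlookDir = Join-Path $userDir.FullName 'AppData\Local\Microsoft\Outlook'
        if (-not (Test-Path $outlookDir)) { continue }
        foreach ($ost in Get-ChildItem -Path $outlookDir -Filter '*.ost' -File -ErrorAction SilentlyContinue) {
            [pscustomobject]@{
                Workstation = $ws
                UserProfile = $userDir.Name
                OstFile     = $ost.FullName
                SizeGB      = [math]::Round($ost.Length / 1GB, 2)
                LastWrite   = $ost.LastWriteTime   # a pre-attack timestamp is what you want
            }
        }
    }
}

if ($ostReport) {
    $ostReport | Sort-Object LastWrite -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "$(@($ostReport).Count) .ost file(s) inventoried; report written to $ReportPath"
} else {
    Write-Warning 'No .ost files found on the listed workstations.'
}
```

Copy the .ost files off the workstations (read-only, to storage the attacker never reached) before any remediation tooling or user logon touches them; an .ost whose LastWrite is after the encryption started may already contain the attacker's damage or a freshly synced empty mailbox.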


"For the most part, the production line operation never missed a beat and we did not miss any customer orders."

Over the following couple of weeks, key milestones in the restoration were reached through close cooperation between Progent's team and the customer:

  • Internal web sites were brought back up without losing any information.
  • The MailStore email archive, holding more than four million historical messages, was brought back online and made available to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory modules were 100 percent operational.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • Ninety percent of the desktops and laptops were fully operational.

"A huge amount of what occurred during the initial response is nearly entirely a fog for me, but our team will not soon forget the care all of your team accomplished to help get our business back. I've trusted Progent for the past 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This time was a testament to your capabilities."

Conclusion
A potentially business-ending catastrophe was averted through dedicated experts, a broad range of technical expertise, and close collaboration. In hindsight, the ransomware attack described here should have been detected and blocked by modern security technology and best practices: user and IT administrator training, backups kept offline or otherwise out of reach of the production network, prompt security patching, and rehearsed incident response procedures. Nonetheless, state-sponsored and criminal attackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by a ransomware intrusion, you can be confident that Progent's team of experts has extensive experience in ransomware defense, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), I'm grateful for letting me get some sleep after we made it past the initial fire. Everyone did an incredible job, and if anyone that helped is around the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Uniondale a range of remote monitoring and security assessment services to help minimize exposure to ransomware. These services use next-generation behavior-based and machine learning detection to catch zero-day ransomware strains that evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses behavior-based analysis to defend physical and virtual endpoints against modern malware such as ransomware and fileless exploits, which routinely evade legacy signature-matching anti-virus products. ProSight ASM protects on-premises and cloud resources and offers a single platform covering the whole threat lifecycle: protection, detection, containment, remediation, and forensics. Key capabilities include single-click rollback of encrypted files from Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable, in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and machine learning to continuously monitor and respond to attacks from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through technologies incorporated in a single agent managed from a single console. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP deployment that meets your organization's requirements and lets you demonstrate compliance with legal and industry data protection standards. Progent will help you specify and configure the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent can also help your company set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore technology vendors to produce ProSight Data Protection Services, a portfolio of backup-as-a-service offerings. ProSight DPS services automate and monitor your backup operations and allow non-disruptive backup and fast recovery of critical files, applications, images, and virtual machines. ProSight DPS lets your business avoid data loss caused by hardware failures, natural disasters, fire, malware such as ransomware, user mistakes, malicious employees, or application bugs. Managed services in the ProSight DPS family include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built appliances, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you decide which of these fully managed services best fit your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security companies to deliver centralized control and comprehensive protection for all your email traffic. The powerful structure of Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter serves as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to external threats and saves system bandwidth and storage. Email Guard's on-premises gateway device provides a deeper layer of inspection for inbound email. For outbound email, the onsite gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server to monitor and protect internal email that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map, track, reconfigure and troubleshoot their connectivity hardware like switches, firewalls, and access points as well as servers, printers, client computers and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and manages the configuration information of almost all devices on your network, tracks performance, and sends notices when potential issues are discovered. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, finding devices that need important updates, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to help keep your network running efficiently by tracking the state of the vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT management staff and your Progent engineering consultant so that potential issues can be resolved before they disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hosting solution without a time-consuming and technically risky reinstallation. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard information about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By keeping your IT documentation current, you can save up to half of the time spent looking for critical information about your network. ProSight IT Asset Management provides a common location for storing and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and how-to guides. It also offers a high degree of automation for collecting and correlating IT information. Whether you're making enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need as soon as you need it. Find out more about the ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection platform (EPP) that uses next-generation behavior-based analysis to guard workstations and physical and virtual servers against new malware such as ransomware and fileless exploits, which easily evade traditional signature-based anti-virus products. The service protects local and cloud-based resources and provides a single platform covering the entire attack lifecycle: blocking, detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Call Center: Call Center Managed Services
    Progent's Support Desk managed services permit your IT staff to outsource Support Desk services to Progent or divide responsibilities for support services seamlessly between your internal support resources and Progent's nationwide pool of certified IT support engineers and subject matter experts. Progent's Shared Service Desk offers a smooth supplement to your core network support resources. User interaction with the Help Desk, delivery of technical assistance, problem escalation, ticket creation and tracking, efficiency measurement, and maintenance of the support database are consistent whether issues are taken care of by your internal IT support staff, by Progent, or both. Find out more about Progent's outsourced/co-managed Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer businesses of all sizes a flexible and affordable solution for evaluating, testing, scheduling, applying, and tracking updates to your dynamic information network. Besides maximizing the security and functionality of your computer environment, Progent's software/firmware update management services allow your IT staff to concentrate on line-of-business projects and tasks that derive maximum business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication service plans use Cisco's Duo technology to defend against stolen passwords with two-factor authentication (2FA). Duo supports single-tap identity verification on iOS, Android, and other out-of-band devices. With 2FA, after you log into a protected application and enter your password, you are asked to confirm your identity on a device that only you possess and that is reached over a separate network channel. A broad range of out-of-band devices can serve as this second factor, such as an iPhone, an Android phone or watch, a hardware or software token, or a landline phone. You may register multiple verification devices. To learn more about Duo identity validation services, go to Cisco Duo MFA two-factor authentication services.
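The VSS-based rollback described for ProSight Active Security Monitoring and Active Defense Against Ransomware above only works if shadow copies still exist when the damage is noticed, and Ryuk and most current ransomware families delete them (typically with vssadmin, wmic or WMI) immediately before encrypting. The script below is an added example, not Progent's or any vendor's code: it reports how many shadow copies each fixed volume holds and hunts the Security log for the shadow-copy and recovery-tampering commands that precede encryption. It assumes process-creation auditing (event ID 4688) with command-line logging is enabled; without that policy the CommandLine field is empty and the hunt finds nothing. The regex patterns are mine, not a vendor signature set.

```powershell
# Added example, not Progent's or any vendor's code. Checks VSS snapshot coverage and hunts
# Security event 4688 for shadow-copy deletion / recovery tampering commands.
# Assumptions: run as local administrator; "Audit Process Creation" and
# "Include command line in process creation events" are enabled, or no CommandLine is logged.
param(
    [int]$LookbackHours   = 24,
    [int]$MinShadowCopies = 1
)

# 1. Shadow copies per fixed volume. Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID
#    both use the \\?\Volume{GUID}\ form, so they can be joined directly.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
$volumes = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter -and $_.DriveType -eq 3 }   # 3 = local fixed disk

$inventory = foreach ($v in $volumes) {
    $copies = @($shadows | Where-Object { $_.VolumeName -eq $v.DeviceID })
    $newest = ($copies | Sort-Object InstallDate -Descending | Select-Object -First 1).InstallDate
    [pscustomobject]@{
        Drive      = $v.DriveLetter
        Copies     = $copies.Count
        Newest     = $newest
        Sufficient = ($copies.Count -ge $MinShadowCopies)
    }
}
$inventory | Format-Table -AutoSize
if ($inventory | Where-Object { -not $_.Sufficient }) {
    Write-Warning 'One or more volumes have no shadow copies; VSS-based rollback cannot work there.'
}

# 2. Commands ransomware runs to destroy restore points before encrypting.
$patterns = @(
    'vssadmin(\.exe)?\s.*delete\s+shadows',
    'vssadmin(\.exe)?\s.*resize\s+shadowstorage',
    'wmic(\.exe)?\s.*shadowcopy\s+delete',
    'wbadmin(\.exe)?\s.*delete\s+(catalog|systemstatebackup|backup)',
    'bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)',
    'Win32_ShadowCopy.*\.Delete\('
)
$regex = [regex]::new(($patterns -join '|'), 'IgnoreCase')

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.CommandLine -and $regex.IsMatch($data.CommandLine)) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Parent      = $data.ParentProcessName   # empty on older Windows versions
            CommandLine = $data.CommandLine
        }
    }
}

if ($hits) {
    Write-Warning "$(@($hits).Count) shadow-copy tampering command(s) found; treat this host as compromised."
    $hits | Format-List
} else {
    Write-Host "No shadow-copy deletion commands in the Security log for the last $LookbackHours hours."
}
```

A hit here is an early-stage indicator: on a Ryuk-style intrusion the deletion commands run seconds to minutes before encryption begins, so the alert should isolate the host rather than open a ticket. Note also that a clean result proves little if the attacker cleared the Security log (event ID 1102) or if command-line auditing was never enabled, which is why the script states that assumption up front.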
For 24-7 Uniondale Ransomware Remediation Experts, call Progent at 800-462-8800 or go to Contact Progent.