Crypto-Ransomware : Your Crippling IT Disaster
Ransomware Recovery Consultants
Ransomware has become a too-frequent cyberplague that poses an extinction-level danger for businesses of all sizes vulnerable to an attack. Different iterations of ransomware like the Reveton, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been around for a long time and still inflict havoc. More recent variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, as well as other as yet unnamed variants, not only encrypt online data but also infect all accessible system restores and backups. Data replicated to cloud environments can also be ransomed. In a poorly designed data protection solution, this can render any restore operations useless and basically knocks the network back to square one.

Getting programs and information back online following a crypto-ransomware intrusion becomes a race against the clock as the victim fights to stop the spread, eradicate the virus and restore mission-critical activity. Since crypto-ransomware takes time to move laterally, attacks are frequently launched during weekends and nights, when penetrations in many cases take longer to detect. This multiplies the difficulty of promptly mobilizing and organizing a qualified mitigation team.

Progent provides a range of services for securing enterprises from ransomware penetrations. These include team member education to help staff identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security appliances with machine learning capabilities from SentinelOne to discover and quarantine zero-day cyber attacks quickly. Progent also offers the assistance of experienced ransomware recovery consultants with the talent and perseverance to rebuild a compromised system as rapidly as possible.

Progent's Ransomware Restoration Services
Soon after a ransomware attack, sending the ransom in cryptocurrency does not provide any assurance that criminal gangs will respond with the codes needed to decipher all your information. Kaspersky Labs estimated that 17% of ransomware victims never recovered their information even after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET estimates at around $13,000. The fallback is to piece back together the vital parts of your Information Technology environment. Absent the availability of essential system backups, this calls for a broad range of skill sets, top-notch project management, and the ability to work non-stop until the job is finished.

For decades, Progent has offered professional IT services for companies in Greensboro and across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned top certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have garnered internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in accounting and ERP software solutions. This breadth of experience gives Progent the skills to efficiently understand the necessary systems, integrate the surviving parts of your computer network following a ransomware event, and configure them into a functioning system.

Progent's recovery group uses state-of-the-art project management systems to orchestrate the complex recovery process. Progent knows the urgency of acting quickly and in unison with a client's management and IT team members to prioritize tasks and to get critical applications back on line as fast as possible.

Customer Story: A Successful Ransomware Penetration Recovery
A small business contacted Progent after their network was taken over by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state hackers, suspected of adopting strategies leaked from America's National Security Agency. Ryuk goes after specific companies with limited ability to sustain operational disruption and is among the most lucrative incarnations of ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area with around 500 staff members. The Ryuk intrusion had frozen all essential operations and manufacturing processes. The majority of the client's data backups had been on-line at the beginning of the intrusion and were destroyed. The client was actively seeking loans for paying the ransom (more than $200K) and praying for the best, but ultimately brought in Progent.


"I cannot thank you enough in regards to the care Progent gave us throughout the most critical time of (our) company's survival. We may have had to pay the cybercriminals if not for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and important servers back into operation in less than seven days was beyond my wildest dreams. Each staff member I talked with or texted at Progent was hell bent on getting our company operational and was working at breakneck pace on our behalf."

Progent worked together with the customer to quickly determine and prioritize the mission critical services that had to be recovered in order to resume business operations:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Financials/MRP
To get going, Progent adhered to AV/malware incident response best practices by halting the spread and removing active viruses. Progent then began the steps of rebuilding Windows Active Directory, the key technology of enterprise environments built on Microsoft technology. Microsoft Exchange Server messaging will not function without Windows AD, and the business's accounting and MRP applications leveraged SQL Server, which depends on Active Directory for authentication to the data.

Within 2 days, Progent was able to recover Active Directory services to their pre-attack state. Progent then rebuilt the configuration and recovered the storage of mission-critical systems. All Exchange schema and configuration information was usable, which accelerated the rebuild of Exchange. Progent was able to collect non-encrypted OST files (Outlook Offline Folder Files) on various desktop computers and laptops to recover email messages. A recent off-line backup of the customer's accounting/MRP systems made it possible to restore these required applications and make them available to users again. Although significant work remained to recover completely from the Ryuk attack, core services were restored quickly:


"For the most part, the production operation was never shut down and we made all customer sales."

During the following few weeks, critical milestones in the restoration project were accomplished through tight collaboration between Progent team members and the customer:

  • In-house web sites were returned to operation without losing any data.
  • The MailStore Exchange Server, holding more than 4 million historical messages, was brought back on-line and made accessible to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables/Inventory Control functions were fully functional.
  • A new Palo Alto 850 firewall was installed and configured.
  • Most of the desktops and laptops were back into operation.

"So much of what happened those first few days is nearly entirely a blur for me, but my management will not forget the urgency all of you accomplished to give us our business back. I've been working with Progent for at least 10 years, possibly more, and every time I needed help Progent has come through and delivered. This time was a Herculean accomplishment."

Conclusion
A likely business-killing catastrophe was evaded due to hard-working experts, a broad array of knowledge, and tight collaboration. Although post-incident forensics showed that the crypto-ransomware penetration detailed here should have been blocked by up-to-date security solutions, NIST Cybersecurity Framework best practices, user training, and appropriate incident response procedures for data backup and proper patching controls, the fact remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has proven experience in crypto-ransomware virus defense, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for allowing me to get some sleep after we got past the first week. All of you did an impressive job, and if any of your team is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Greensboro a portfolio of online monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services utilize next-generation AI technology to detect zero-day variants of ransomware that can get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior-based analysis tools to defend physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely get by traditional signature-based AV products. ProSight ASM protects on-premises and cloud resources and offers a unified platform to automate the complete threat lifecycle including protection, detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge tools packaged within a single agent accessible from a unified control. Progent's security and virtualization consultants can assist your business to design and implement a ProSight ESP deployment that addresses your company's unique needs and that helps you achieve and demonstrate compliance with government and industry information protection regulations. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require urgent attention. Progent can also help you to install and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup software companies to create ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your data backup operations and enable non-disruptive backup and rapid restoration of important files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business recover from data loss caused by hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned employees, or application glitches. Managed services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security vendors to deliver web-based management and comprehensive security for all your inbound and outbound email. The hybrid architecture of Email Guard managed service combines a Cloud Protection Layer with a local gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from reaching your security perimeter. This reduces your vulnerability to inbound threats and saves system bandwidth and storage space. Email Guard's on-premises gateway device provides a further level of analysis for inbound email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to monitor and protect internal email traffic that stays within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, track, reconfigure and debug their connectivity hardware such as routers, firewalls, and access points plus servers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology maps are always current, captures and manages the configuration of almost all devices connected to your network, monitors performance, and generates alerts when potential issues are discovered. By automating tedious management processes, WAN Watch can knock hours off ordinary tasks such as network mapping, expanding your network, finding appliances that need critical updates, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your network operating efficiently by checking the health of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT management staff and your Progent engineering consultant so that all looming issues can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard information related to your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSL certificates, domains, or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate as much as half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require when you need it. Learn more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates cutting-edge behavior analysis technology to defend endpoint devices and physical and virtual servers against modern malware assaults such as ransomware and email phishing, which routinely get by legacy signature-based AV tools. Progent Active Security Monitoring services protect local and cloud resources and provide a unified platform to automate the complete threat progression including filtering, identification, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Learn more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Help Desk: Call Center Managed Services
    Progent's Help Desk managed services allow your IT group to offload Call Center services to Progent or divide Help Desk activity seamlessly between your internal support team and Progent's nationwide pool of certified IT service technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a transparent supplement to your in-house IT support resources. End user interaction with the Help Desk, provision of support services, escalation, ticket generation and tracking, efficiency measurement, and management of the support database are cohesive regardless of whether incidents are resolved by your core IT support organization, by Progent's team, or both. Read more about Progent's outsourced/shared Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management offer businesses of all sizes a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic information network. In addition to maximizing the security and functionality of your computer environment, Progent's patch management services permit your IT staff to concentrate on more strategic projects and tasks that deliver the highest business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA services utilize Cisco's Duo technology to protect against password theft through the use of two-factor authentication (2FA). Duo supports one-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. With 2FA, whenever you sign into a secured online account and give your password, you are requested to verify who you are via a device that only you possess and that uses a different ("out-of-band") network channel. A wide range of out-of-band devices can be utilized for this added means of authentication, such as a smartphone or wearable, a hardware token, or a landline telephone. You can designate multiple verification devices. For more information about Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing line of in-depth management reporting utilities created to work with the industry's leading ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues such as spotty support follow-through or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24x7 Greensboro Crypto-Ransomware Remediation Support Services, contact Progent at 800-462-8800 or go to Contact Progent.