Crypto-Ransomware : Your Crippling Information Technology Nightmare
Ransomware Recovery Consultants
Ransomware has become a modern cyber pandemic that poses an enterprise-level danger for organizations unprepared for an assault. Multiple generations of ransomware like the CrySIS, WannaCry, Locky, SamSam and MongoLock cryptoworms have been replicating for a long time and still cause harm. Newer versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, as well as daily as yet unnamed malware, not only encrypt online data files but also infiltrate all configured system backups. Files synchronized to the cloud can also be corrupted. In a poorly architected system, this can render any restoration hopeless and basically set the network back to square one.

Getting programs and information back online following a crypto-ransomware event becomes a race against time as the targeted business tries its best to stop lateral movement, clear the virus, and restore enterprise-critical activity. Because ransomware requires time to move laterally, attacks are frequently launched during nights and weekends, when they may take longer to discover. This compounds the difficulty of promptly marshalling and organizing a capable mitigation team.

Progent makes available a range of help services for securing organizations from ransomware attacks. Among these are team member education to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of next-generation security appliances with AI technology from SentinelOne to detect and extinguish zero-day threats rapidly. Progent also can provide the services of veteran ransomware recovery engineers with the track record and commitment to re-deploy a compromised network as quickly as possible.

Progent's Ransomware Recovery Support Services
Soon after a ransomware attack, sending the ransom in cryptocurrency does not provide any assurance that cyber criminals will provide the keys to decipher any or all of your files. Kaspersky ascertained that 17% of crypto-ransomware victims never recovered their information even after having paid the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to set up from scratch the critical parts of your Information Technology environment. Without the availability of essential data backups, this requires a broad range of skill sets, top notch project management, and the capability to work non-stop until the task is complete.

For two decades, Progent has provided certified expert IT services for companies in Baton Rouge and across the United States and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally-recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with financial systems and ERP software solutions. This breadth of experience affords Progent the capability to quickly ascertain critical systems and integrate the surviving components of your computer network system after a ransomware event and configure them into an operational network.

Progent's recovery team of experts deploys top notch project management systems to coordinate the sophisticated recovery process. Progent appreciates the importance of acting quickly and in unison with a customer's management and Information Technology staff to assign priority to tasks and to put the most important applications back on line as fast as humanly possible.

Case Study: A Successful Ransomware Intrusion Restoration
A client contacted Progent after their network system was crashed by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state hackers, suspected of using techniques leaked from the U.S. NSA organization. Ryuk attacks specific companies with little or no tolerance for operational disruption and is among the most lucrative iterations of ransomware viruses. Well-known targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in Chicago with around 500 workers. The Ryuk event had paralyzed all business operations and manufacturing processes. Most of the client's information backups had been online at the beginning of the intrusion and were encrypted. The client was preparing to pay the ransom (exceeding $200K) and hoping for the best, but ultimately made the decision to use Progent.


"I can't tell you enough about the support Progent provided us throughout the most fearful period of (our) business's survival. We would have paid the cyber criminals except for the confidence the Progent group provided us. The fact that you could get our messaging and important applications back on-line quicker than seven days was incredible. Each expert I worked with or texted at Progent was absolutely committed to getting us restored and was working 24 by 7 to bail us out."

Progent worked together with the client to quickly identify and prioritize the critical elements that had to be addressed to make it possible to restart business operations:

  • Microsoft Active Directory
  • E-Mail
  • Accounting/MRP

To begin, Progent followed industry best practices for malware incident containment by stopping the spread and removing active viruses. Progent then initiated the work of bringing Microsoft AD back online, the foundation of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Windows AD, and the client's financials and MRP applications leveraged SQL Server, which depended on Active Directory for authentication and authorization to the data.

In less than two days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then completed setup and hard drive recovery on essential servers. All Exchange Server schema and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to find local OST data files (Outlook Email Offline Data Files) on team desktop computers to recover email information. A fairly recent off-line backup of the client's accounting/ERP software made it possible to bring these required services back on-line. Although a lot of work still had to be done to recover completely from the Ryuk attack, core services were recovered rapidly:


"For the most part, the manufacturing operation did not miss a beat and we produced all customer shipments."

Throughout the next couple of weeks key milestones in the restoration project were achieved through tight collaboration between Progent team members and the customer:

  • In-house web sites were brought back up with no loss of information.
  • The MailStore archive server, holding more than 4 million historical messages, was spun up and made accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory functions were completely restored.
  • A new Palo Alto 850 firewall was installed and configured.
  • Nearly all of the desktops and laptops were operational.

"A lot of what went on that first week is nearly entirely a fog for me, but my management will not forget the commitment each and every one of your team accomplished to help get our company back. I have been working together with Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered. This time was a stunning achievement."

Conclusion
A potential business-killing catastrophe was dodged due to results-oriented professionals, a broad spectrum of knowledge, and close teamwork. Although in retrospect the crypto-ransomware virus incident detailed here could have been identified and prevented with current cyber security systems and recognized best practices, team training, and appropriate security procedures for information backup and proper patching controls, the reality remains that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and will continue their attacks. If you do fall victim to a ransomware virus, remember that Progent's roster of experts has proven experience in ransomware virus defense, remediation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for letting me get rested after we made it over the most critical parts. All of you did an amazing job, and if any of your team is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Baton Rouge a portfolio of online monitoring and security assessment services to help you minimize your vulnerability to ransomware. These services incorporate next-generation machine learning capability to detect zero-day strains of crypto-ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next-generation behavioral machine learning technology to defend physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform to address the entire malware attack lifecycle including blocking, identification, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP provides firewall protection, penetration alarms, device management, and web filtering via leading-edge tools packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can help you design and implement a ProSight ESP deployment that meets your company's specific needs and that allows you to achieve and demonstrate compliance with legal and industry data security regulations. Progent will help you define and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also help your company install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software companies to create ProSight Data Protection Services (DPS), a portfolio of management offerings that deliver backup-as-a-service. ProSight DPS services automate and track your data backup processes and enable non-disruptive backup and rapid recovery of critical files/folders, apps, system images, plus VMs. ProSight DPS lets you recover from data loss resulting from equipment failures, natural calamities, fire, malware such as ransomware, human mistakes, ill-intentioned insiders, or application glitches. Managed services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security vendors to provide web-based management and world-class protection for all your email traffic. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and keeps most threats from making it to your security perimeter. This reduces your vulnerability to external threats and saves system bandwidth and storage space. Email Guard's on-premises gateway device provides a deeper level of analysis for incoming email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also assist Microsoft Exchange Server to track and safeguard internal email that originates and ends inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, monitor, optimize and troubleshoot their networking hardware like switches, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are always updated, copies and displays the configuration information of almost all devices on your network, monitors performance, and sends alerts when problems are detected. By automating time-consuming network management processes, WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, finding devices that need important updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to keep your network operating efficiently by tracking the state of vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT management staff and your assigned Progent consultant so all looming issues can be addressed before they have a chance to disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host set up and managed by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hardware solution without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and protect information about your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can eliminate up to half of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Learn more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates next-generation behavior-based analysis tools to defend endpoints and physical and virtual servers against new malware assaults such as ransomware and email phishing, which easily escape legacy signature-based anti-virus tools. Progent ASM services protect local and cloud-based resources and offer a single platform to automate the entire malware attack lifecycle including protection, identification, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Service Desk: Help Desk Managed Services
    Progent's Help Desk managed services allow your IT staff to outsource Call Center services to Progent or divide responsibilities for Help Desk services transparently between your internal support resources and Progent's nationwide roster of IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless supplement to your corporate network support staff. Client interaction with the Service Desk, delivery of support services, issue escalation, trouble ticket creation and updates, efficiency measurement, and management of the support database are cohesive regardless of whether incidents are taken care of by your internal support resources, by Progent's team, or by a combination. Find out more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management offer organizations of all sizes a flexible and affordable solution for evaluating, testing, scheduling, implementing, and tracking updates to your dynamic information system. In addition to maximizing the protection and functionality of your IT network, Progent's patch management services allow your IT staff to focus on more strategic initiatives and tasks that derive maximum business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication (2FA). Duo enables single-tap identity verification with iOS, Google Android, and other personal devices. Using 2FA, when you log into a secured application and give your password you are asked to confirm your identity on a device that only you possess and that is reached over a separate network channel. A wide selection of devices can be utilized for this added means of ID validation, such as an iPhone, Android phone or wearable, a hardware token, or a landline phone. You may register multiple validation devices. For more information about ProSight Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of real-time management reporting tools created to integrate with the industry's top ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues such as inconsistent support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.

For 24x7x365 Baton Rouge Crypto-Ransomware Removal Consulting, contact Progent at 800-462-8800 or go to Contact Progent.