Crypto-Ransomware : Your Worst Information Technology Disaster
Ransomware Recovery Professionals
Ransomware has become a too-frequent cyberplague that represents an enterprise-level threat for businesses of all sizes that are poorly prepared for an assault. Different versions of crypto-ransomware such as CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms have been in the wild for many years and continue to cause havoc. Modern variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Egregor, plus additional unnamed strains, not only encrypt on-line critical data but also infiltrate many available system restore points and backups. Data synchronized to the cloud can also be ransomed. In a vulnerable system, this can make automatic restore operations impossible and essentially sets the datacenter back to square one.

Recovering applications and information following a ransomware outage becomes a sprint against time as the targeted business struggles to stop lateral movement, remove the ransomware, and restore business-critical operations. Because crypto-ransomware needs time to move laterally, assaults are usually launched during weekends and nights, when successful attacks typically take longer to discover. This compounds the difficulty of promptly assembling and orchestrating a qualified mitigation team.

Progent provides a variety of solutions for protecting organizations from crypto-ransomware attacks. Among these are user training to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security appliances with machine-learning technology from SentinelOne to identify and quarantine zero-day cyber threats intelligently. Progent can also provide the assistance of expert ransomware recovery professionals with the talent and commitment to restore a breached system as quickly as possible.

Progent's Ransomware Restoration Help
After a crypto-ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that merciless criminals will respond with the keys to decrypt any of your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual crypto-ransomware demand, which ZDNet estimates to be in the range of $13,000. The alternative is to rebuild the mission-critical parts of your Information Technology environment. Without usable system backups, this requires a wide range of skills, top-notch team management, and the capability to work 24x7 until the task is finished.

For twenty years, Progent has made available certified expert IT services for businesses in Chatsworth and throughout the US and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned high-level industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the skills to knowledgeably identify necessary systems, re-organize the surviving pieces of your IT system following a crypto-ransomware attack, and rebuild them into a functioning network.

Progent's recovery team has top notch project management tools to coordinate the complicated restoration process. Progent appreciates the urgency of working swiftly and in unison with a customer's management and IT staff to prioritize tasks and to put essential applications back online as soon as possible.

Business Case Study: A Successful Ransomware Virus Restoration
A business engaged Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean state hackers, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is among the most lucrative examples of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business headquartered in Chicago with about 500 employees. The Ryuk penetration had brought down all essential business operations and manufacturing processes. The majority of the client's data backups had been on-line at the start of the attack and were damaged. The client was considering paying the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but ultimately called Progent.

"I cannot speak enough in regards to the care Progent provided us throughout the most fearful time of (our) business's survival. We had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and critical applications back in less than a week was earth shattering. Every single consultant I got help from or e-mailed at Progent was hell-bent on getting us operational and was working 24/7 to bail us out."

Progent worked together with the customer to rapidly identify and prioritize the essential areas that needed to be addressed in order to restart departmental functions:

  • Active Directory
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software

To start, Progent followed incident response best practices by isolating and cleaning up compromised systems. Progent then began the process of bringing Microsoft Active Directory back online, since AD is the core of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not operate without AD, and the customer's financials and MRP system relied on Microsoft SQL Server, which depends on Windows AD to authenticate access to the data.

In less than 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then charged ahead with reinstallations and hard-drive recovery of critical systems. All Exchange schema and configuration information was usable, which greatly helped the restoration of Exchange. Progent was able to locate local OST files (Microsoft Outlook Offline Data Files) on user PCs and laptops to recover mail data. A relatively recent offline backup of the client's manufacturing systems made it possible to bring these required services back online. Although significant work remained to recover fully from the Ryuk virus, critical services were returned to operation quickly:

"For the most part, the manufacturing operation did not miss a beat and we made all customer sales."

During the next month, critical milestones in the restoration process were accomplished through tight collaboration between Progent consultants and the client:

  • In-house web sites were returned to operation without losing any information.
  • The MailStore Server with over four million historical emails was restored to operations and available for users.
  • CRM, Customer Orders, Invoices, Accounts Payable, Accounts Receivable, and Inventory Control capabilities were 100 percent operational.
  • A new Palo Alto 850 security appliance was installed.
  • Most of the desktop computers were operational.

"Much of what went on in the early hours is mostly a blur for me, but I will not soon forget the care all of you took to give us our company back. I have been working with Progent for at least 10 years, maybe more, and each time Progent has shined and delivered. This situation was a testament to your capabilities."

Conclusion
A likely business-ending disaster was averted by dedicated professionals, a wide spectrum of technical expertise, and tight collaboration. Although in retrospect the ransomware penetration described here could have been blocked with modern security systems, ISO/IEC 27001 best practices, team training, appropriate information-protection procedures, and keeping systems up to date with security patches, the reality remains that government-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by ransomware, you can be confident that Progent's roster of professionals has proven experience in ransomware blocking, removal, and file recovery.

"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for making it so I could get some sleep after we made it through the initial fire. Everyone made an incredible effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, see Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Chatsworth with a variety of online monitoring and security assessment services to help you reduce the threat from ransomware. These services incorporate modern AI capabilities to detect new strains of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next-generation behavior-analysis tools to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which easily escape legacy signature-matching AV products. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to address the complete malware attack lifecycle, including blocking, identification, mitigation, cleanup, and forensics. Top features include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services deliver affordable in-depth protection for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning to continuously monitor and respond to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, device control, and web filtering via cutting-edge technologies incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can help you design and implement a ProSight ESP environment that addresses your company's specific requirements and that helps you achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent's consultants can also help your company install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with advanced backup/restore software companies to produce ProSight Data Protection Services, a selection of management offerings that deliver backup-as-a-service. ProSight DPS products manage and monitor your backup operations and allow non-disruptive backup and rapid recovery of important files/folders, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets you avoid data loss resulting from hardware failures, natural calamities, fire, cyber attacks like ransomware, user mistakes, malicious employees, or application bugs. Managed backup services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security vendors to deliver centralized management and world-class security for your inbound and outbound email. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway device to offer complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email from ever reaching your network firewall. This reduces your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway device provides a deeper level of analysis for incoming email. For outgoing email, the onsite gateway offers AV and anti-spam protection, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map, track, reconfigure and troubleshoot their networking hardware like routers and switches, firewalls, and access points plus servers, printers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are always updated, captures and manages the configuration information of almost all devices on your network, tracks performance, and generates notices when problems are discovered. By automating tedious network management processes, WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, locating appliances that require important software patches, or resolving performance issues. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating efficiently by checking the state of vital assets that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so any looming problems can be resolved before they can disrupt your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hardware environment without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect information related to your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can eliminate up to half of the time spent searching for critical information about your IT network. ProSight IT Asset Management features a common repository for storing and sharing all documents related to managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require when you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting-edge behavior-based machine learning tools to guard endpoints as well as servers and VMs against modern malware assaults such as ransomware and file-less exploits, which easily escape legacy signature-based anti-virus tools. Progent ASM services safeguard on-premises and cloud resources and provide a single platform to address the entire threat progression, including filtering, infiltration detection, mitigation, cleanup, and forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Service Center: Call Center Managed Services
    Progent's Call Desk services enable your information technology group to offload Support Desk services to Progent or divide activity for Help Desk services transparently between your internal network support resources and Progent's nationwide pool of certified IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a transparent supplement to your corporate support team. Client access to the Help Desk, provision of support services, escalation, trouble ticket generation and updates, efficiency metrics, and management of the support database are cohesive whether issues are taken care of by your corporate support resources, by Progent's team, or by a combination. Read more about Progent's outsourced/co-managed Call Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide businesses of any size a flexible and cost-effective solution for assessing, testing, scheduling, implementing, and documenting updates to your ever-evolving information system. Besides maximizing the protection and reliability of your computer network, Progent's software/firmware update management services allow your IT team to focus on line-of-business initiatives and tasks that derive the highest business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo authentication services utilize Cisco's Duo technology to protect against password theft by using two-factor authentication. Duo enables one-tap identity verification on iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you log into a protected application and give your password, you are asked to confirm your identity on a device that only you have and that is reached over a separate network channel. A wide selection of out-of-band devices can be used as this second form of authentication, including an iPhone, an Android phone, a wearable, a hardware or software token, or a landline phone. You may register multiple verification devices. To find out more about ProSight Duo two-factor identity validation services, see Duo MFA two-factor authentication (2FA) services.

For Chatsworth 24x7x365 crypto-ransomware recovery experts, contact Progent at 800-462-8800 or go to Contact Progent.