Crypto-Ransomware : Your Worst Information Technology Catastrophe
Ransomware has become a too-frequent cyber pandemic that presents an enterprise-level threat to businesses of any size that are poorly prepared for an attack. Several generations of ransomware, including Reveton, WannaCry, Locky, SamSam and MongoLock, have circulated for years and continue to cause damage. More recent families such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Nefilim, along with a steady stream of unnamed newcomers, not only encrypt critical online data but also seek out and encrypt or delete any reachable backups. Data synchronized to cloud storage can be encrypted as well, since the sync client faithfully uploads the encrypted versions. In a poorly designed environment this leaves nothing to restore from automatically and effectively knocks the entire system back to zero.

Recovering applications and data after a ransomware event is a race against the clock: the targeted organization must stop lateral movement, eradicate the ransomware, and resume mission-critical activity, all at once. Because crypto-ransomware needs time to spread laterally and stage before it detonates, attacks are frequently launched at night or over weekends, when an intrusion is likely to go unnoticed for longer. That timing also makes it harder to assemble and coordinate a capable response team quickly.

Progent offers an assortment of services for protecting organizations from ransomware attacks. These include user education to help staff recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for managed endpoint protection, and deployment of modern SentinelOne security tools that use machine learning to identify and quarantine new threats automatically. Progent can also provide veteran crypto-ransomware recovery engineers with the track record and perseverance to restore a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Help
After a ransomware intrusion, paying the ransom in Bitcoin provides no assurance that the criminals will hand over working decryption keys for any of your files. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. Paying is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet estimates at approximately $13,000. The alternative is to rebuild the essential elements of your IT environment. Without complete backups, that requires a broad set of skills, first-rate project management, and the ability to work non-stop until the job is done.

For two decades, Progent has provided certified expert IT services to businesses in Stamford and across the U.S. and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals holding advanced industry certifications in key technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security engineers hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP software. This breadth of expertise allows Progent to rapidly identify critical systems, consolidate the surviving components of your network after a crypto-ransomware attack, and configure them into a functioning environment.

Progent's recovery group uses up-to-date project management tooling to coordinate the complex recovery process. Progent understands the importance of acting quickly and in unison with the client's management and IT staff to prioritize tasks and bring critical services back online as fast as possible.

Client Story: A Successful Ransomware Attack Response
A business escalated to Progent after its network was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis tied its operators to a Russian-speaking criminal group, and its delivery chain has been reported to use exploits leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little or no tolerance for downtime and is one of the most lucrative ransomware operations. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a mid-sized manufacturing company headquartered in Chicago with around 500 employees. The Ryuk intrusion had taken down all essential business operations and manufacturing capability. Most of the client's backups had been online when the intrusion began and were destroyed. The client was actively seeking loans to pay the ransom demand (in excess of $200K) and hoping for the best, but in the end engaged Progent instead.


"I can't speak enough about the care Progent provided us during the most fearful time of (our) business's survival. We most likely would have paid the hackers behind this attack except for the confidence the Progent group afforded us. That you were able to get our e-mail and important servers back into operation sooner than 1 week was something I thought impossible. Each person I worked with or texted at Progent was hell bent on getting us back on-line and was working non-stop on our behalf."

Progent worked with the customer to quickly identify and prioritize the critical elements that had to be restored in order to resume departmental operations:

  • Microsoft Active Directory
  • Email
  • Financials/MRP
First, Progent followed incident-response best practice for malware outbreaks: contain the spread, then disinfect the affected systems. Progent then began recovering Microsoft Active Directory, the core of any environment built on Microsoft technology. Exchange messaging will not run without AD, and the customer's accounting and MRP applications ran on Microsoft SQL Server, which used Windows (AD) integrated authentication to control access to the data.

In less than two days, Progent rebuilt Windows Active Directory to its pre-intrusion state. Progent then completed the rebuild and storage recovery of the critical servers. All Exchange schema extensions and attributes in AD were intact, which simplified the Exchange rebuild. To recover mailbox data, Progent located the local OST files (Outlook Offline Data Files) cached on staff workstations. A reasonably recent offline backup of the client's financials/ERP systems made it possible to bring those essential applications back online. Although much work remained to recover completely from Ryuk, the most important systems were back in operation quickly:


"For the most part, the manufacturing operation did not miss a beat and we produced all customer shipments."
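
The OST recovery step above depends on knowing which workstation caches actually survived. The following PowerShell inventory is an added example, not Progent's tooling or anything from the case study: it enumerates OST files across a list of workstations and checks each file's header, because ransomware that encrypts in place leaves the file name alone but destroys the first bytes. It assumes PowerShell Remoting (WinRM) is enabled on the targets and that the account running it has local administrator rights there; the target list is a constructed sample.

```powershell
# Added example (not Progent's or the client's code): inventory Outlook OST caches on
# workstations and flag files whose header no longer matches an Outlook data file.
# Assumptions: WinRM enabled on targets; caller is a local admin on each target.

# Constructed sample target list. In a real recovery, pull it from the rebuilt AD, e.g.:
#   $Targets = (Get-ADComputer -Filter 'OperatingSystem -like "*Windows 10*"').Name
$Targets = 'WS-001', 'WS-002'

$Inventory = Invoke-Command -ComputerName $Targets -ErrorAction Continue -ScriptBlock {
    # Outlook data files (PST and OST) start with the 4-byte signature "!BDN".
    $ExpectedHeader = '21-42-44-4E'

    Get-ChildItem -Path 'C:\Users\*\AppData\Local\Microsoft\Outlook\*.ost' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $headerIntact = $null   # stays $null when the file cannot be opened (e.g. Outlook has it locked)
            try {
                # Open read-only with a permissive share mode so a running Outlook does not block us.
                $stream = [System.IO.File]::Open($file.FullName, 'Open', 'Read', 'ReadWrite')
                try {
                    $buffer = New-Object byte[] 4
                    $read = $stream.Read($buffer, 0, 4)
                    $headerIntact = ($read -eq 4) -and
                                    ([System.BitConverter]::ToString($buffer) -eq $ExpectedHeader)
                } finally {
                    $stream.Dispose()
                }
            } catch {
                Write-Warning "$($env:COMPUTERNAME): cannot read $($file.FullName): $($_.Exception.Message)"
            }

            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                Path          = $file.FullName
                SizeMB        = [math]::Round($file.Length / 1MB, 1)
                LastWriteTime = $file.LastWriteTime
                HeaderIntact  = $headerIntact
            }
        }
}

# Intact, recently written caches first; a LastWriteTime inside the attack window deserves a second look.
$Inventory |
    Sort-Object -Property HeaderIntact, LastWriteTime -Descending |
    Format-Table Computer, Path, SizeMB, LastWriteTime, HeaderIntact -AutoSize
```

A file with HeaderIntact equal to $false was encrypted in place and is not usable. Note that an OST is not a portable archive like a PST: it is bound to the mailbox profile that created it, so plan the export step (re-creating the profile against the rebuilt mailbox and exporting from Outlook, or using an OST-to-PST conversion tool) before any workstation is re-imaged.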

Over the following month, the key milestones of the recovery project were completed through close collaboration between Progent's team and the customer:

  • In-house web applications were restored with no loss of information.
  • The MailStore email archive server, holding over four million archived messages, was restored and made available to users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory functions were completely operational.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • Ninety percent of the user desktops and notebooks were being used by staff.

"So much of what transpired those first few days is nearly entirely a blur for me, but we will not forget the urgency each and every one of the team put in to give us our company back. I've utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This event was a life saver."

Conclusion
A potentially company-ending disaster was averted by top-tier experts, a wide range of technical expertise, and close collaboration. In hindsight, the intrusion described here should have been detected and stopped by modern security tooling, by following the NIST Cybersecurity Framework or ISO/IEC 27001, by user education, and by well-designed procedures for data protection and patch management. The fact remains that criminal and state-sponsored groups in Russia, North Korea, China and elsewhere are tireless and will keep attacking. If you do fall victim to a crypto-ransomware intrusion, you can rely on Progent's team of experts, who have proven experience in crypto-ransomware defense, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for allowing me to get some sleep after we got through the initial push. Everyone did an amazing effort, and if any of your team is around the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Stamford a range of remote monitoring and security assessment services to help you minimize your exposure to crypto-ransomware. These services use next-generation machine learning to detect zero-day ransomware strains that get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that uses SentinelOne's behavioral analysis technology to defend physical and virtual endpoints against modern malware such as ransomware and fileless exploits, which routinely evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to manage the complete threat lifecycle: prevention, intrusion detection, mitigation, remediation, and forensics. Key features include single-click rollback using the Windows Volume Shadow Copy Service and real-time network-wide immunization against newly detected attacks. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer affordable in-depth security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring of and response to cyber attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through technologies combined in a single agent managed from a single console. Progent's data protection and virtualization experts can help your business design and configure a ProSight ESP deployment that addresses your organization's specific needs and helps you demonstrate compliance with government and industry data protection standards. Progent will help you define and configure the policies ProSight ESP enforces, monitor your IT environment, and respond to alerts that require immediate attention. Progent's consultants can also help you set up and verify a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly after a destructive attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with leading backup/restore technology vendors to create ProSight Data Protection Services, a portfolio of managed plans that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup operations and enable transparent backup and rapid recovery of important files and folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss caused by equipment failure, natural disasters, fire, malware such as ransomware, human error, malicious insiders, or application bugs. Managed services in the ProSight DPS line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these managed backup services best fit your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security vendors to deliver web-based management and strong protection for your email traffic. Email Guard combines cloud-based filtering with an on-premises gateway appliance to protect against spam, viruses, email-based Denial of Service (DoS) attacks, directory harvest attacks, and other email-borne threats. Email Guard's Cloud Protection Layer acts as the first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter, which reduces your exposure to inbound attacks and conserves bandwidth and storage. Email Guard's on-premises security gateway adds a further layer of inspection for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam scanning, data leak protection, and email encryption. The on-site gateway can also work with Exchange Server to monitor and protect internal email that never leaves your perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map, monitor, optimize and troubleshoot their connectivity appliances like routers, firewalls, and load balancers as well as servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are always updated, copies and manages the configuration information of almost all devices on your network, tracks performance, and sends alerts when problems are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can knock hours off common tasks like network mapping, expanding your network, locating devices that require important software patches, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your network running efficiently by tracking the health of the vital computers that power your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT management staff and your Progent engineering consultant so that emerging issues can be addressed before they affect your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a fast virtual host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client owns the data, the operating systems, and the applications. Because the environment is virtualized, it can be migrated quickly to alternate hardware without a time-consuming and difficult reconfiguration. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and protect information about your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL/TLS certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of the time spent searching for critical information about your network. ProSight IT Asset Management provides a centralized repository for storing and collaborating on all the documents required to manage your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and correlating IT data. Whether you're making enhancements, performing routine maintenance, or responding to an emergency, ProSight IT Asset Management gives you the information you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that uses next-generation behavioral analysis to defend endpoint devices, servers and VMs against modern malware such as ransomware and phishing payloads, which easily slip past legacy signature-based anti-virus products. The service protects on-premises and cloud-based resources and provides a unified platform that automates the complete threat lifecycle: filtering, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using the Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Find out more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Service Center: Help Desk Managed Services
    Progent's Help Desk managed services allow your IT team to outsource Help Desk services to Progent or to split support transparently between your internal network support group and Progent's extensive pool of IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service acts as a transparent extension of your corporate IT support team. Client interaction with the Help Desk, delivery of support, problem escalation, ticket creation and tracking, performance measurement, and maintenance of the support knowledge base are consistent regardless of whether issues are handled by your in-house IT support organization, by Progent's team, or by a mix of the two. Read more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of any size a flexible and cost-effective solution for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT network. In addition to optimizing the security and functionality of your computer network, Progent's patch management services allow your in-house IT staff to concentrate on line-of-business initiatives and activities that derive the highest business value from your network. Find out more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication managed services use Cisco's Duo technology to defend against stolen passwords with two-factor authentication. Duo supports single-tap identity verification on Apple iOS, Android, and other out-of-band devices. With 2FA, when you sign in to a protected account and enter your password you are asked to confirm your identity on a device that only you possess and that communicates over a separate channel. A broad range of out-of-band devices can serve as this second factor, such as an iPhone, an Android phone, a smartwatch, a hardware token, or a landline phone, and you can register several verification devices. For details about Duo two-factor identity validation services, refer to Duo MFA two-factor authentication services.
For 24x7 Stamford Crypto-Ransomware Recovery Consultants, call Progent at 800-462-8800 or go to Contact Progent.