Crypto-Ransomware : Your Feared Information Technology Nightmare
Ransomware Remediation Consultants
Ransomware has become an all-too-frequent cyber pandemic and an enterprise-level threat for businesses of every size that are unprepared for an attack. Older crypto-ransomware families such as CryptoLocker, Fusob, Bad Rabbit, Syskey and MongoLock have circulated for years and continue to inflict damage. The latest strains, including Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Nefilim, plus a daily stream of unnamed malware, not only encrypt online data but also attack configured system protection, deleting shadow copies and encrypting any backups they can reach. Files replicated to the cloud can be ransomed as well. With a poorly designed data protection solution, this can make automated restoration impossible and effectively sets the network back to zero.

Recovering applications and data after a ransomware intrusion becomes a race against time as the targeted business tries to stop lateral movement, remove the ransomware, and resume business-critical operations. Because ransomware needs time to spread and encrypt, attacks are usually launched at night or on weekends, when intrusions take longer to notice. This compounds the difficulty of rapidly assembling and coordinating an experienced mitigation team.
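The timing point above is exactly what a file-activity detection should exploit: an encryption run shows up as one host or account rewriting many files in seconds, all acquiring the same unfamiliar extension, often outside business hours. The following Python sketch is an added example, not part of Progent's page or any Progent service. It assumes file-server write/rename telemetry in a constructed "time,host,user,action,path" format, a hypothetical allowlist of ordinary document extensions, and a 60-second sliding window; the sample events are invented for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath

# Hypothetical allowlist: extensions that legitimately change on many files at
# once. An uncommon extension suddenly appearing on many files is the signal.
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".log", ".tmp"}

@dataclass
class FileEvent:
    time: datetime
    host: str
    user: str
    action: str
    path: str

    @property
    def ext(self) -> str:
        return PureWindowsPath(self.path).suffix.lower()

def parse_events(text: str) -> list:
    """Parse constructed 'ISO-time,host,user,action,path' lines."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, action, path = line.split(",", 4)
        events.append(FileEvent(datetime.fromisoformat(ts), host, user, action, path))
    return events

def is_off_hours(t: datetime) -> bool:
    """Weekend, or outside 07:00-19:00 on a weekday."""
    return t.weekday() >= 5 or not (7 <= t.hour < 19)

def detect_mass_encryption(events, window_s: int = 60, threshold: int = 10) -> list:
    """Alert when one host/user writes >= threshold distinct files that all
    acquire the same uncommon extension inside a sliding window of window_s
    seconds. Each alert is tagged with whether it happened off-hours."""
    alerts = []
    by_actor = defaultdict(list)
    for ev in events:
        if ev.action in ("write", "rename"):
            by_actor[(ev.host, ev.user)].append(ev)
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e.time)
        window = deque()
        for ev in evs:
            window.append(ev)
            while (ev.time - window[0].time).total_seconds() > window_s:
                window.popleft()
            files_by_ext = defaultdict(set)
            for e in window:
                if e.ext and e.ext not in COMMON_EXTENSIONS:
                    files_by_ext[e.ext].add(e.path)
            for ext, paths in files_by_ext.items():
                if len(paths) >= threshold:
                    alerts.append({
                        "host": host, "user": user, "extension": ext,
                        "files": len(paths), "first": window[0].time,
                        "last": ev.time, "off_hours": is_off_hours(ev.time),
                    })
                    window.clear()   # fire once per burst, then keep watching
                    break
    return alerts

# Constructed sample telemetry (not real logs): a Saturday 02:01 burst on a
# file server, followed by ordinary Monday-morning user activity.
SAMPLE_EVENTS = "\n".join(
    [f"2020-03-14T02:01:{i:02d},FS01,svc_backup,write,E:\\share\\acct\\doc{i}.xlsx.locked"
     for i in range(12)]
    + [
        "2020-03-16T10:15:00,WS042,jdoe,write,C:\\Users\\jdoe\\Documents\\notes.docx",
        "2020-03-16T10:16:30,WS042,jdoe,write,C:\\Users\\jdoe\\Documents\\budget.xlsx",
        "2020-03-16T10:17:05,WS042,jdoe,rename,C:\\Users\\jdoe\\Documents\\draft.docx",
    ]
)

if __name__ == "__main__":
    for alert in detect_mass_encryption(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the sample, the detector raises a single alert for FS01/svc_backup on the tenth distinct ".locked" file at 02:01 on a Saturday and stays silent for the weekday document edits. In production the threshold and allowlist need tuning per environment, and the alert should feed an automated isolation action rather than a mailbox that nobody reads at 2 a.m.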

Progent offers a range of services for protecting enterprises from ransomware attacks. Among these are staff training to recognize and avoid phishing lures, ProSight Active Security Monitoring for remote monitoring and management, and deployment and configuration of next-generation endpoint protection from SentinelOne that uses behavior-based AI to detect and stop new attacks automatically. Progent can also provide expert crypto-ransomware recovery engineers with the skills and perseverance to rebuild a breached system as quickly as possible.

Progent's Crypto-Ransomware Restoration Services
After a crypto-ransomware penetration, paying the ransom in cryptocurrency does not guarantee that the attackers will hand over the keys to decrypt all your files. Kaspersky found that seventeen percent of crypto-ransomware victims never recovered their files even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms are commonly a few hundred thousand dollars, and for larger enterprises the demand can run into the millions. The alternative is to rebuild the essential elements of your IT environment. Without access to complete, uncompromised backups, this requires a broad set of skills, well-coordinated project management, and the ability to work non-stop until the job is finished.

For twenty years, Progent has provided expert IT services to businesses across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity experts hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (See Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of experience allows Progent to knowledgeably identify critical systems, integrate the surviving parts of your network following a ransomware attack, and assemble them into a functioning whole.

Progent's security team uses top-notch project management systems to coordinate the complex recovery process. Progent appreciates the importance of acting quickly and in unison with a client's management and IT staff to prioritize tasks and bring the most important systems back online as soon as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A manufacturing business hired Progent after being hit by the Ryuk crypto-ransomware. Early analyses linked Ryuk to the Hermes ransomware associated with North Korea's Lazarus Group; later research attributes it to a Russian-speaking criminal operation (tracked by CrowdStrike as GRIM SPIDER, a cell of WIZARD SPIDER). Ryuk targets specific organizations that have little or no tolerance for operational disruption and is one of the most lucrative ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago with around 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing processes. Most of the client's backups had been online when the attack began and were eventually encrypted. The client was actively seeking loans to pay the ransom (in excess of $200,000) and hoping for the best, but in the end decided to engage Progent.


"I can't tell you enough about the expertise Progent gave us throughout the most critical period of (our) business's existence. We may have had to pay the cybercriminals if it wasn't for the confidence the Progent team gave us. That you could get our e-mail system and production applications back on-line in less than a week was incredible. Every single consultant I talked with or texted at Progent was totally committed to getting us restored and was working non-stop on our behalf."

Progent worked together with the customer to rapidly understand and prioritize the key services that had to be restored to make it possible to continue business functions:

  • Active Directory
  • Microsoft Exchange
  • Accounting/MRP
To start, Progent followed industry best practices for ransomware incident response by isolating affected systems and removing the active malware. Progent then began restoring Microsoft Active Directory, the core of enterprise networks built on Windows Server. Exchange will not operate without Active Directory, and the client's MRP software relied on Microsoft SQL Server, which used Active Directory for authentication to its data.

In less than 48 hours, Progent recovered Active Directory to its pre-attack state. Progent then assisted with rebuilding and disk recovery on the most important servers. Exchange Server's Active Directory objects and attributes were intact, which accelerated the Exchange restore. Progent was also able to collect unencrypted OST files (Outlook Offline Data Files) from staff PCs and laptops to recover email messages. A recent offline backup of the business's financial/ERP systems made it possible to bring these vital services back to users. Although major work remained to recover fully from Ryuk, critical services were restored quickly:
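Collecting OST files from workstations, as described above, only helps if you can tell quickly which copies survived. File names are a poor guide because ransomware renames what it encrypts, and a header check alone is not enough because some families encrypt only part of a large file. The Python below is an added example, not Progent's tooling and not from the case study; it triages candidate files by content. It relies on one documented fact, that every PST/OST file begins with the four-byte magic "!BDN" (the dwMagic field in Microsoft's MS-PST specification), plus a byte-entropy test on the body. The sample files are synthetic and the 7.5 bits-per-byte threshold is an assumption.

```python
import math
import random
from collections import Counter

# Every PST/OST file starts with this magic (MS-PST: dwMagic = "!BDN").
OST_MAGIC = b"!BDN"
SAMPLE_SIZE = 65536          # body bytes inspected for entropy after the header

def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Random-looking ciphertext approaches 8.0; a real OST,
    full of zeroed pages and repeated structure, sits well below that."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify_mailbox_file(data: bytes, entropy_limit: float = 7.5) -> str:
    """Triage one candidate Outlook data file by content, not by name:
    intact    - magic present and body looks structured
    partial   - magic present but body is high-entropy (header survived,
                body encrypted; a magic check alone would miss this)
    encrypted - magic missing and body is high-entropy
    unknown   - magic missing, body low-entropy (truncated, corrupt, not an OST)"""
    has_magic = data[:4] == OST_MAGIC
    body = data[512:512 + SAMPLE_SIZE]          # skip the header block itself
    high = shannon_entropy(body) > entropy_limit
    if has_magic:
        return "partial" if high else "intact"
    return "encrypted" if high else "unknown"

def triage(files: dict) -> dict:
    """Map each classification to the names of the files that fall into it."""
    buckets = {"intact": [], "partial": [], "encrypted": [], "unknown": []}
    for name, data in files.items():
        buckets[classify_mailbox_file(data)].append(name)
    return buckets

def constructed_samples() -> dict:
    """Synthetic stand-ins for files gathered from workstations (not real data)."""
    rnd = random.Random(20200314)                      # fixed seed: deterministic
    noise = lambda n: bytes(rnd.getrandbits(8) for _ in range(n))
    header = OST_MAGIC + b"\x00" * 508                  # magic plus a zeroed header
    structured = bytes(range(64)) * 1024               # repetitive, low-entropy pages
    return {
        "alice.ost": header + structured,              # survived untouched
        "bob.ost": header + noise(SAMPLE_SIZE),        # header kept, body encrypted
        "carol.ost.locked": noise(512) + noise(4096),  # fully encrypted and renamed
        "dave.ost": b"\x00" * 4096,                    # zero-filled: not usable
    }

if __name__ == "__main__":
    for bucket, names in triage(constructed_samples()).items():
        print(f"{bucket:>9}: {names}")
```

Only the "intact" bucket is worth feeding to mailbox recovery; "partial" files may still yield some messages with repair tools but should be handled last. Reading 64 KiB past the header keeps the check fast enough to run across hundreds of endpoints, and because the decision rests on content rather than extension, a file the attacker renamed or one that kept its original name both land in the right bucket.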


"For the most part, the production manufacturing operation ran fairly normal throughout and we made all customer deliverables."

During the next month critical milestones in the recovery process were accomplished in tight collaboration between Progent consultants and the client:

  • Self-hosted web applications were returned to operation without losing any data.
  • The MailStore Exchange Server containing more than four million archived messages was brought online and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory modules were completely restored.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Ninety percent of the user workstations were operational.

"So much of what was accomplished during the initial response is nearly entirely a haze for me, but our team will not forget the dedication each and every one of your team showed to help get our company back. I have been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A likely business-extinction event was averted through hard-working professionals, a broad spectrum of knowledge, and close collaboration. Although in hindsight the ransomware intrusion described here should have been detected and blocked with up-to-date security technology, ISO/IEC 27001 best practices, user training, appropriate incident response procedures for information protection, and timely security patching, the fact is that criminal and state-sponsored hacking groups from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incursion, be assured that Progent's roster of professionals has extensive experience in crypto-ransomware blocking, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), thanks very much for letting me get rested after we made it past the most critical parts. All of you made a fabulous effort, and if any of your team is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Eugene a portfolio of remote monitoring and security evaluation services to help you reduce your exposure to crypto-ransomware. These services include modern AI capability to uncover zero-day variants of crypto-ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that uses SentinelOne's next-generation behavior-based analysis to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely get past traditional signature-based anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a single platform for the entire threat lifecycle: protection, detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Because ransomware routinely deletes shadow copies before it encrypts, rollback depends on the agent blocking that deletion first, so the protection and rollback features work together rather than as separate options. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge tools packaged within a single agent accessible from a single console. Progent's security and virtualization consultants can help you design and implement a ProSight ESP environment that addresses your organization's unique needs and that helps you demonstrate compliance with government and industry data protection regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate attention. Progent can also help your company install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with leading backup/restore software companies to create ProSight Data Protection Services, a family of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your backup processes and enable non-disruptive backup and fast restoration of vital files, apps, system images, plus virtual machines. ProSight DPS lets you avoid data loss caused by hardware failures, natural calamities, fire, malware like ransomware, human error, ill-intentioned insiders, or application glitches. Managed backup services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security vendors to provide web-based control and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard combines cloud-based filtering with a local gateway device to provide advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's cloud filter serves as a first line of defense and blocks most threats before they reach your network firewall. This decreases your exposure to external attacks and saves bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper level of analysis for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Exchange Server track and safeguard internal email that stays within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to diagram, monitor, enhance and troubleshoot their networking appliances like switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that network maps are always current, captures and displays the configuration of almost all devices on your network, monitors performance, and generates alerts when problems are discovered. By automating tedious management processes, WAN Watch can cut hours off common chores such as network mapping, reconfiguring your network, finding devices that require important updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by tracking the state of critical computers that power your information system. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your designated IT staff and your assigned Progent engineering consultant so any looming problems can be resolved before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be moved quickly to a different hosting environment without a lengthy and technically risky reconfiguration. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard information related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL/TLS certificates or domain registrations. By cleaning up and organizing your IT documentation, you can eliminate as much as half of the time wasted searching for critical information about your network. ProSight IT Asset Management features a common location for storing and sharing all documents related to managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that uses cutting-edge behavior-based analysis to guard endpoint devices as well as physical and virtual servers against modern malware attacks like ransomware and email phishing, which easily escape legacy signature-based anti-virus products. The service safeguards local and cloud resources and provides a single platform to manage the entire threat lifecycle: protection, detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Center: Help Desk Managed Services
    Progent's Help Center managed services enable your IT staff to outsource Help Desk services to Progent or split activity for support services seamlessly between your internal network support resources and Progent's nationwide roster of IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a transparent supplement to your corporate IT support organization. End user interaction with the Help Desk, provision of support services, problem escalation, trouble ticket creation and updates, efficiency metrics, and maintenance of the support database are cohesive regardless of whether issues are taken care of by your core support group, by Progent, or a mix of the two. Learn more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT network. Besides optimizing the security and functionality of your IT environment, Progent's software/firmware update management services free up time for your in-house IT staff to concentrate on line-of-business initiatives and tasks that deliver the highest business value from your information network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication. Duo enables single-tap identity confirmation on iOS, Google Android, and other out-of-band devices. With 2FA, whenever you log in to a protected application and enter your password, you are asked to verify your identity via a device that only you have, over a separate network channel. A broad selection of devices can be used as this second factor, including an iPhone, an Android phone, a smartwatch, a hardware or software token, or a landline telephone. You may designate multiple verification devices. To learn more about Duo identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of real-time and in-depth reporting plug-ins created to work with the top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24-Hour Eugene Crypto-Ransomware Cleanup Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.