Crypto-Ransomware: Your Crippling Information Technology Nightmare
Crypto-ransomware has become a modern cyber pandemic that poses an extinction-level danger for businesses vulnerable to an assault. Multiple generations of crypto-ransomware, including the CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms, have been running rampant for years and continue to cause harm. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with unnamed newcomers, not only encrypt on-line information but also disable any configured system protection mechanisms. Data replicated to the cloud can also be ransomed. In a vulnerable system, this can render automated recovery impossible and knock the entire environment back to square one.

Getting applications and information back online after a ransomware event becomes a sprint against time as the targeted organization fights to contain the damage, clean up the crypto-ransomware, and resume mission-critical activity. Because ransomware needs time to spread, attacks are usually sprung during nights and weekends, when a successful penetration may take longer to detect. This compounds the difficulty of quickly marshalling and coordinating a capable response team.

Progent has a range of solutions for protecting organizations from crypto-ransomware events. These include user training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security solutions with machine learning technology from SentinelOne to identify and extinguish zero-day cyber threats automatically. Progent can also provide expert crypto-ransomware recovery consultants with the skills and perseverance to re-deploy a compromised environment as quickly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminal gang will provide the keys needed to decrypt any of your data. Kaspersky determined that 17% of ransomware victims never restored their files after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET averages at around $13,000. The fallback is to piece back together the essential components of your Information Technology environment. Without complete, intact backups, this calls for a wide range of skills, well-coordinated team management, and the ability to work continuously until the recovery project is complete.

For two decades, Progent has offered professional Information Technology services for companies in Eugene and throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have attained advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has experience in accounting and ERP applications. This breadth of experience gives Progent the skills to understand the necessary systems, organize the surviving pieces of your computer network following a ransomware event, and configure them into an operational system.

Progent's security group utilizes powerful project management tools to coordinate the complex recovery process. Progent appreciates the urgency of working rapidly and in unison with a client's management and IT staff to assign priority to tasks and to get critical systems back on line as fast as humanly possible.

Client Story: A Successful Crypto-Ransomware Incident Restoration
A customer hired Progent after their company was penetrated by the Ryuk ransomware. Ryuk is believed to have been deployed by North Korean government-sponsored criminal gangs, suspected of adopting techniques leaked from the United States NSA. Ryuk targets specific businesses with little or no room for operational disruption and is among the most lucrative examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with about 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing capabilities. Most of the client's data backups had been on-line at the start of the intrusion and were damaged. The client was taking steps to pay the ransom (in excess of $200K) and hoping for good luck, but in the end turned to Progent.


"I cannot speak enough in regards to the expertise Progent gave us throughout the most critical period of (our) company's survival. We had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent group afforded us. The fact that you were able to get our e-mail system and essential applications back sooner than five days was beyond my wildest dreams. Each expert I spoke to or texted at Progent was laser focused on getting us back on-line and was working day and night on our behalf."

Progent worked together with the client to quickly identify and prioritize the most important elements that had to be restored in order to restart departmental operations:

  • Microsoft Active Directory
  • Electronic Mail
  • MRP System

To start, Progent followed standard malware containment best practices by stopping the spread and performing malware removal steps. Progent then began the process of restoring Windows Active Directory, the foundation of enterprise networks built on Microsoft Windows technology. Microsoft Exchange email will not work without AD, and the business's MRP system used Microsoft SQL Server, which depends on Windows AD for authentication to the data.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then assisted with reinstallations and hard drive recovery of needed systems. All Microsoft Exchange Server data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Off-Line Data Files) from user desktop computers to recover email messages. A reasonably recent offline backup of the client's financials/MRP systems made it possible to bring these essential applications back online. Although significant work still had to be done to recover completely from the Ryuk virus, essential systems were returned to operation quickly:


"For the most part, the production manufacturing operation never missed a beat and we produced all customer orders."

Over the next month, key milestones in the recovery project were accomplished in close collaboration between Progent consultants and the customer:

  • Self-hosted web sites were brought back up with no loss of data.
  • The MailStore Server containing more than 4 million archived messages was restored to operations and available for users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables (AR)/Inventory Control functions were completely recovered.
  • A new Palo Alto 850 security appliance was brought online.
  • Nearly all of the user PCs were functioning as before the incident.

"So much of what transpired those first few days is mostly a haze for me, but I will not soon forget the countless hours all of you put in to help get our company back. I have utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered. This event was the most impressive ever."

Conclusion
A possible business-ending disaster was avoided thanks to hard-working experts, a wide spectrum of knowledge, and tight teamwork. Post-incident forensics showed that the ransomware penetration detailed here should have been blocked by current cybersecurity technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and properly executed procedures for information protection and software patching. Nevertheless, state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware incursion, remember that Progent's roster of experts has a proven track record in ransomware blocking, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), I'm grateful for allowing me to get rested after we got over the initial push. All of you made an impressive effort, and if any of you guys are around the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Eugene a portfolio of remote monitoring and security assessment services to help you reduce the threat from ransomware. These services use next-generation machine learning technology to detect zero-day strains of ransomware that can get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior-based analysis tools to defend physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily escape legacy signature-based AV products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a single platform to address the entire threat lifecycle including filtering, identification, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device management, and web filtering via leading-edge tools packaged within one agent accessible from a single console. Progent's data protection and virtualization experts can assist your business to plan and configure a ProSight ESP deployment that meets your company's specific needs and that allows you to achieve and demonstrate compliance with government and industry information security regulations. Progent will assist you to define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent's consultants can also assist you to install and test a backup and restore system such as ProSight Data Protection Services so you can get back in business rapidly after a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with leading backup technology companies to produce ProSight Data Protection Services, a family of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup operations and allow transparent backup and rapid restoration of critical files/folders, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business recover from data loss caused by equipment failures, natural disasters, fire, malware like ransomware, user mistakes, malicious insiders, or software glitches. Managed backup services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top information security companies to provide centralized management and comprehensive security for all your inbound and outbound email. The powerful architecture of Email Guard combines a Cloud Protection Layer with a local security gateway appliance to provide complete defense against spam, viruses, Denial of Service attacks, directory harvest attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of analysis for inbound email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises gateway can also assist Exchange Server to track and protect internal email that originates and ends within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to diagram, track, enhance and debug their connectivity appliances such as switches, firewalls, and access points plus servers, printers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, copies and displays the configuration information of almost all devices on your network, monitors performance, and sends notices when problems are detected. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, finding appliances that need important software patches, or resolving performance problems. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network operating efficiently by checking the health of critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your designated IT management staff and your Progent consultant so all looming problems can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Because the environment is virtualized, it can be moved immediately to a different hosting solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and protect data related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save as much as 50% of time wasted trying to find vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're making enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates next-generation behavior-based machine learning technology to defend endpoints, servers and VMs against new malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-matching AV tools. Progent ASM services safeguard local and cloud-based resources and offer a single platform to address the complete threat progression including protection, detection, containment, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Service Desk: Support Desk Managed Services
    Progent's Support Center managed services allow your IT staff to offload Help Desk services to Progent or divide responsibilities for Service Desk support seamlessly between your in-house support staff and Progent's extensive roster of IT service technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a smooth extension of your corporate network support resources. Client access to the Help Desk, provision of support services, issue escalation, trouble ticket creation and tracking, efficiency metrics, and management of the service database are cohesive whether incidents are taken care of by your in-house network support staff, by Progent, or by a combination. Learn more about Progent's outsourced/shared Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of any size a versatile and affordable alternative for assessing, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving information network. Besides optimizing the protection and functionality of your computer environment, Progent's software/firmware update management services free up time for your in-house IT staff to focus on line-of-business projects and activities that derive the highest business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services use Cisco's Duo technology to defend against stolen passwords through two-factor authentication (2FA). Duo enables one-tap identity confirmation on Apple iOS, Android, and other personal devices. With Duo 2FA, whenever you log into a protected online account and give your password, you are asked to confirm your identity on a device that only you possess and that is reached over a separate network channel. A wide range of out-of-band devices can be used as this added means of ID validation, such as an iPhone, Android phone or wearable, a hardware token, or a landline telephone. You can designate several validation devices. For details about Duo identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing suite of real-time and in-depth management reporting plug-ins designed to work with the industry's leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues like spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.

For 24x7 Eugene Crypto-Ransomware Removal Consulting, call Progent at 800-462-8800 or go to Contact Progent.