Crypto-Ransomware : Your Feared IT Catastrophe
Ransomware Remediation Experts
Ransomware has become an escalating cyber pandemic that poses an existential danger to businesses of all sizes that are unprepared for an attack. Multiple generations of ransomware such as the Dharma, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been circulating for a long time and continue to cause damage. Newer ransomware variants such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with new, as yet unnamed strains appearing daily, not only encrypt online data but also infiltrate any system backups they can reach. Data synchronized to cloud environments can also be ransomed. In a poorly designed environment, this can render automated restoration hopeless and effectively knocks the network back to square one.

Retrieving applications and data following a ransomware intrusion becomes a sprint against time as the targeted business fights to contain the damage, remove the ransomware, and restore mission-critical operations. Because crypto-ransomware takes time to replicate, attacks are often launched at night, when penetrations typically take longer to notice. This compounds the difficulty of promptly marshalling and organizing a knowledgeable mitigation team.

Progent offers an assortment of services for securing businesses against crypto-ransomware events. Among these are team training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of AI-powered security solutions from SentinelOne to discover and extinguish new threats rapidly. Progent also provides the services of veteran ransomware recovery professionals with the skills and commitment to restore a breached network as urgently as possible.

Progent's Ransomware Recovery Services
Following a ransomware event, paying the ransom demand in Bitcoin does not guarantee that the distant criminals will provide the keys to decrypt all your files. Kaspersky determined that 17% of crypto-ransomware victims never recovered their information even after paying the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average crypto-ransomware demand, which ZDNET estimates to be in the range of $13,000. The other path is to piece back together the essential components of your IT environment. Without the availability of essential system backups, this calls for a broad complement of skill sets, top-notch project management, and the ability to work non-stop until the recovery project is complete.

For twenty years, Progent has offered certified expert IT services for companies in Fargo and throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained high-level certifications in foundation technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity specialists have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has expertise in accounting and ERP software solutions. This breadth of expertise gives Progent the capability to knowledgeably understand the necessary systems, re-organize the remaining components of your network after a crypto-ransomware penetration, and rebuild them into a functioning system.

Progent's recovery team has powerful project management applications to coordinate the complex restoration process. Progent understands the importance of acting quickly and in concert with a customer's management and IT team members to prioritize tasks and to put the most important systems back online as fast as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Incident Recovery
A small business escalated to Progent after their company was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state-sponsored hackers, suspected of using strategies leaked from America's NSA. Ryuk seeks out specific companies with little or no ability to sustain disruption and is among the most lucrative incarnations of crypto-ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with about 500 workers. The Ryuk penetration had shut down all business operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client was evaluating paying the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but in the end engaged Progent.

"I can't say enough in regards to the support Progent gave us throughout the most fearful time of (our) business's survival. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent group afforded us. The fact that you were able to get our messaging and critical applications back into operation in less than a week was something I thought impossible. Every single consultant I spoke to or texted at Progent was hell-bent on getting our company operational and was working all day and night to bail us out."

Progent worked with the customer to rapidly assess and assign priority to the key areas that had to be recovered in order to resume business operations:

  • Active Directory
  • Electronic Messaging
  • Accounting and Manufacturing Software

To start, Progent followed anti-virus incident mitigation best practices by isolating and removing active malware. Progent then began the process of restoring Windows Active Directory, the heart of enterprise environments built on Microsoft technology. Exchange email will not function without AD, and the client's MRP software used Microsoft SQL Server, which depends on Windows AD for access to the databases.

Within 48 hours, Progent was able to restore Active Directory to its pre-penetration state. Progent then assisted with setup and storage recovery on key applications. All Exchange data and attributes were usable, which greatly helped the restoration of Exchange. Progent was able to collect intact OST files (Outlook Offline Data Files) from various PCs and laptops to recover mail data. A recent offline backup of the client's financials/MRP systems made it possible to bring these required services back online for users. Although a large amount of work still had to be done to recover completely from the Ryuk event, core services were recovered rapidly:

"For the most part, the manufacturing operation showed little impact and we made all customer shipments."

During the next month important milestones in the restoration project were achieved through close cooperation between Progent team members and the client:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Microsoft Exchange Server with over 4 million archived messages was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory modules were fully recovered.
  • A new Palo Alto Networks 850 security appliance was set up.
  • Ninety percent of the desktop computers were back in operation.

"A huge amount of what was accomplished in the early hours is mostly a blur for me, but my team will not forget the commitment each of you put in to give us our company back. I have utilized Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered. This event was a Herculean accomplishment."

Conclusion
A possible company-ending disaster was avoided with top-tier experts, a broad range of knowledge, and close collaboration. Although in hindsight the ransomware penetration described here should have been identified and blocked with up-to-date security technology and recognized best practices, user training, and properly executed security procedures for backups and software patching, the reality remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and will continue their attacks. If you do get hit by a ransomware incident, feel confident that Progent's roster of experts has substantial experience in crypto-ransomware defense, removal, and file disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for letting me get rested after we got over the most critical parts. All of you made an impressive effort, and if any of you guys is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet (PDF - 282 KB).

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Fargo a portfolio of remote monitoring and security evaluation services to help you reduce your vulnerability to ransomware. These services utilize modern machine learning technology to uncover new strains of ransomware that are able to evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting-edge behavior-based machine learning tools to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which easily get past legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a unified platform to address the complete threat lifecycle including filtering, identification, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical in-depth protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring of and response to cyber threats from all attack vectors. ProSight ESP provides firewall protection, penetration alerts, device control, and web filtering via cutting-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization experts can help you design and implement a ProSight ESP environment that meets your company's specific requirements and that allows you to achieve and demonstrate compliance with government and industry data security standards. Progent will help you specify and implement the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for immediate action. Progent's consultants can also help your company install and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business rapidly after a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with advanced backup/restore technology companies to produce ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup processes and enable transparent backup and rapid restoration of important files, apps, system images, and VMs. ProSight DPS helps you protect against data loss caused by equipment failures, natural disasters, fire, malware such as ransomware, human mistakes, malicious insiders, or application glitches. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading data security vendors to provide centralized management and world-class protection for your inbound and outbound email. The layered architecture of the Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and keeps most unwanted email from ever reaching your network firewall. This reduces your exposure to external threats and conserves system bandwidth and storage. Email Guard's on-premises security gateway appliance adds a further layer of analysis for inbound email. For outgoing email, the local gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Exchange Server track and safeguard internal email that stays inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to diagram, monitor, optimize and debug their connectivity appliances such as switches, firewalls, and load balancers, plus servers, printers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network diagrams are kept up to date, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when potential issues are discovered. By automating tedious network management activities, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, finding appliances that need important updates, or isolating performance problems. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running efficiently by checking the state of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alert is sent immediately to your specified IT staff and your Progent engineering consultant so any potential issues can be addressed before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hardware solution without requiring a time-consuming and technically risky reconfiguration process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and protect information related to your network infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as half of the time spent looking for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates cutting-edge behavior analysis tools to guard endpoints, servers and VMs against modern malware attacks like ransomware and email phishing, which routinely get past legacy signature-based anti-virus products. Progent Active Security Monitoring services protect on-premises and cloud-based resources and provide a single platform to address the complete malware attack lifecycle including filtering, infiltration detection, containment, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Center: Help Desk Managed Services
    Progent's Support Desk services enable your information technology group to offload Call Center services to Progent or split responsibilities for support services transparently between your in-house network support resources and Progent's nationwide pool of certified IT service engineers and subject matter experts. Progent's Co-managed Service Desk provides a seamless supplement to your in-house IT support staff. Client interaction with the Help Desk, delivery of support services, problem escalation, ticket generation and updates, performance measurement, and maintenance of the support database are cohesive regardless of whether issues are resolved by your core support staff, by Progent's team, or by a combination. Read more about Progent's outsourced/co-managed Help Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management provide businesses of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, implementing, and documenting software and firmware updates to your dynamic information network. Besides maximizing the protection and functionality of your computer environment, Progent's patch management services permit your IT team to focus on more strategic projects and activities that derive maximum business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to defend against the use of stolen passwords through two-factor authentication (2FA). Duo supports single-tap identity verification with iOS, Android, and other out-of-band devices. With 2FA, whenever you sign into a secured application and enter your password, you are asked to verify who you are via a device that only you possess and that uses a different network channel. A broad range of devices can be utilized as this added form of authentication, including a smartphone or wearable, a hardware token, a landline phone, etc. You can designate multiple validation devices. To find out more about Duo identity validation services, go to Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing line of real-time management reporting utilities created to work with the top ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues like inconsistent support follow-up or endpoints with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.

For Fargo 24-Hour Crypto Cleanup Consultants, call Progent at 800-462-8800 or go to Contact Progent.