Crypto-Ransomware : Your Worst IT Catastrophe
Ransomware has become an all-too-frequent cyber plague that poses an enterprise-level threat to organizations poorly prepared for an attack. Older strains such as CrySIS, Fusob, Locky, Syskey and MongoLock have been around for years and still cause damage. More recent crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with frequent as-yet-unnamed variants, not only encrypts on-line data but also encrypts or deletes any backups reachable from the compromised network. Data synchronized to the cloud can be encrypted as well, because the sync client faithfully uploads the encrypted versions of changed files. In a vulnerable environment this can make automated restoration impossible and effectively knocks the entire system back to zero.

Recovering programs and data after a ransomware event becomes a race against the clock as the targeted business works to contain the spread, remove the ransomware, and resume mission-critical activity. Because encryption and lateral spread take time, attacks are frequently launched on weekends and holidays, when intrusions often take longer to discover. This multiplies the difficulty of rapidly mobilizing and coordinating a knowledgeable response team.

Progent offers a range of services for protecting businesses from ransomware. These include staff training to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation endpoint protection based on SentinelOne's behavior-based machine learning to identify and contain new attacks quickly. Progent also provides expert ransomware recovery consultants with the track record and commitment to rebuild a breached environment as urgently as possible.

Progent's Ransomware Restoration Support Services
Following a crypto-ransomware penetration, even paying the ransom in Bitcoin does not guarantee that the criminals will provide working keys to decrypt your files. Kaspersky Lab estimated that 17% of crypto-ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the average crypto-ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the critical elements of your IT environment. Without usable backups, this calls for a broad complement of skills, well-coordinated team management, and the willingness to work around the clock until the job is done.

For two decades, Progent has provided professional IT services for companies in Hialeah and across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold advanced industry certifications in foundation technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the skills to quickly understand critical systems, assess what remains of your IT environment after a crypto-ransomware penetration, and rebuild it into an operational network.

Progent's recovery team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and get key services back online as soon as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Attack Restoration
A customer contacted Progent after their company was taken over by Ryuk ransomware. Ryuk was at first attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributed its operation to a Russian-speaking criminal group. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer in the Chicago metro area with around 500 employees. The Ryuk attack had halted all business and manufacturing operations. Most of the client's backups had been directly reachable from the network at the time of the attack and were destroyed. The client was arranging financing to pay the ransom (more than $200,000) and hoping for the best, but ultimately brought in Progent.


"I cannot thank you enough for the help Progent provided us during the most stressful period of (our) business's survival. We would have had little choice but to pay the cyber criminals if it weren't for the confidence the Progent team afforded us. That you could get our e-mail system and key applications back into operation in less than seven days was amazing. Each staff member I worked with or messaged at Progent was laser focused on getting my company operational and was working 24 by 7 on our behalf."

Progent worked hand in hand with the customer to quickly identify and prioritize the key applications that had to be restored before departmental operations could resume:

  • Windows Active Directory
  • Microsoft Exchange Server
  • Financials/MRP
First, Progent followed incident response best practices for a malware outbreak: isolating affected systems to stop lateral movement and removing active malware. Progent then began restoring Microsoft Active Directory, the heart of enterprise networks built on Microsoft technology. Microsoft Exchange Server will not function without Active Directory, and the business's accounting and MRP software ran on Microsoft SQL Server, which relied on Active Directory for authentication to the databases.
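Ransomware such as Ryuk typically wipes local recovery points (shadow copies, Windows backup catalogs, boot recovery settings) shortly before encrypting, which is why backups reachable from the network, and the VSS-based rollback that endpoint products offer, cannot be relied on by themselves. The following is an added example of detection logic for that pre-encryption step; it is not Progent's code and not part of the original case study. It assumes process-creation telemetry (Sysmon Event ID 1 or Windows Security event 4688) exported as JSON lines with "host", "user", "image" and "cmdline" fields, which is an assumption about the log format, and the sample events are constructed for illustration.

```python
"""Flag process-creation events that destroy local recovery points.

Added example for this case study; it is not Progent's code. It assumes
process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688) has
been exported as JSON lines with "host", "user", "image" and "cmdline"
fields. The sample events below are constructed for illustration.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Commands used to wipe shadow copies, Windows backup catalogs and boot
# recovery settings ahead of encryption. Matched case-insensitively against
# the whole command line so a chain such as cmd /c "vssadmin ... & wmic ..."
# still fires every rule it contains.
BACKUP_DESTRUCTION_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "vssadmin_resize_shadowstorage": re.compile(r"vssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete": re.compile(r"wbadmin(?:\.exe)?\b.*\bdelete\b", re.I),
    "bcdedit_disable_recovery": re.compile(r"bcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(r"bcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    technique: str
    cmdline: str


def parse_events(jsonl: str) -> list[dict]:
    """Parse newline-delimited JSON, ignoring blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def find_backup_destruction(events: list[dict]) -> list[Finding]:
    """Return one Finding per (event, technique) pair that matches."""
    findings = []
    for ev in events:
        cmdline = ev.get("cmdline", "")
        for technique, pattern in BACKUP_DESTRUCTION_PATTERNS.items():
            if pattern.search(cmdline):
                findings.append(Finding(ev.get("host", "?"), ev.get("user", "?"), technique, cmdline))
    return findings


def triage(findings: list[Finding]) -> dict[str, str]:
    """Rank hosts. A single hit deserves a look (administrators do run
    wbadmin); two or more distinct techniques on one host is the
    pre-encryption pattern and should trigger isolation of that host."""
    techniques_by_host: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        techniques_by_host[f.host].add(f.technique)
    return {host: ("critical" if len(t) >= 2 else "high") for host, t in techniques_by_host.items()}


# Constructed sample telemetry: routine backup activity on FS01, the classic
# pre-encryption sequence on a workstation, and a catalog deletion on a DC.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"host": "FS01", "user": "CORP\\backupsvc", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "FS01", "user": "CORP\\backupsvc", "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin start backup -backupTarget:\\\\nas01\\backups -include:D: -quiet"},
    {"host": "WS-ACCT07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c \"vssadmin Delete Shadows /all /quiet & wmic shadowcopy delete\""},
    {"host": "WS-ACCT07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS-ACCT07", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "DC01", "user": "CORP\\Administrator", "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"},
])


if __name__ == "__main__":
    hits = find_backup_destruction(parse_events(SAMPLE_EVENTS))
    for f in hits:
        print(f"{f.host:10} {f.user:20} {f.technique:30} {f.cmdline}")
    print(triage(hits))
```

Run against the constructed sample, the routine `vssadmin list shadows` and `wbadmin start backup` on FS01 produce no findings, WS-ACCT07 is rated critical (four distinct techniques), and DC01 is rated high on a single catalog deletion that an administrator should confirm or deny. Matching on the full command line rather than on the image path is deliberate: the same commands are frequently launched through cmd.exe or a script, so an image-only rule would miss them.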

In less than two days, Progent rebuilt Active Directory to its pre-intrusion state. Progent then pressed ahead with setup and storage recovery on the most important systems. The Exchange schema and configuration data held in Active Directory were intact, which simplified the Exchange rebuild. Progent was able to harvest the local OST files (Outlook offline data files) cached on staff desktops to recover mail data. A recent off-line backup of the client's accounting/MRP systems made it possible to bring these vital applications back on-line. Although significant work remained to recover fully from Ryuk, the most important services were returned to operation rapidly:


"For the most part, the production line operation did not miss a beat and we delivered all customer orders."

Over the following month, critical milestones in the restoration project were reached in close collaboration between Progent consultants and the customer:

  • Self-hosted web applications were restored with no loss of information.
  • The MailStore archive for Exchange, holding more than four million messages, was restored and made accessible to users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory functions were 100% recovered.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • Nearly all user desktops and notebooks were back in service.

"A lot of what occurred in the early hours is mostly a blur for me, but our team will not soon forget the urgency each of you accomplished to help get our business back. I've trusted Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This event was a testament to your capabilities."

Conclusion
A probable business disaster was averted through the efforts of hard-working professionals, a broad spectrum of IT skills, and tight collaboration. Post-incident forensics showed that the attack described here could have been stopped with modern security technology and security best practices: user education, backup procedures that keep at least one copy off-line or otherwise unreachable from the production network, and keeping systems current with security patches. But the fact remains that state-sponsored and criminal attackers from North Korea, China, Russia and elsewhere are tireless and an ongoing threat. If you do fall victim to a crypto-ransomware penetration, you can be confident that Progent's team has substantial experience in ransomware defense, mitigation, and information systems restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for making it so I could get rested after we got through the first week. Everyone made an amazing effort, and if anyone that helped is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Hialeah a variety of remote monitoring and security evaluation services designed to help you reduce the threat from crypto-ransomware. These services include modern AI-based detection of zero-day ransomware variants that evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's next-generation behavior-based analysis to guard physical and virtual endpoints against new malware attacks such as ransomware and phishing payloads, which routinely escape traditional signature-matching anti-virus products. ProSight ASM safeguards local and cloud resources and offers a single platform to automate the complete malware attack lifecycle: protection, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback of encrypted files using Windows Volume Shadow Copy Service (VSS), which depends on the agent blocking the shadow-copy deletion that ransomware normally attempts first, and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical in-depth security for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and response to cyber attacks from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can help your business design and implement a ProSight ESP deployment that addresses your company's unique requirements and that allows you to demonstrate compliance with legal and industry data security standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent can also help you set up and test a backup and restore solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with leading backup/restore software providers to produce ProSight Data Protection Services, a family of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your data backup operations and allow transparent backup and fast recovery of vital files/folders, apps, system images, plus virtual machines. ProSight DPS lets you recover from data loss resulting from hardware breakdown, natural calamities, fire, malware such as ransomware, user mistakes, ill-intentioned employees, or software bugs. Managed backup services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top information security vendors to deliver centralized control and world-class security for your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to offer complete protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your exposure to external threats and conserves bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper level of inspection for inbound email. For outgoing email, the local gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Exchange Server track and protect internal email traffic that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to diagram, track, optimize and troubleshoot their connectivity hardware such as routers and switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are kept current, captures and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when potential issues are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can cut hours off ordinary chores like making network diagrams, expanding your network, locating devices that need important software patches, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to keep your network operating efficiently by checking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so that any looming issues can be addressed before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported easily to a different hardware solution without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard data related to your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can save as much as half of the time spent trying to find critical information about your network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting-edge behavior-based machine learning technology to defend endpoint devices as well as physical and virtual servers against new malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-matching AV products. The service protects local and cloud-based resources and offers a single platform to manage the entire malware attack progression: protection, detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Find out more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Call Desk: Support Desk Managed Services
    Progent's Help Desk services enable your information technology staff to outsource Call Center services to Progent or divide responsibilities for Help Desk services transparently between your in-house network support staff and Progent's extensive roster of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a seamless supplement to your internal support staff. User access to the Help Desk, provision of support services, issue escalation, ticket generation and updates, efficiency measurement, and maintenance of the service database are consistent regardless of whether issues are taken care of by your corporate network support organization, by Progent's team, or by a combination. Find out more about Progent's outsourced/shared Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a flexible and cost-effective solution for assessing, testing, scheduling, implementing, and tracking updates to your ever-evolving information system. In addition to maximizing the protection and functionality of your IT environment, Progent's patch management services permit your IT staff to focus on more strategic initiatives and activities that derive maximum business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to mitigate the risk of stolen passwords through the use of two-factor authentication (2FA). Duo supports one-tap identity confirmation with iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you log into a protected application and enter your password you are asked to verify your identity on a device that only you have and that is reached over a different network channel. A broad range of out-of-band devices can be used for this added means of authentication, including a smartphone or wearable, a hardware/software token, a landline phone, etc. You may designate several verification devices. To learn more about ProSight Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing suite of real-time management reporting plug-ins created to work with the industry's leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues such as spotty support follow-through or machines with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For 24/7/365 Hialeah Ransomware Removal Consultants, contact Progent at 800-462-8800 or go to Contact Progent.