Crypto-Ransomware: Your Feared IT Nightmare
Crypto-Ransomware Recovery Experts

Ransomware has become an escalating cyber plague that represents an extinction-level danger for businesses vulnerable to an attack. Ransomware families such as CrySIS, CryptoWall, Locky, Syskey and MongoLock have been circulating for years and continue to cause damage. Newer variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, along with additional as yet unnamed malware, not only encrypt online data files but also infect most configured system backups. Files synced to the cloud can also be ransomed. In a vulnerable data protection solution, this can make automatic recovery useless and effectively knocks the entire system back to zero.

Getting services and information back online after a ransomware attack becomes a race against the clock as the victim struggles to contain the damage, clear the ransomware, and resume business-critical operations. Since crypto-ransomware needs time to spread and encrypt, attacks are frequently launched at night, when a successful intrusion is likely to take longer to detect. This compounds the difficulty of promptly marshalling and coordinating an experienced mitigation team.

Progent offers a variety of support services for protecting businesses from ransomware intrusions. These include staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security tooling with AI technology from SentinelOne to identify and disable zero-day threats rapidly. Progent also offers the services of experienced ransomware recovery consultants with the skills and commitment to rebuild a breached network as rapidly as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware intrusion, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over the keys needed to decrypt any of your files. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms are commonly several hundred thousand dollars. For larger organizations, the ransom can reach millions of dollars. The other path is to set up the essential parts of your Information Technology environment from scratch. Without access to complete information backups, this calls for a broad complement of skills, professional project management, and the willingness to work non-stop until the task is finished.

For two decades, Progent has provided expert IT services for businesses across the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have attained advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized certifications including CISA, CISSP, CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of expertise gives Progent the skills to efficiently identify critical systems, salvage the surviving parts of your Information Technology environment following a crypto-ransomware attack, and reassemble them into a functioning system.

Progent's ransomware team uses best-of-breed project management systems to coordinate the complex restoration process. Progent understands the importance of acting quickly and in concert with a client's management and IT resources to prioritize tasks and to get the most important services back online as fast as possible.

Customer Story: A Successful Ransomware Intrusion Recovery
A small business escalated to Progent after their network was attacked by Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state hackers, possibly using techniques leaked from the United States NSA. Ryuk targets specific businesses with little or no tolerance for operational disruption and is one of the most lucrative examples of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in the Chicago metro area with about 500 staff members. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (in excess of $200,000) and hoping for the best, but in the end decided to engage Progent.


"I can't say enough about the expertise Progent provided us during the most stressful time of (our) company's life. We most likely would have paid the cyber criminals except for the confidence the Progent group provided us. The fact that you could get our e-mail and production applications back into operation in less than seven days was amazing. Each person I got help from or texted at Progent was laser focused on getting our company operational and was working at breakneck pace on our behalf."

Progent worked with the customer to quickly assess and prioritize the critical systems that had to be restored to make it possible to resume business operations:

  • Windows Active Directory
  • Electronic Messaging
  • MRP System

To begin, Progent followed incident response best practices by isolating the affected systems and removing the malware. Progent then started bringing Windows Active Directory back online, the core technology of enterprise environments built on Microsoft Windows Server. Exchange email will not run without Active Directory, and the customer's MRP applications ran on SQL Server, which relied on Active Directory for authentication and authorization to the data.

Within 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then pressed ahead with rebuilding and storage recovery on the required servers. All Exchange-related links and attributes in Active Directory were intact, which accelerated the restore of Exchange. Progent was also able to gather unencrypted OST files (Microsoft Outlook Offline Data Files) from staff desktop computers in order to recover mail data. A recent offline backup of the client's financial/ERP software made it possible to bring these essential services back online. Although a great deal of work remained to recover completely from the Ryuk damage, the most important services were recovered rapidly:


"For the most part, the production operation ran fairly normally throughout and we made all customer shipments."

Over the next few weeks, key milestones in the recovery process were completed in close cooperation between Progent team members and the customer:

  • Internal web sites were restored with no loss of data.
  • The MailStore email archive server, holding more than four million archived messages, was restored to operation and made available to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory functions were fully operational.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Nearly all of the user workstations were back into operation.

"A huge amount of what transpired during the initial response is mostly a fog for me, but my management will not forget the care each of your team put in to give us our company back. I've utilized Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered. This situation was a stunning achievement."

Conclusion
A potentially business-killing disaster was averted through the efforts of hard-working professionals, a wide range of subject matter expertise, and tight teamwork. Although in hindsight the ransomware attack described here could have been stopped with advanced cyber security solutions and security best practices, user education, and well designed procedures for data protection and software patching, the fact remains that state-sponsored hackers from Russia, China and elsewhere are relentless and will continue. If you do fall victim to a ransomware incursion, be confident that Progent's team of experts has proven experience in ransomware blocking, cleanup, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thank you for making it so I could get rested after we got past the initial push. Everyone did an amazing job, and if anyone that helped is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Des Moines a variety of online monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services utilize next-generation AI technology to detect zero-day variants of ransomware that can get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior-based machine learning technology to defend physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which routinely get by traditional signature-based anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a unified platform to manage the entire threat lifecycle including blocking, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through cutting-edge tools incorporated within one agent accessible from a unified console. Progent's security and virtualization consultants can assist you to plan and implement a ProSight ESP environment that meets your company's specific needs and that allows you to achieve and demonstrate compliance with government and industry information protection standards. Progent will assist you in specifying and implementing the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent can also assist your company to install and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup/restore software providers to create ProSight Data Protection Services (DPS), a portfolio of management outsourcing plans that deliver backup-as-a-service. ProSight DPS services manage and track your backup operations and allow transparent backup and fast recovery of critical files/folders, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss resulting from equipment failures, natural disasters, fire, malware like ransomware, user mistakes, malicious insiders, or application bugs. Managed services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security vendors to deliver centralized control and comprehensive security for your email traffic. The architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway appliance to provide layered protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your exposure to inbound attacks and saves bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further layer of inspection for incoming email. For outbound email, the local security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map, track, optimize and troubleshoot their networking appliances like routers, firewalls, and load balancers as well as servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are kept current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and generates alerts when issues are discovered. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off common chores like network mapping, expanding your network, locating devices that require critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by checking the health of vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your specified IT staff and your assigned Progent consultant so any looming problems can be resolved before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be moved immediately to a different hardware solution without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard data related to your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be warned about impending expirations of SSL certificates or domain registrations. By updating and managing your IT documentation, you can eliminate as much as 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're making enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require the instant you need it. Find out more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that utilizes cutting-edge behavior-based analysis technology to defend endpoints as well as physical and virtual servers against modern malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-based anti-virus products. Progent's ASM services protect local and cloud resources and provide a unified platform to automate the complete threat lifecycle including filtering, identification, containment, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
    Progent's Call Center managed services permit your IT group to offload Support Desk services to Progent or divide activity for support services transparently between your internal network support resources and Progent's nationwide pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a smooth extension of your in-house support resources. User access to the Service Desk, delivery of technical assistance, escalation, ticket generation and tracking, performance metrics, and management of the service database are consistent whether issues are taken care of by your internal network support organization, by Progent's team, or by a combination. Read more about Progent's outsourced/co-managed Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of any size a flexible and cost-effective alternative for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving information system. In addition to optimizing the protection and functionality of your IT environment, Progent's software/firmware update management services allow your in-house IT staff to concentrate on more strategic projects and tasks that deliver maximum business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo technology to protect against compromised passwords by using two-factor authentication (2FA). Duo enables single-tap identity confirmation with iOS, Google Android, and other out-of-band devices. With 2FA, whenever you log into a protected application and enter your password, you are asked to verify who you are on a device that only you possess and that is reached over a different network channel. A broad selection of devices can serve as this added factor, such as an iPhone, Android phone or wearable, a hardware token, or a landline phone. You can register several validation devices. To learn more about ProSight Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time management reporting tools designed to integrate with the leading ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues such as inconsistent support follow-up or endpoints with out-of-date anti-virus. By exposing ticketing or network health concerns clearly and in near real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

For 24-7 Des Moines CryptoLocker Repair Experts, call Progent at 800-462-8800 or go to Contact Progent.