Crypto-Ransomware : Your Crippling Information Technology Disaster
Crypto-ransomware has become an escalating cyber pandemic that poses an enterprise-level danger to organizations poorly prepared for an attack. Older families such as Reveton, Locky, WannaCry, NotPetya and MongoLock have been circulating for years and continue to cause damage. Recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, along with a steady stream of unnamed newcomers, not only encrypt online data but also attack every protection mechanism they can reach: online backups and snapshots, and even data replicated to off-site disaster recovery sites, can all be encrypted. In a poorly architected environment this makes automated restore operations hopeless and effectively knocks the network back to zero.

Recovering services and data after a ransomware attack is a race against the clock: the targeted organization must stop lateral movement, eradicate the ransomware and restore mission-critical activity all at once. Because the attackers need time to move laterally and stage the payload, the encryption phase is usually triggered at night or over a weekend, when an intrusion takes longer to notice and a qualified response team is harder to assemble and coordinate.

Progent offers a range of solutions for protecting enterprises against ransomware. These include staff education to help employees recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation, behavior-based endpoint protection from SentinelOne that detects and quarantines zero-day attacks automatically. Progent can also provide experienced ransomware recovery engineers with the skills and commitment to restore a breached environment as rapidly as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a ransomware attack, even paying the ransom in Bitcoin does not guarantee that the attackers will hand over the keys to decrypt all your data. Kaspersky found that 17% of ransomware victims never recovered their data after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000 at the exchange rates of the time), far above the typical ransomware demand, which ZDNet estimates at roughly $13,000. The alternative is to rebuild the essential parts of your IT environment. Without intact backups, this requires a broad range of skills, professional project management, and the ability to work around the clock until recovery is complete.

For two decades, Progent has provided expert IT services to companies in Minneapolis and throughout the U.S. and holds Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants holding top certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC (visit Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise lets Progent quickly identify the critical systems, salvage the surviving parts of your IT environment after a ransomware attack, and rebuild them into a working network.

Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the urgency of working swiftly and in unison with the customer's management and IT staff to prioritize tasks and get critical applications back online as fast as humanly possible.

Client Story: A Successful Ransomware Intrusion Response
A small business approached Progent after its network was taken over by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but later analysis by CrowdStrike and other researchers tied its operation to a Russian-speaking criminal group. Ryuk is a targeted, hands-on-keyboard operation aimed at organizations with little or no tolerance for operational disruption, and it is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with about 500 employees. The Ryuk attack had frozen all essential business and manufacturing operations. Most of the client's backups had been online at the time of the intrusion and were damaged. The client was considering paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.


"I cannot tell you enough about the care Progent provided us during the most stressful time of (our) business's existence. We would have had little choice but to pay the criminal gangs if not for the confidence the Progent experts afforded us. That you could get our messaging and key servers back in under seven days was amazing. Every single consultant I worked with or communicated with at Progent was totally committed to getting us restored and was working day and night to bail us out."

Progent worked with the customer to quickly identify and prioritize the critical services that had to be restored so that departmental operations could continue:

  • Windows Active Directory
  • Microsoft Exchange
  • Financials/MRP
To begin, Progent followed standard ransomware incident response practice: isolate the affected systems to stop the spread, then eradicate the malware. Progent then started bringing Microsoft Active Directory back online, since AD is the foundation of any enterprise environment built on Windows Server. Exchange cannot run without AD, and the client's financials and MRP software ran on SQL Server, which relied on Active Directory accounts to authenticate users to the databases.

In less than 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then performed reinstallations and hard drive recovery for the required applications. All Exchange Server data and directory attributes were intact, which greatly simplified the Exchange restore. Progent collected unencrypted OST files (Outlook Offline Data Files, the locally cached copy of each user's mailbox) from staff PCs to recover mail. A fairly recent offline backup of the accounting/ERP software, which had survived because it was not reachable from the network, allowed those essential applications to be restored. Although much work remained to recover completely from the Ryuk attack, the essential systems were back quickly:
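The OST step above turns on a simple question: which of the cached mailbox files on the PCs are still intact? The scanner below is an added example written for this page, not a Progent tool. It relies on one documented property of Outlook data files, the 4-byte signature "!BDN" at offset 0 of every PST/OST file, and on the fact that ransomware output has near-random byte statistics; the directory layout, file names and contents it triages are constructed for the demonstration.

```python
"""Triage Outlook data files (.ost/.pst) after a ransomware incident.

Added example, not Progent's tooling. Every intact PST/OST file starts with
the 4-byte magic "!BDN" (dwMagic in the [MS-PST] header). A file that was
encrypted in place has lost that magic and its leading bytes look random
(Shannon entropy near 8 bits/byte), whereas a truncated or zero-filled stub
has low entropy. The scanner walks a directory tree, checks both properties
and reports which files are worth copying off for mail recovery. Paths and
file names in the demo tree are constructed, not taken from any real case.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

PST_MAGIC = b"!BDN"        # dwMagic at offset 0 of every PST/OST file
SAMPLE_LEN = 4096          # leading bytes used for the entropy estimate
ENTROPY_SUSPECT = 7.0      # bits/byte; ciphertext sits close to 8.0
OUTLOOK_SUFFIXES = {".ost", ".pst"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_header(head: bytes) -> str:
    """Classify a file from its leading bytes.

    'intact'    - PST magic present; copy the file off for recovery
    'encrypted' - magic gone and bytes look random; no local recovery
    'damaged'   - magic gone, low entropy (truncated, zero-filled, not a PST)
    """
    if head.startswith(PST_MAGIC):
        return "intact"
    if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_SUSPECT:
        return "encrypted"
    return "damaged"


def scan_outlook_files(root) -> dict:
    """Map each .ost/.pst file under `root` (path as str) to its classification.

    Ransomware usually appends its own extension (mailbox.ost.<ext>), so a
    file is included when any of its suffixes is .ost or .pst, not only the
    last one.
    """
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if not OUTLOOK_SUFFIXES.intersection(s.lower() for s in path.suffixes):
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(SAMPLE_LEN)
        except OSError:
            results[str(path)] = "unreadable"
            continue
        results[str(path)] = classify_header(head)
    return results


def demo_triage() -> dict:
    """Build a constructed sample profile tree in a temp dir and triage it.

    Returns {file name: classification}. The "random" body is produced with
    a fixed seed so the result is reproducible; a real encrypted OST would
    be ciphertext with the same statistical character.
    """
    root = Path(tempfile.mkdtemp(prefix="ost-triage-"))
    outlook = root / "Users" / "jdoe" / "AppData" / "Local" / "Microsoft" / "Outlook"
    outlook.mkdir(parents=True)
    # Intact cached mailbox: real magic followed by filler (real files are GBs).
    (outlook / "jdoe@example.com.ost").write_bytes(PST_MAGIC + b"\x00" * 600)
    # Encrypted mailbox: attacker appended an extension, body is pseudo-random.
    rng = random.Random(20240518)
    (outlook / "old-profile.ost.locked").write_bytes(
        bytes(rng.randrange(256) for _ in range(SAMPLE_LEN)))
    # Zero-filled stub, e.g. a file Outlook was still creating when power dropped.
    (outlook / "archive.pst").write_bytes(b"\x00" * 600)
    return {Path(p).name: c for p, c in scan_outlook_files(root).items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo_triage().items()):
        print(f"{verdict:10s} {name}")
```

Run it against a mounted image of each workstation's disk (or a share of collected profile folders) rather than on the live machine, and copy the 'intact' files off before anything else touches them. An OST cannot simply be reopened in a fresh profile, so plan on converting it to PST or importing it once the user's mailbox exists again on the rebuilt Exchange server.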


"For the most part, the production manufacturing operation survived unscathed and we did not miss any customer sales."

During the next month important milestones in the recovery process were accomplished through tight collaboration between Progent consultants and the customer:

  • Self-hosted web applications were returned to operation with no loss of data.
  • The MailStore email archive server, holding more than four million archived messages, was restored and made available to users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivable (AR)/Inventory functions were 100 percent recovered.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • 90% of user PCs were back in operation.

"Much of what went on those first few days is mostly a blur for me, but our team will not soon forget the urgency each and every one of you put in to give us our company back. I have been working with Progent for at least 10 years, possibly more, and each time Progent has come through and delivered as promised. This event was a testament to your capabilities."

Conclusion
A potentially business-ending disaster was averted thanks to top-tier experts, a wide spectrum of IT skills, and tight collaboration. In retrospect, the incident described here should have been stopped by modern security tooling and security best practices: staff education, sound procedures for data protection (including backups kept off the network), and timely security patching. The reality remains that state-sponsored and criminal cyber gangs operating from China, Russia, North Korea and elsewhere are relentless and are not going away. If you are hit by a ransomware attack, remember that Progent's roster of experts has substantial experience in ransomware prevention, cleanup, and data recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), thank you for letting me get some sleep after we made it through the initial fire. All of you made an incredible effort, and if any of you are in the Chicago area, a great meal is on me!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Minneapolis a portfolio of remote monitoring and security assessment services designed to reduce your exposure to ransomware. These services include behavior-based, machine-learning detection of new strains of ransomware that evade traditional signature-based security products.
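Rollback from Volume Shadow Copies, mentioned under ProSight Active Security Monitoring below, only works if the shadow copies survive, and deleting them is a fixed step in ransomware pre-encryption routines. The detection below is an added example written for this page, not Progent's or SentinelOne's logic: it runs a set of command-line patterns over process-creation events and escalates when one account runs several distinct destruction commands within a minute. The log lines are constructed, and their key=value layout is an assumption of the example rather than any product's export format.

```python
"""Flag shadow-copy and backup-catalog destruction in process-creation logs.

Added example; it is not Progent's or SentinelOne's detection logic.
Snapshot rollback only works if the shadow copies still exist, and a
ransomware operator's pre-encryption routine normally deletes them. The
commands matched below are the well-known ways of doing that on Windows.
The log lines are constructed for this example, in the style of Windows
Security event 4688 (process creation) flattened to key=value pairs; the
field names follow that event, but the layout is an assumption here.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# (regex over the command line, reason reported in the alert)
DESTRUCTION_PATTERNS = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin deletes shadow copies"),
    (r"vssadmin(\.exe)?\s+resize\s+shadowstorage", "vssadmin shrinks shadow storage to evict snapshots"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "wmic deletes shadow copies"),
    (r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", "wbadmin deletes backup catalog"),
    (r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", "bcdedit disables Windows recovery"),
    (r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", "bcdedit suppresses boot recovery"),
    (r"win32_shadowcopy.*(\.delete\(\)|remove-wmiobject|remove-ciminstance)", "PowerShell deletes shadow copies via WMI"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), why) for p, why in DESTRUCTION_PATTERNS]

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+User=(?P<user>\S+)\s+'
    r'NewProcessName=(?P<image>\S+)\s+CommandLine="(?P<cmd>[^"]*)"'
)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    command_line: str
    reason: str


def detect(lines):
    """Return one Alert per 4688 line whose command line matches a pattern."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("eid") != "4688":
            continue
        cmd = m.group("cmd")
        for pattern, why in COMPILED:
            if pattern.search(cmd):
                alerts.append(Alert(m.group("ts"), m.group("user"), cmd, why))
                break
    return alerts


def burst_users(alerts, window_seconds=60):
    """Users who ran two or more *different* destruction techniques inside the window.

    A lone `vssadmin list shadows` from an admin never matches at all; several
    distinct destruction commands within a minute are the pre-encryption
    routine and justify isolating the host immediately.
    """
    by_user = {}
    for alert in alerts:
        by_user.setdefault(alert.user, []).append(alert)
    flagged = set()
    for user, events in by_user.items():
        events.sort(key=lambda a: a.timestamp)   # ISO timestamps sort as text
        for i, first in enumerate(events):
            t0 = datetime.strptime(first.timestamp, TS_FORMAT)
            reasons = {first.reason}
            for later in events[i + 1:]:
                delta = datetime.strptime(later.timestamp, TS_FORMAT) - t0
                if delta.total_seconds() > window_seconds:
                    break
                reasons.add(later.reason)
            if len(reasons) >= 2:
                flagged.add(user)
                break
    return flagged


# Constructed sample log: a normal user process, a compromised service account
# running the destruction sequence, and a benign admin check.
SAMPLE_LOG = [
    '2024-05-18T02:13:41Z EventID=4688 User=CORP\\jdoe '
    'NewProcessName=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe C:\\Users\\jdoe\\notes.txt"',
    '2024-05-18T02:13:44Z EventID=4688 User=CORP\\svc_backup '
    'NewProcessName=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="cmd.exe /c vssadmin delete shadows /all /quiet"',
    '2024-05-18T02:13:45Z EventID=4688 User=CORP\\svc_backup '
    'NewProcessName=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'CommandLine="wmic shadowcopy delete"',
    '2024-05-18T02:13:46Z EventID=4688 User=CORP\\svc_backup '
    'NewProcessName=C:\\Windows\\System32\\bcdedit.exe '
    'CommandLine="bcdedit /set {default} recoveryenabled No"',
    '2024-05-18T02:13:47Z EventID=4688 User=CORP\\svc_backup '
    'NewProcessName=C:\\Windows\\System32\\wbadmin.exe '
    'CommandLine="wbadmin delete catalog -quiet"',
    '2024-05-18T08:00:00Z EventID=4688 User=CORP\\admin '
    'NewProcessName=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin list shadows"',
    '2024-05-18T08:00:01Z EventID=4624 User=CORP\\admin '
    'NewProcessName=- CommandLine=""',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.user}: {a.reason} <- {a.command_line}")
    print("isolate hosts used by:", sorted(burst_users(found)))
```

On a real estate the same rules would be expressed in the EDR's or SIEM's query language against Security event 4688 (with command-line auditing enabled) or Sysmon event 1. The escalation rule is the important part: a single administrative `vssadmin list shadows` must not page anyone, while the four-command sequence from one account in three seconds should trigger host isolation before the encryptor is launched.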

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's behavior-analysis technology to guard physical and virtual endpoints against modern malware such as ransomware and fileless exploits, which routinely evade traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and offers a single platform for the complete threat progression: prevention, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service and real-time network-wide immunization against newly seen attacks. Note that snapshot-based rollback can only restore what the shadow copies still hold, so the snapshots themselves must be protected from deletion. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and machine learning for round-the-clock monitoring of, and response to, attacks from every vector. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering through tools packaged in a single agent managed from a unified console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP deployment that addresses your organization's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry data protection regulations. Progent will help you specify and implement the policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that require urgent attention. Progent's consultants can also help you set up and test a backup and restore solution such as ProSight Data Protection Services so you can get back in business quickly after a destructive attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup technology vendors to create ProSight Data Protection Services, a family of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and track your backup processes and allow transparent backup and rapid recovery of critical files and folders, applications, system images, and VMs. ProSight DPS helps you recover from data loss caused by hardware failure, natural disasters, fire, cyber attacks such as ransomware, user error, malicious insiders, or software faults. For ransomware in particular, the copy that matters is the one the attacker cannot reach, so at least one backup set should be kept off the production network or in immutable storage; it was an offline backup that made the ERP restore in the case study above possible. Managed backup services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you identify which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of top data security vendors to deliver centralized management and strong security for all your inbound and outbound email. The architecture of the Email Guard managed service combines cloud-based filtering with a local gateway appliance to offer layered protection against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as the first line of defense and blocks the vast majority of unwanted email before it reaches your security perimeter. This reduces your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises gateway appliance adds a deeper level of analysis for incoming email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The local gateway can also help Exchange Server track and protect internal email that originates and terminates inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map out, monitor, reconfigure and troubleshoot their networking hardware like routers, firewalls, and access points as well as servers, endpoints and other networked devices. Using cutting-edge RMM technology, WAN Watch ensures that network diagrams are kept updated, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when problems are discovered. By automating tedious management and troubleshooting processes, WAN Watch can knock hours off common tasks like making network diagrams, expanding your network, finding appliances that require important software patches, or isolating performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by checking the health of vital assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted automatically to your specified IT personnel and your Progent consultant so that any looming issues can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With the ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved promptly to an alternative hosting solution without a time-consuming and difficult reconfiguration. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect information about your IT infrastructure, procedures, business applications, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL/TLS certificates, domains or warranties. By cleaning up and managing your network documentation, you can save as much as half of the time spent looking for vital information about your IT network. ProSight IT Asset Management provides a common repository for holding and collaborating on all the documents required to manage your business network, such as recommended procedures and how-to guides. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you are making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Read more about the ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection service that uses behavior-based analysis to defend endpoints, servers and VMs against new malware such as ransomware and phishing payloads, which routinely evade traditional signature-based AV products. The service protects local and cloud resources and provides a single platform to manage the entire attack progression: blocking, detection, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and automatic network-wide immunization against new threats. Find out more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Call Center: Help Desk Managed Services
    Progent's Support Desk managed services enable your information technology group to outsource Support Desk services to Progent or divide responsibilities for support services seamlessly between your in-house support staff and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a smooth supplement to your core support group. User interaction with the Service Desk, provision of support, problem escalation, ticket generation and updates, performance metrics, and management of the service database are consistent regardless of whether incidents are resolved by your in-house support resources, by Progent, or both. Learn more about Progent's outsourced/shared Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and documenting updates to your dynamic information system. Besides optimizing the protection and functionality of your IT network, Progent's patch management services free up time for your in-house IT staff to concentrate on more strategic initiatives and tasks that derive the highest business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against compromised passwords with two-factor authentication. Duo enables single-tap identity verification on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you log in to a protected account and enter your password, you are asked to confirm your identity through a device that only you possess and that is reached over a different channel. A wide range of out-of-band devices can be used for this second factor, such as an iPhone, Android phone or smartwatch, a hardware token, or a landline telephone, and you may register several verification devices. To find out more about Duo two-factor authentication services, see Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time management reporting utilities created to work with the leading ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues such as inconsistent support follow-up or machines with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For Minneapolis 24x7 CryptoLocker Repair Support Services, call Progent at 800-462-8800 or go to Contact Progent.