Ransomware : Your Feared IT Nightmare
Crypto-Ransomware  Remediation ConsultantsCrypto-Ransomware has become an escalating cyberplague that poses an existential threat for businesses vulnerable to an assault. Different versions of crypto-ransomware such as CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been out in the wild for many years and continue to cause destruction. More recent variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus daily as yet unnamed newcomers, not only encrypt online files but also infect many configured system restores and backups. Files synchronized to off-site disaster recovery sites can also be ransomed. In a poorly designed system, this can render automated restoration useless and basically sets the network back to square one.

Retrieving services and data following a crypto-ransomware event becomes a sprint against the clock as the targeted business struggles to contain the damage and eradicate the crypto-ransomware and to resume enterprise-critical activity. Due to the fact that ransomware needs time to move laterally, penetrations are often sprung on weekends and holidays, when attacks tend to take more time to recognize. This multiplies the difficulty of rapidly assembling and orchestrating a qualified mitigation team.

Progent provides a range of support services for securing enterprises from ransomware events. These include user education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation security gateways with AI technology from SentinelOne to discover and suppress new threats automatically. Progent also offers the services of veteran ransomware recovery engineers with the talent and commitment to re-deploy a breached environment as soon as possible.

Progent's Crypto-Ransomware Restoration Help
Subsequent to a ransomware attack, sending the ransom demands in cryptocurrency does not provide any assurance that distant criminals will return the needed keys to decipher any of your data. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the usual ransomware demands, which ZDNET averages to be around $13,000. The alternative is to re-install the essential parts of your IT environment. Without the availability of essential data backups, this calls for a broad complement of skill sets, well-coordinated project management, and the ability to work non-stop until the recovery project is done.

For twenty years, Progent has made available expert Information Technology services for companies in Indianapolis and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned top industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's security consultants have earned internationally-recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with financial systems and ERP applications. This breadth of expertise provides Progent the ability to knowledgably ascertain critical systems and re-organize the remaining components of your computer network system following a ransomware penetration and assemble them into an operational system.

Progent's security team utilizes powerful project management tools to orchestrate the complex restoration process. Progent understands the importance of acting rapidly and together with a customer's management and Information Technology resources to prioritize tasks and to put critical systems back online as fast as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Penetration Response
A small business contacted Progent after their network system was taken over by Ryuk ransomware virus. Ryuk is believed to have been created by North Korean government sponsored hackers, possibly using approaches leaked from the United States National Security Agency. Ryuk goes after specific businesses with limited ability to sustain disruption and is one of the most lucrative instances of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer based in the Chicago metro area and has around 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing processes. Most of the client's backups had been on-line at the beginning of the attack and were damaged. The client considered paying the ransom (more than $200,000) and praying for the best, but in the end brought in Progent.


"I cannot say enough about the help Progent provided us during the most fearful period of (our) company's life. We had little choice but to pay the hackers behind this attack except for the confidence the Progent group provided us. That you could get our e-mail system and key applications back faster than 1 week was earth shattering. Each person I spoke to or e-mailed at Progent was hell bent on getting my company operational and was working 24/7 on our behalf."

Progent worked together with the customer to rapidly get our arms around and assign priority to the critical areas that needed to be restored to make it possible to restart departmental operations:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To begin, Progent adhered to ransomware penetration response best practices by stopping lateral movement and disinfecting systems. Progent then initiated the process of rebuilding Microsoft Active Directory, the foundation of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the client's accounting and MRP system leveraged Microsoft SQL, which needs Windows AD for access to the database.

In less than 2 days, Progent was able to restore Active Directory to its pre-attack state. Progent then helped perform reinstallations and storage recovery on critical servers. All Exchange Server ties and attributes were usable, which accelerated the restore of Exchange. Progent was able to collect intact OST files (Microsoft Outlook Offline Folder Files) on user desktop computers and laptops to recover mail information. A recent offline backup of the businesses accounting systems made them able to return these vital services back online. Although a lot of work still had to be done to recover totally from the Ryuk event, essential services were restored rapidly:


"For the most part, the assembly line operation ran fairly normal throughout and we delivered all customer shipments."

During the next month critical milestones in the recovery process were accomplished through close cooperation between Progent consultants and the customer:

  • Internal web applications were brought back up without losing any data.
  • The MailStore Microsoft Exchange Server containing more than four million historical emails was brought on-line and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent recovered.
  • A new Palo Alto 850 firewall was set up.
  • Ninety percent of the desktop computers were operational.

"A huge amount of what occurred during the initial response is mostly a fog for me, but my team will not forget the countless hours each and every one of you accomplished to give us our company back. I have entrusted Progent for at least 10 years, maybe more, and each time Progent has come through and delivered. This time was the most impressive ever."

Conclusion
A likely company-ending catastrophe was dodged by dedicated professionals, a wide array of subject matter expertise, and tight teamwork. Although in analyzing the event afterwards the ransomware attack described here should have been identified and blocked with modern security technology and recognized best practices, user training, and well designed incident response procedures for data protection and keeping systems up to date with security patches, the fact is that state-sponsored cyber criminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware attack, feel confident that Progent's roster of experts has proven experience in ransomware virus defense, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were involved), thanks very much for allowing me to get some sleep after we made it over the initial fire. All of you did an incredible job, and if anyone is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Indianapolis a portfolio of remote monitoring and security evaluation services to assist you to minimize the threat from crypto-ransomware. These services incorporate modern AI capability to uncover zero-day variants of ransomware that are able to get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting edge behavior-based machine learning tools to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which easily evade traditional signature-based AV products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to manage the entire malware attack lifecycle including filtering, identification, containment, remediation, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver ultra-affordable in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint management, and web filtering through leading-edge tools incorporated within a single agent accessible from a unified control. Progent's security and virtualization experts can help you to design and configure a ProSight ESP deployment that meets your company's unique needs and that allows you demonstrate compliance with legal and industry data security standards. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate attention. Progent's consultants can also help you to install and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can recover rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore software providers to create ProSight Data Protection Services, a portfolio of management offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup operations and allow non-disruptive backup and fast recovery of critical files, applications, images, plus virtual machines. ProSight DPS helps your business avoid data loss resulting from equipment failures, natural calamities, fire, malware such as ransomware, human error, ill-intentioned insiders, or application bugs. Managed backup services in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to determine which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading information security companies to provide centralized management and comprehensive security for all your email traffic. The hybrid structure of Email Guard integrates cloud-based filtering with a local gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based malware. The cloud filter acts as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This reduces your exposure to external attacks and conserves system bandwidth and storage. Email Guard's on-premises gateway device adds a deeper layer of analysis for inbound email. For outgoing email, the local security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Exchange Server to track and protect internal email that stays within your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map, track, enhance and troubleshoot their connectivity appliances such as routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always current, copies and manages the configuration of virtually all devices on your network, monitors performance, and generates alerts when problems are detected. By automating tedious network management activities, ProSight WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, finding appliances that require critical updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management technology to help keep your IT system operating efficiently by checking the state of critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your designated IT management personnel and your Progent consultant so that any potential problems can be addressed before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be ported easily to an alternate hardware environment without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard information about your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSLs or domains. By updating and organizing your network documentation, you can eliminate up to 50% of time thrown away looking for vital information about your network. ProSight IT Asset Management features a common repository for holding and sharing all documents required for managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that utilizes next generation behavior-based machine learning tools to defend endpoints and servers and VMs against new malware attacks like ransomware and email phishing, which routinely get by traditional signature-based AV products. Progent ASM services protect local and cloud resources and offers a single platform to manage the entire threat progression including blocking, identification, containment, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Center: Help Desk Managed Services
    Progent's Help Desk services permit your information technology team to outsource Call Center services to Progent or divide activity for Service Desk support seamlessly between your in-house network support group and Progent's extensive pool of certified IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a seamless extension of your internal network support resources. User interaction with the Service Desk, provision of support services, escalation, ticket generation and tracking, efficiency measurement, and management of the support database are cohesive regardless of whether incidents are resolved by your core IT support staff, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Service Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management provide businesses of all sizes a versatile and affordable alternative for assessing, testing, scheduling, applying, and tracking software and firmware updates to your dynamic IT network. In addition to optimizing the protection and functionality of your computer environment, Progent's software/firmware update management services allow your IT team to focus on line-of-business initiatives and activities that deliver the highest business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to protect against stolen passwords through the use of two-factor authentication. Duo enables single-tap identity verification with iOS, Android, and other personal devices. With Duo 2FA, whenever you log into a protected application and give your password you are requested to confirm your identity on a unit that only you possess and that is accessed using a separate network channel. A wide selection of devices can be utilized as this added means of ID validation such as a smartphone or wearable, a hardware token, a landline telephone, etc. You can designate multiple verification devices. For details about ProSight Duo two-factor identity validation services, see Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of real-time reporting tools designed to work with the leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as inconsistent support follow-up or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For Indianapolis 24/7 CryptoLocker Cleanup Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.