Crypto-Ransomware : Your Crippling IT Catastrophe
Ransomware Remediation Professionals
Ransomware has become a modern cyberplague that represents an existential threat for organizations poorly prepared for an attack. Versions of ransomware such as Dharma, Fusob, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for years and continue to inflict harm. The latest variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Lockbit or Egregor, along with more unnamed viruses, not only encrypt on-line files but also infiltrate many configured system backups. Information synchronized to the cloud can also be encrypted. In a poorly architected environment, this can make any restoration hopeless and basically knocks the entire system back to square one.

Recovering services and information following a crypto-ransomware intrusion becomes a sprint against the clock as the targeted business struggles to stop lateral movement, eradicate the ransomware, and restore mission-critical activity. Because ransomware needs time to move laterally, attacks are often sprung during nights and weekends, when successful penetrations may take longer to identify. This compounds the difficulty of rapidly marshalling and coordinating a knowledgeable mitigation team.

Progent provides a variety of support services for securing businesses from ransomware attacks. Among these are user training to help staff recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security appliances with AI technology to automatically detect and disable zero-day cyber threats. Progent also offers the services of expert ransomware recovery professionals with the skills and commitment to restore a breached system as soon as possible.

Progent's Ransomware Recovery Help
After a ransomware event, even paying the ransom in Bitcoin provides no assurance that the remote criminals will hand over the keys needed to decrypt any of your files. Kaspersky ascertained that 17% of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The ransom itself is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The alternative is to rebuild the essential parts of your IT environment from scratch. Without access to essential data backups, this calls for a broad complement of skills, professional project management, and the capability to work non-stop until the job is finished.

For twenty years, Progent has offered professional IT services for companies in Spokane and throughout the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned high-level certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-renowned industry certifications including CISM, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial systems and ERP applications. This breadth of experience gives Progent the capability to efficiently identify the important systems, re-organize the remaining parts of your computer network environment after a ransomware penetration, and configure them into a functioning system.

Progent's recovery team utilizes state-of-the-art project management systems to orchestrate the complex restoration process. Progent appreciates the importance of acting swiftly and together with a customer's management and IT staff to assign priority to tasks and to get essential applications back online as soon as humanly possible.

Customer Case Study: A Successful Ransomware Penetration Recovery
A business sought out Progent after their organization was attacked by Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean government sponsored hackers, possibly using technology leaked from America's National Security Agency. Ryuk targets specific companies with little or no ability to sustain disruption and is one of the most lucrative iterations of ransomware viruses. Notable victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago with around 500 employees. The Ryuk penetration had paralyzed all essential operations and manufacturing capabilities. The majority of the client's backups had been online at the start of the intrusion and were destroyed. The client considered paying the ransom (exceeding $200,000) and hoping for good luck, but in the end called Progent.


"I can't thank you enough in regards to the expertise Progent gave us during the most critical time of (our) company's life. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent group provided us. That you were able to get our messaging and key servers back quicker than a week was earth shattering. Every single expert I spoke to or messaged at Progent was totally committed on getting us restored and was working all day and night to bail us out."

Progent worked with the client to rapidly determine and prioritize the critical elements that had to be recovered to make it possible to continue departmental functions:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP

To begin, Progent followed incident response best practices by stopping lateral movement and removing the malware. Progent then started the work of recovering Windows Active Directory, the core of enterprise systems built on Microsoft technology. Microsoft Exchange Server email will not operate without Windows AD, and the business's MRP system utilized SQL Server, which depends on Windows AD for access to the databases.

In less than 48 hours, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then completed rebuilding and hard drive recovery of key servers. All Exchange links and configuration information were intact, which facilitated the restore of Exchange. Progent was able to assemble non-encrypted OST files (Outlook Email Offline Data Files) from staff desktop computers to recover mail messages. A reasonably recent offline backup of the customer's accounting software made it possible to return these vital applications to users. Although major work remained to recover fully from the Ryuk attack, essential systems were returned to operation quickly:


"For the most part, the manufacturing operation showed little impact and we produced all customer orders."

During the following month key milestones in the recovery project were accomplished in tight cooperation between Progent consultants and the client:

  • Internal web applications were restored with no loss of information.
  • The MailStore Exchange Server, holding more than 4 million historical messages, was brought online and made accessible to users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory Control capabilities were fully operational.
  • A new Palo Alto Networks 850 firewall was installed.
  • Ninety percent of the user desktops were fully operational.

"A huge amount of what happened during the initial response is nearly entirely a blur for me, but I will not soon forget the urgency all of the team put in to help get our business back. I've entrusted Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This event was a testament to your capabilities."

Conclusion
A possible business catastrophe was averted by hard-working professionals, a broad spectrum of technical expertise, and tight collaboration. Although in post mortem analysis the crypto-ransomware incident described here could have been shut down with modern security systems and NIST Cybersecurity Framework best practices, user training, and appropriate security procedures for data backup and proper patching controls, the reality remains that state-sponsored hackers from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's team of professionals has extensive experience in ransomware virus defense, remediation, and file restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for letting me get some sleep after we made it over the initial fire. Everyone did an amazing job, and if any of your guys are visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Spokane a range of online monitoring and security evaluation services to assist you to reduce your vulnerability to ransomware. These services incorporate next-generation AI capability to detect new strains of crypto-ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based analysis tools to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and fileless exploits, which easily escape traditional signature-based anti-virus tools. ProSight ASM protects local and cloud resources and offers a unified platform to address the entire malware attack lifecycle including protection, infiltration detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against new attacks. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer economical multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and responding to security threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering through cutting-edge technologies packaged within one agent accessible from a unified console. Progent's data protection and virtualization experts can assist you to design and implement a ProSight ESP deployment that addresses your company's unique needs and that allows you to demonstrate compliance with legal and industry information security standards. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent's consultants can also help you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent offer small and mid-sized organizations a low cost end-to-end service for secure backup/disaster recovery. For a fixed monthly price, ProSight Data Protection Services automates and monitors your backup processes and allows fast restoration of critical files, apps and VMs that have become lost or damaged as a result of hardware failures, software glitches, natural disasters, human mistakes, or malware attacks such as ransomware. ProSight DPS can help you back up, retrieve and restore files, folders, applications, system images, plus Microsoft Hyper-V and VMware virtual machine images. Important data can be backed up to the cloud, to an on-premises device, or to both. Progent's backup and recovery specialists can provide world-class support to set up ProSight DPS to comply with government and industry regulatory requirements such as HIPAA, FINRA, and PCI and, whenever necessary, can assist you to restore your critical data. Learn more about ProSight DPS Managed Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security vendors to deliver centralized management and world-class protection for your email traffic. The hybrid architecture of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of threats from making it to your security perimeter. This reduces your vulnerability to external threats and conserves system bandwidth and storage. Email Guard's onsite security gateway device adds a deeper layer of inspection for inbound email. For outbound email, the local security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to monitor and protect internal email that originates and ends inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to diagram, track, reconfigure and debug their connectivity appliances such as routers and switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Using state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology diagrams are kept updated, copies and manages the configuration of almost all devices on your network, tracks performance, and sends notices when issues are discovered. By automating complex network management processes, WAN Watch can knock hours off common tasks such as network mapping, reconfiguring your network, finding devices that need important updates, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network running efficiently by tracking the health of the vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT management staff and your assigned Progent consultant so any potential problems can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host configured and managed by Progent's IT support experts. With the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Since the environment is virtualized, it can be ported easily to an alternate hosting solution without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect information about your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save up to half the time spent looking for vital information about your IT network. ProSight IT Asset Management features a common location for storing and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

For Spokane 24x7 CryptoLocker Cleanup Experts, contact Progent at 800-993-9400 or go to Contact Progent.