Crypto-Ransomware : Your Crippling IT Catastrophe
Ransomware Remediation Professionals

Ransomware has become a modern cyber pandemic that represents an existential danger for businesses poorly prepared for an attack. Versions of ransomware like the CrySIS, WannaCry, Locky, SamSam and MongoLock cryptoworms have been out in the wild for years and still cause damage. More recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, plus additional as yet unnamed newcomers, not only encrypt online data files but also infiltrate all reachable system backups. Data replicated to the cloud can also be encrypted. In a poorly designed data protection solution, this can render automated restoration hopeless and basically sets the network back to zero.

Getting services and information back online after a crypto-ransomware intrusion becomes a race against the clock as the targeted business struggles to stop lateral movement, clear the crypto-ransomware and resume enterprise-critical operations. Because ransomware takes time to replicate, penetrations are frequently launched during nights and weekends, when they tend to take longer to identify. This multiplies the difficulty of rapidly marshalling and coordinating a capable response team.

Progent has an assortment of help services for protecting organizations from ransomware events. Among these are user training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation security gateways with AI capabilities from SentinelOne to detect and extinguish zero-day threats automatically. Progent also can provide the assistance of veteran crypto-ransomware recovery professionals with the track record and commitment to reconstruct a breached network as rapidly as possible.

Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware penetration, even paying the ransom demand in Bitcoin cryptocurrency does not provide any assurance that the attackers will return the keys to decrypt all your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to piece back together the vital components of your IT environment. Absent access to essential system backups, this requires a broad complement of skill sets, top notch team management, and the ability to work 24x7 until the task is over.

For twenty years, Progent has made available professional Information Technology services for companies in Milwaukee and throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have been awarded advanced industry certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity engineers have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of expertise affords Progent the capability to quickly identify important systems, organize the surviving parts of your IT environment after a ransomware penetration, and rebuild them into an operational network.

Progent's security team has top notch project management applications to orchestrate the complicated recovery process. Progent knows the urgency of acting swiftly and together with a customer's management and Information Technology team members to assign priority to tasks and to get key services back on line as fast as possible.

Client Story: A Successful Crypto-Ransomware Intrusion Response
A client sought out Progent after their network was crippled by Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored cybercriminals, suspected of adopting technology leaked from America's National Security Agency. Ryuk attacks specific companies with limited room for operational disruption and is one of the most profitable incarnations of ransomware. Prominent victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer based in Chicago with around 500 workers. The Ryuk attack had frozen all essential operations and manufacturing capabilities. Most of the client's backup data had been on-line at the time of the attack and was encrypted. The client considered paying the ransom demand (more than $200K) and hoping for the best, but ultimately brought in Progent.

"I cannot speak enough about the expertise Progent provided us during the most fearful period of (our) business's existence. We may have had to pay the cyber criminals if not for the confidence the Progent team afforded us. The fact that you could get our messaging and essential servers back online faster than seven days was something I thought impossible. Every single staff member I got help from or messaged at Progent was urgently focused on getting my company operational and was working all day and night on our behalf."

Progent worked with the client to quickly assess and prioritize the most important applications that needed to be recovered to make it possible to restart company functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Financials/MRP

To start, Progent adhered to ransomware incident response industry best practices by halting the spread and cleaning up infected systems. Progent then initiated the work of recovering Windows Active Directory, the core of enterprise environments built upon Microsoft technology. Microsoft Exchange Server email will not work without AD, and the business's accounting and MRP applications used Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the database.

Within 48 hours, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then assisted with setup and storage recovery of mission critical systems. All Exchange schema and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to recover mail messages from unencrypted OST files (Microsoft Outlook Offline Data Files) on staff PCs. A recent off-line backup of the client's accounting systems made it possible to bring these vital programs back on-line. Although a lot of work still had to be done to recover totally from the Ryuk attack, core services were returned to operation quickly:

"For the most part, the production line operation showed little impact and we delivered all customer sales."

Throughout the next few weeks important milestones in the restoration project were achieved through close cooperation between Progent consultants and the customer:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore Server with over four million historical emails was brought on-line and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory functions were 100% restored.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Nearly all of the user desktops were back into operation.

"So much of what went on during the initial response is mostly a fog for me, but my management will not soon forget the dedication each and every one of the team showed to help get our company back. I've been working together with Progent for the past 10 years, maybe more, and each time Progent has shined and delivered. This event was a testament to your capabilities."

Conclusion
A potential business-ending catastrophe was averted thanks to hard-working professionals, a broad spectrum of technical expertise, and tight teamwork. In hindsight, the crypto-ransomware penetration detailed here should have been identified and stopped by up-to-date cyber security systems and security best practices, user training, and well thought out incident response procedures for data protection and applying software patches. The fact remains, however, that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to a crypto-ransomware penetration, remember that Progent's roster of professionals has substantial experience in crypto-ransomware defense, removal, and data restoration.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), thank you for letting me get rested after we made it over the initial fire. Everyone did an impressive job, and if any of your team is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Milwaukee a variety of remote monitoring and security assessment services to help minimize your vulnerability to ransomware. These services include next-generation machine learning technology to detect zero-day variants of ransomware that can get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which easily evade traditional signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to automate the complete threat lifecycle: blocking, infiltration detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver economical in-depth security for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via leading-edge tools incorporated within one agent accessible from a unified console. Progent's data protection and virtualization experts can help you to design and configure a ProSight ESP environment that meets your company's specific needs and that helps you achieve and demonstrate compliance with government and industry data protection standards. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent action. Progent can also help you to set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup/restore software companies to create ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup processes and enable transparent backup and fast restoration of vital files/folders, apps, images, plus virtual machines. ProSight DPS lets you avoid data loss caused by hardware breakdown, natural calamities, fire, cyber attacks like ransomware, user mistakes, ill-intentioned employees, or software glitches. Managed backup services available in the ProSight Data Protection Services product family include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security vendors to provide centralized management and comprehensive security for your email traffic. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and blocks most unwanted email from reaching your network firewall. This decreases your vulnerability to inbound threats and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance provides a further layer of analysis for incoming email. For outbound email, the onsite gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also assist Exchange Server to monitor and safeguard internal email that originates and ends within your corporate firewall. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to map out, monitor, reconfigure and debug their networking hardware like switches, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, copies and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when potential issues are detected. By automating complex management processes, WAN Watch can knock hours off common tasks such as network mapping, expanding your network, finding appliances that require important software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to help keep your network operating at peak levels by checking the state of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your specified IT management staff and your Progent engineering consultant so that potential problems can be addressed before they disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting solution without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect information related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as 50% of the time spent trying to find vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection solution that utilizes behavior-based machine learning tools to defend endpoint devices, servers and VMs against new malware attacks like ransomware and email phishing, which easily evade traditional signature-matching AV tools. Progent ASM services protect local and cloud-based resources and provide a unified platform to automate the complete threat lifecycle including blocking, identification, mitigation, remediation, and forensics. Key features include single-click rollback with Windows VSS and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
    Progent's Support Desk services enable your information technology staff to offload Call Center services to Progent or divide activity for Help Desk services seamlessly between your internal support staff and Progent's nationwide roster of IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless supplement to your core IT support group. Client interaction with the Help Desk, provision of support, escalation, trouble ticket generation and updates, performance metrics, and maintenance of the support database are cohesive regardless of whether issues are taken care of by your core network support resources, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide businesses of any size a flexible and affordable solution for assessing, testing, scheduling, implementing, and documenting updates to your ever-evolving information network. Besides maximizing the protection and reliability of your computer network, Progent's patch management services free up time for your in-house IT team to focus on more strategic initiatives and tasks that derive maximum business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication managed services utilize Cisco's Duo technology to defend against compromised passwords by using two-factor authentication. Duo supports one-tap identity verification on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a protected online account and enter your password, you are asked to confirm your identity via a device that only you possess and that is reached over a separate network channel. A wide range of devices can be used for this second form of authentication, such as a smartphone or wearable, a hardware token, or a landline phone. You can designate multiple validation devices. For details about ProSight Duo identity authentication services, visit Duo MFA two-factor authentication services.

For 24/7/365 Milwaukee Ransomware Remediation Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.