Crypto-Ransomware: Your Feared Information Technology Nightmare
Crypto-Ransomware Remediation Professionals

Ransomware has become a too-frequent cyberplague that poses an enterprise-level danger for any business vulnerable to an attack. Multiple generations of ransomware such as the Reveton, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for many years and continue to cause damage. More recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, plus unnamed malware appearing daily, not only encrypt online data files but also reach and encrypt many of the system backups that remain accessible from the network. Files synced to the cloud can be encrypted as well. In a poorly designed data protection solution, this can render any restoration useless and effectively knock the datacenter back to zero.

Recovering applications and data following a ransomware event becomes a sprint against time as the targeted business struggles to contain the outbreak, clear the malware, and resume mission-critical activity. Because ransomware requires time to spread, attacks are frequently sprung on weekends and holidays, when they are likely to take longer to detect. This compounds the difficulty of rapidly assembling and coordinating a capable response team.

Progent makes available a range of services for securing businesses against ransomware penetrations. Among these are team member education to recognize and avoid falling victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security appliances with artificial intelligence technology from SentinelOne to identify and extinguish zero-day threats rapidly. Progent can also provide the assistance of experienced crypto-ransomware recovery professionals with the skills and commitment to re-deploy a breached system as urgently as possible.

Progent's Ransomware Recovery Support Services
Subsequent to a ransomware attack, even paying the ransom in cryptocurrency does not ensure that the distant criminals will respond with the keys needed to decrypt all your information. Kaspersky found that seventeen percent of ransomware victims never restored their information even after sending off the ransom, resulting in additional losses. The ransom itself is also costly. Ryuk ransoms are often several hundred thousand dollars. For larger organizations, the ransom demand can reach millions. The fallback is to rebuild the key components of your IT environment from scratch. Without the availability of essential system backups, this requires a wide complement of IT skills, well-coordinated project management, and the ability to work 24x7 until the task is over.

For decades, Progent has provided certified expert Information Technology services for businesses throughout the U.S. and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (See Progent's certifications.) Progent also has experience in financial management and ERP application software. This breadth of experience gives Progent the skills to rapidly determine which systems are necessary, consolidate the surviving components of your network environment after a crypto-ransomware attack, and assemble them into a functioning system.

Progent's ransomware team uses top-notch project management applications to coordinate the complex restoration process. Progent appreciates the urgency of working swiftly and together with a client's management and Information Technology resources to prioritize tasks and to put critical systems back on line as fast as possible.

Business Case Study: A Successful Crypto-Ransomware Intrusion Response
A client sought out Progent after their network was taken over by the Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state-sponsored cybercriminals, suspected of adopting techniques leaked from the United States NSA. Ryuk targets specific companies with little tolerance for disruption and is among the most lucrative examples of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company based in the Chicago metro area with around 500 employees. The Ryuk penetration had frozen all business operations and manufacturing capabilities. The majority of the client's backups had been directly accessible from the network at the start of the intrusion and were eventually encrypted. The client was considering paying the ransom (exceeding $200,000) and hoping for the best, but in the end decided to engage Progent.

"I cannot tell you enough about the help Progent gave us throughout the most stressful time of (our) company's existence. We would have had little choice but to pay the cybercriminals if it weren't for the confidence the Progent experts gave us. That you could get our e-mail and production servers back online in less than seven days was earth shattering. Each staff member I talked with or texted at Progent was amazingly focused on getting us restored and was working day and night to bail us out."

Progent worked with the client to rapidly identify and prioritize the essential applications that had to be addressed to make it possible to resume company operations:

  • Active Directory (AD)
  • Electronic Messaging
  • Accounting and Manufacturing Software

To get going, Progent followed industry best practices for malware incident mitigation by halting the spread and cleaning infected systems. Progent then began the process of restoring Microsoft Active Directory, the heart of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not work without Windows AD, and the customer's financial and MRP applications used Microsoft SQL Server, which requires Windows AD for access to the data.

Within 48 hours, Progent was able to restore Windows Active Directory to its pre-attack state. Progent then assisted with rebuilding key servers and recovering data from their hard drives. All Microsoft Exchange Server links and attributes in AD were usable, which accelerated the rebuild of Exchange. Progent was able to collect intact OST files (Microsoft Outlook Offline Data Files) from user desktop computers in order to recover mail messages. A recent offline backup of the client's accounting software made it possible to return these essential services to users. Although a lot of work remained to recover completely from the Ryuk attack, the most important systems were restored rapidly:

"For the most part, the assembly line operation survived unscathed and we made all customer sales."

Over the next couple of weeks key milestones in the restoration project were completed in tight cooperation between Progent consultants and the client:

  • Self-hosted web applications were returned to operation without losing any information.
  • The MailStore Exchange Server containing more than 4 million historical emails was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory Control capabilities were 100 percent restored.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Ninety percent of the user desktops and notebooks were back into operation.

"Much of what transpired that first week is nearly entirely a fog for me, but my team will not soon forget the urgency each of your team accomplished to give us our company back. I have been working together with Progent for the past 10 years, maybe more, and every time I needed help Progent has impressed me and delivered. This time was a stunning achievement."

Conclusion
A potential business extinction catastrophe was averted by hard-working professionals, a wide spectrum of subject matter expertise, and close collaboration. Although in hindsight the ransomware incident described here would have been shut down by modern security technology and security best practices, user training, and properly executed incident response procedures for data backup and for keeping systems current with security patches, the fact is that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incursion, you can be confident that Progent's roster of experts has a proven track record in ransomware blocking, cleanup, and information systems recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for allowing me to get some sleep after we got through the most critical parts. Everyone made an amazing effort, and if any of your guys are around the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Lynnwood a range of online monitoring and security evaluation services designed to help you minimize the threat from crypto-ransomware. These services utilize next-generation AI capability to uncover zero-day strains of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management technology to help keep your IT system running efficiently by tracking the state of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT personnel and your assigned Progent engineering consultant so all looming problems can be addressed before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Desktops
    ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-driven solution for monitoring and managing your client-server infrastructure by offering an environment for streamlining common time-consuming jobs. These can include health monitoring, update management, automated repairs, endpoint setup, backup and recovery, anti-virus protection, remote access, standard and custom scripts, asset inventory, endpoint profile reporting, and troubleshooting assistance. When ProSight LAN Watch with NinjaOne RMM spots a serious problem, it transmits an alert to your designated IT management staff and your assigned Progent consultant so that emerging problems can be fixed before they impact your network. Find out more about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring consulting.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, monitor, reconfigure and debug their connectivity hardware like routers and switches, firewalls, and wireless controllers plus servers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept current, copies and displays the configuration of almost all devices connected to your network, tracks performance, and generates notices when issues are discovered. By automating tedious management processes, WAN Watch can knock hours off common chores like network mapping, reconfiguring your network, locating appliances that require critical software patches, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of real-time reporting tools designed to integrate with the industry's top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues such as spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup software providers to create ProSight Data Protection Services (DPS), a family of subscription-based management offerings that provide backup-as-a-service. ProSight DPS products automate and track your backup processes and allow transparent backup and rapid recovery of vital files, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss caused by hardware failures, natural calamities, fire, cyber attacks like ransomware, user error, malicious insiders, or application glitches. Managed backup services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to determine which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security vendors to deliver centralized management and comprehensive protection for all your email traffic. The powerful architecture of Email Guard integrates a Cloud Protection Layer with an on-premises security gateway appliance to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter serves as a first line of defense and keeps the vast majority of threats from making it to your network firewall. This reduces your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite gateway device adds a deeper layer of analysis for inbound email. For outbound email, the on-premises gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Exchange Server to track and protect internal email traffic that stays inside your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication. Duo supports single-tap identity confirmation on iOS, Android, and other personal devices. Using 2FA, when you log into a protected application and enter your password, you are asked to verify your identity on a device that only you possess and that uses a separate network channel. A broad range of devices can be used for this second means of identity validation, such as an iPhone, an Android phone, a smartwatch, a hardware token, or a landline telephone. You can designate multiple validation devices. To learn more about Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication services for access security.

  • Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
    Progent's Help Desk services allow your IT staff to outsource Support Desk services to Progent or divide responsibilities for support services seamlessly between your in-house network support resources and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless extension of your in-house support resources. Client interaction with the Help Desk, delivery of support, escalation, trouble ticket creation and tracking, performance metrics, and management of the support database are consistent regardless of whether issues are resolved by your core IT support organization, by Progent, or both. Learn more about Progent's outsourced/shared Call Center services.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates next-generation behavior-based analysis tools to guard endpoints as well as physical and virtual servers against new malware attacks such as ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provide a single platform to automate the entire threat progression including filtering, infiltration detection, mitigation, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and cleanup services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and protect information about your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as 50% of the time wasted trying to find vital information about your network. ProSight IT Asset Management features a common location for holding and sharing all documents related to managing your business network, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're making improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Learn more about ProSight IT Asset Management service.

  • Patch Management: Patch Management Services
    Progent's support services for patch management provide businesses of all sizes a flexible and affordable alternative for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic IT network. In addition to optimizing the protection and reliability of your computer environment, Progent's patch management services free up time for your in-house IT team to focus on line-of-business projects and tasks that deliver maximum business value from your network. Find out more about Progent's software/firmware update management services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's next-generation behavioral machine learning technology to guard physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which easily evade traditional signature-matching AV products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to address the complete threat progression including protection, detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to security attacks from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering through cutting-edge technologies incorporated within one agent managed from a unified console. Progent's security and virtualization consultants can help your business design and configure a ProSight ESP environment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with government and industry data security regulations. Progent will help you define and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent's consultants can also help your company install and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

For Lynnwood 24/7 CryptoLocker Cleanup Experts, contact Progent at 800-462-8800 or go to Contact Progent.