Crypto-Ransomware: Your Worst IT Disaster
Crypto-ransomware has become a modern cyberplague and an existential threat to businesses of any size that are unprepared for an attack. Established families such as CrySIS, CryptoWall, Locky, SamSam and the MongoLock cryptoworm have been circulating for years and still wreak havoc. Newer strains like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with as-yet-unnamed malware that appears daily, not only encrypt online data but also seek out and encrypt every system backup they can reach. Data replicated to the cloud can be encrypted as well. In a poorly architected data protection solution, this renders automated restore operations useless and effectively sets the entire environment back to zero.
Restoring services and data after a crypto-ransomware outage becomes a race against time as the victim struggles to contain and clean up the infection while resuming business-critical operations. Because ransomware takes time to spread, attacks are often launched at night or on weekends, when they are likely to go undetected longer. This makes it even harder to mobilize and organize an experienced response team quickly.
Progent provides a range of services for protecting businesses from ransomware. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security tools with machine learning capabilities from SentinelOne to identify and stop new attacks quickly. Progent also provides veteran ransomware recovery engineers with the track record and commitment to bring a breached network back online as quickly as possible.
Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware attack, even paying the ransom in cryptocurrency is no guarantee that the remote criminals will hand over working keys to decrypt all of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000), far higher than the typical ransomware demand, which ZDNet puts at around $13,000. The alternative is to rebuild the vital elements of your IT environment from scratch. Without usable system backups, this requires a broad set of skills, well-coordinated project management, and the capacity to work 24x7 until the job is done.
For decades, Progent has provided certified IT consulting services to companies in Napa and throughout the U.S., and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants holding advanced certifications in key technologies from Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity engineers hold internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of expertise gives Progent the skills to quickly identify critical systems, organize the surviving components of your IT environment after a ransomware attack, and rebuild them into a working system.
Progent's recovery group deploys state-of-the-art project management systems to orchestrate the complicated recovery process. Progent knows the importance of acting rapidly and in unison with a customer's management and Information Technology team members to assign priority to tasks and to put key systems back online as soon as humanly possible.
Client Story: A Successful Ransomware Attack Recovery
A customer hired Progent after its network was compromised by Ryuk crypto-ransomware. Ryuk is generally believed to have been developed by North Korean government-sponsored criminal groups, suspected of using techniques leaked from the U.S. National Security Agency. Ryuk targets organizations that can tolerate little or no operational disruption and is one of the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company in the Chicago metro area with about 500 employees. The Ryuk attack had shut down all essential business and manufacturing processes. Most of the client's backups had been online at the time of the attack and were encrypted. The client was preparing to pay the ransom (in excess of $200,000) and hoping for the best, but ultimately brought in Progent.
"I cannot speak enough about the expertise Progent gave us during the most critical period of (our) company's survival. We would have had little choice but to pay the cyber criminals behind the attack if it weren't for the confidence the Progent experts gave us. That you were able to get our messaging and critical applications back into operation in less than five days was incredible. Each expert I spoke to or messaged at Progent was totally committed to getting my company operational and was working day and night to bail us out."
Progent worked with the client to rapidly identify and prioritize the most important services that had to be recovered in order to restart departmental operations:
- Active Directory (AD)
- Electronic Messaging
- Accounting and Manufacturing Software
To begin, Progent followed industry best practices for malware incident response by isolating and cleaning compromised systems. Progent then started rebuilding Microsoft Active Directory, the foundation of enterprise environments built on Microsoft Windows Server. Microsoft Exchange email will not operate without Windows AD, and the customer's MRP system relied on Microsoft SQL Server, which depends on Active Directory for authentication and authorization to the database.
Within two days, Progent had restored Active Directory to its pre-attack state. Progent then assisted with reinstallations and storage recovery on essential systems. The Microsoft Exchange Server schema and attributes in AD were all intact, which simplified the restoration of Exchange. Progent was also able to locate intact OST files (Microsoft Outlook Offline Data Files) on various workstations and laptops and use them to recover mail. A reasonably recent offline backup of the client's accounting systems made it possible to bring these vital applications back online. Although significant work remained to recover fully from the Ryuk damage, critical systems were returned to operation quickly:
"For the most part, the production manufacturing operation never missed a beat and we made all customer deliverables."
Over the following weeks, further milestones in the recovery were reached in close cooperation between Progent's team and the customer:
- Internal web sites were restored without losing any data.
- The MailStore archive for Microsoft Exchange Server, holding more than 4 million archived emails, was restored to operation and made available to users.
- CRM, order entry, invoicing, accounts payable (AP), accounts receivable (AR) and inventory functions were 100% functional.
- A new Palo Alto Networks 850 firewall was deployed.
- Most of the user PCs were back in operation.
"A huge amount of what transpired in the initial days is mostly a haze for me, but our team will not soon forget the dedication each of the team showed to give us our company back. I've been working with Progent for the past ten years, maybe more, and every time Progent has shined and delivered as promised. This time was a Herculean accomplishment."
A likely business disaster was averted by results-oriented professionals, a wide range of expertise, and close collaboration. In retrospect, the crypto-ransomware attack described here should have been detected and stopped by advanced security technology and best practices: staff training, well-thought-out incident response procedures, offline data backups, and keeping systems current with security patches. The reality, however, is that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and represent an ongoing threat. If you are hit by a crypto-ransomware attack, you can be confident that Progent's roster of professionals has substantial experience in ransomware defense, remediation, and data recovery.
"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for making it so I could get rested after we made it past the first week. Everyone made an amazing effort, and if any of you guys are visiting the Chicago area, dinner is on me!"
To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)
Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Napa a variety of remote monitoring and security assessment services designed to help you reduce the threat from ransomware. These services use machine learning to detect zero-day strains of ransomware that slip past traditional signature-based anti-virus solutions.
For 24x7x365 ransomware cleanup consulting in Napa, call Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses SentinelOne's behavior-based machine learning technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud resources and offers a single platform to automate the full malware attack lifecycle: filtering, detection, containment, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
ProSight Enhanced Security Protection (ESP) services offer economical in-depth security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and respond to attacks from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering through tools incorporated in a single agent managed from a unified console. Progent's security and virtualization experts can help you design and implement a ProSight ESP environment that addresses your organization's specific needs and lets you demonstrate compliance with government and industry data security regulations. Progent will assist you in specifying and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent can also help your company install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
Progent has worked with leading backup/restore software providers to create ProSight Data Protection Services (DPS), a family of management outsourcing plans that provide backup-as-a-service. ProSight DPS services manage and track your data backup processes and enable transparent backup and rapid recovery of vital files/folders, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS lets you recover from data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks like ransomware, human error, malicious insiders, or software bugs. Managed backup services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these managed services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service, built on the infrastructure of leading data security vendors to deliver centralized management and strong protection for all your inbound and outbound email. Email Guard's architecture combines cloud-based filtering with a local gateway appliance to defend against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter acts as the first barrier and stops the vast majority of threats before they reach your network firewall, reducing your exposure to inbound attacks and saving bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper layer of analysis for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also work with Microsoft Exchange Server to monitor and protect internal email traffic that originates and terminates inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map, monitor, optimize and troubleshoot their networking appliances like routers and switches, firewalls, and load balancers plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are kept updated, captures and displays the configuration information of virtually all devices on your network, tracks performance, and generates notices when potential issues are detected. By automating time-consuming management activities, WAN Watch can knock hours off common chores like network mapping, reconfiguring your network, finding devices that require important software patches, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management consulting.
- ProSight LAN Watch: Server and Desktop Remote Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating efficiently by tracking the state of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT staff and your Progent consultant so all potential issues can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.
- ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a fast virtual host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved immediately to alternate hardware without a lengthy and technically risky reconfiguration. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect information about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates, domains, or warranties. By cleaning up and organizing your network documentation, you can save as much as 50% of the time spent searching for vital information about your network. ProSight IT Asset Management provides a central location for storing and collaborating on all the documents required to manage your business network, such as standard operating procedures and how-to guides. It also supports advanced automation for collecting and correlating IT data. Whether you're making improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.
- Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that uses next-generation behavior analysis to guard endpoints, servers and VMs against modern malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-based AV tools. Progent ASM services protect on-premises and cloud-based resources and provide a unified platform to address the entire malware attack lifecycle: blocking, intrusion detection, containment, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and recovery services.
- Outsourced/Co-managed Service Center: Help Desk Managed Services
Progent's Call Center managed services enable your information technology staff to outsource Help Desk services to Progent or divide activity for Service Desk support seamlessly between your in-house support team and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a transparent supplement to your core support staff. User interaction with the Service Desk, provision of support services, problem escalation, ticket creation and tracking, performance metrics, and management of the service database are consistent regardless of whether issues are taken care of by your in-house IT support organization, by Progent, or by a combination. Read more about Progent's outsourced/co-managed Help Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for patch management offer businesses of any size a flexible and affordable alternative for evaluating, testing, scheduling, applying, and tracking updates to your ever-evolving IT system. Besides maximizing the security and reliability of your IT network, Progent's patch management services allow your IT team to concentrate on line-of-business initiatives and tasks that deliver maximum business value from your network. Read more about Progent's patch management services.
- ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo authentication services incorporate Cisco's Duo cloud technology to defend against stolen passwords through two-factor authentication (2FA). Duo supports one-tap identity confirmation on iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you log into a protected application and enter your password, you are asked to confirm your identity using a device that only you possess and that is reached over a separate ("out-of-band") network channel. A wide range of devices can serve as this second factor, such as an iPhone, Android phone or smartwatch, a hardware or software token, or a landline phone. You can register several verification devices. To find out more about ProSight Duo identity validation services, see Duo MFA two-factor authentication services for access security.