Ransomware: Your Worst Information Technology Disaster
Crypto-ransomware has become an escalating cyberplague that poses an enterprise-level danger for organizations unprepared for an assault. Different iterations of crypto-ransomware such as the Dharma, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for years and continue to cause harm. Newer variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with additional unnamed strains, not only encrypt on-line data but also infect most configured system backups. Information replicated to off-site disaster recovery sites can also be encrypted. In a poorly architected environment, this can render any restoration useless and effectively set the entire system back to square one.
Getting services and information back after a crypto-ransomware intrusion becomes a race against the clock as the targeted organization tries its best to stop the spread, eradicate the crypto-ransomware, and restore mission-critical operations. Because crypto-ransomware requires time to replicate, assaults are frequently sprung during weekends and nights, when attacks are likely to take more time to detect. This compounds the difficulty of promptly marshalling and orchestrating a qualified response team.
Progent provides a variety of services for protecting enterprises from ransomware attacks. Among these are team education to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, as well as installation of the latest generation of security gateways with machine learning capabilities from SentinelOne to identify and suppress new cyber attacks automatically. Progent can also provide the services of seasoned ransomware recovery professionals with the track record and perseverance to rebuild a compromised environment as rapidly as possible.
Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom in cryptocurrency does not ensure that merciless criminals will provide the keys to decrypt any of your data. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms are typically several hundred thousand dollars. For larger organizations, the ransom can be in the millions of dollars. The alternative is to set up the key parts of your IT environment from scratch. Without access to full data backups, this calls for a broad complement of IT skills, top-notch team management, and the ability to work 24x7 until the task is completed.
For two decades, Progent has offered professional Information Technology services for companies across the United States and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded top industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications.) Progent also has expertise with financial management and ERP software solutions. This breadth of expertise allows Progent to knowledgeably determine which systems are necessary following a crypto-ransomware attack, integrate the remaining pieces of your IT environment, and assemble them into a functioning network.
Progent's ransomware group uses powerful project management tools to orchestrate the sophisticated recovery process. Progent understands the urgency of acting rapidly and in unison with a client's management and IT team members to assign priority to tasks and to put the most important applications back online as soon as humanly possible.
Customer Story: A Successful Ransomware Incident Recovery
A client escalated to Progent after their network was attacked by the Ryuk ransomware virus. Ryuk is generally considered to have been launched by North Korean state-sponsored criminal gangs, possibly using algorithms leaked from the U.S. National Security Agency. Ryuk attacks specific businesses with little or no room for operational disruption and is among the most profitable iterations of ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company located in Chicago with about 500 staff members. The Ryuk intrusion had frozen all company operations and manufacturing capabilities. The majority of the client's backups had been on-line at the start of the attack and were damaged. The client was taking steps toward paying the ransom (exceeding $200K) and hoping for good luck, but in the end reached out to Progent.
"I can't thank you enough for the expertise Progent provided us throughout the most stressful time of (our) company's survival. We may have had to pay the cybercriminals if it wasn't for the confidence the Progent experts afforded us. The fact that you could get our e-mail system and critical servers back in less than a week was beyond my wildest dreams. Each expert I interacted with or communicated with at Progent was laser focused on getting my company operational and was working all day and night on our behalf."
Progent worked together with the customer to quickly determine and prioritize the most important services that needed to be restored to make it possible to resume business functions:
- Windows Active Directory
- Electronic Messaging
- Financials/MRP
To start, Progent followed anti-virus incident response best practices by halting the spread and disinfecting systems. Progent then began the work of restoring Microsoft Active Directory, the foundation of enterprise environments built on Microsoft technology. Microsoft Exchange messaging will not function without Active Directory, and the client's MRP applications relied on Microsoft SQL Server, which in this environment depended on Active Directory for authenticated access to the data.
In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then initiated rebuilding and storage recovery on essential systems. All Exchange schema and attributes were usable, which greatly helped the restore of Exchange. Progent was able to collect local OST data files (Outlook Offline Folder Files) from various desktop computers to recover mail data. A fairly recent offline backup of the client's manufacturing software made it possible to bring these essential programs back online. Although a large amount of work remained to recover fully from the Ryuk virus, the most important services were recovered quickly:
"For the most part, the manufacturing operation did not miss a beat and we made all customer deliverables."
Over the next month, important milestones in the recovery project were reached through close collaboration between Progent engineers and the customer:
- Self-hosted web sites were returned to operation with no loss of data.
- The MailStore Server with over 4 million archived emails was spun up and accessible to users.
- CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were 100% operational.
- A new Palo Alto 850 firewall was brought online.
- Most of the desktop computers were back in use by staff.
"A huge amount of what occurred during the initial response is nearly entirely a blur for me, but our team will not forget the countless hours all of you accomplished to help get our company back. I've utilized Progent for at least 10 years, maybe more, and every time Progent has shined and delivered as promised. This time was a life saver."
Conclusion
A likely business-killing disaster was averted with results-oriented professionals, a wide array of IT skills, and close collaboration. In hindsight, the ransomware attack described here would have been stopped by up-to-date security systems and recognized best practices: user education, well thought out procedures for information backup, and keeping systems current with security patches. The fact remains that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and will keep attacking. If you do fall victim to a crypto-ransomware penetration, remember that Progent's roster of professionals has a proven track record in crypto-ransomware virus blocking, remediation, and file recovery.
"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for making it so I could get some sleep after we made it past the initial fire. All of you did an impressive job, and if anyone that helped is around the Chicago area, dinner is on me!"
To read or download a PDF version of this ransomware incident report, see Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Aurora a portfolio of remote monitoring and security evaluation services designed to assist you to minimize the threat from ransomware. These services incorporate modern artificial intelligence technology to uncover zero-day variants of crypto-ransomware that are able to evade legacy signature-based security products.
- ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network running at peak levels by tracking the health of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management staff and your assigned Progent engineering consultant so that any potential problems can be addressed before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.
- ProSight LAN Watch with NinjaOne RMM: Unified RMM for Networks, Servers, and Workstations
ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-driven solution for monitoring and managing your client-server infrastructure by providing an environment for streamlining common tedious tasks. These include health monitoring, update management, automated remediation, endpoint deployment, backup and recovery, A/V defense, secure remote access, built-in and custom scripts, asset inventory, endpoint status reports, and debugging support. If ProSight LAN Watch with NinjaOne RMM uncovers a serious incident, it sends an alert to your designated IT management staff and your Progent technical consultant so emerging issues can be fixed before they impact productivity. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring consulting.
- ProSight WAN Watch: Network Infrastructure Management
ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map out, monitor, reconfigure and debug their networking appliances like routers, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are always updated, copies and displays the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when problems are detected. By automating time-consuming management and troubleshooting activities, WAN Watch can cut hours off ordinary chores such as network mapping, expanding your network, locating devices that need important updates, or identifying the cause of performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.
- ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
ProSight Reporting is an expanding suite of real-time management reporting tools designed to integrate with the industry's top ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-through or machines with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
- ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
Progent has worked with advanced backup/restore technology companies to create ProSight Data Protection Services (DPS), a family of offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup processes and allow transparent backup and rapid recovery of critical files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you protect against data loss caused by hardware failures, natural calamities, fire, cyber attacks like ransomware, user error, ill-intentioned employees, or application bugs. Managed backup services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these managed services are most appropriate for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security companies to provide web-based management and comprehensive protection for your email traffic. The powerful structure of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based malware. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a deeper layer of analysis for inbound email. For outbound email, the on-premises gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server in monitoring and protecting internal email that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
Progent's Duo authentication services incorporate Cisco's Duo technology to protect against compromised passwords by using two-factor authentication (2FA). Duo enables one-tap identity verification with iOS, Android, and other out-of-band devices. With Duo 2FA, when you log into a protected online account and enter your password, you are asked to confirm your identity on a device that only you possess and that is reached over a different ("out-of-band") network channel. A wide range of out-of-band devices can be used for this second means of authentication, including a smartphone or wearable, a hardware/software token, or a landline phone. You may designate several validation devices. To learn more about Duo identity validation services, go to Cisco Duo MFA two-factor authentication services.
- Progent's Outsourced/Shared Call Center: Help Desk Managed Services
Progent's Call Center services enable your IT group to offload Help Desk services to Progent or divide responsibilities for support services transparently between your in-house support staff and Progent's nationwide roster of IT service engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless extension of your core support group. User interaction with the Help Desk, provision of support services, problem escalation, ticket generation and updates, performance measurement, and management of the support database are cohesive regardless of whether issues are taken care of by your corporate network support group, by Progent's team, or by a combination. Read more about Progent's outsourced/co-managed Service Desk services.
- Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based machine learning tools to guard endpoint devices as well as physical and virtual servers against new malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-matching AV products. Progent Active Security Monitoring services safeguard on-premises and cloud resources and offer a unified platform to automate the complete malware attack lifecycle, including protection, identification, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows VSS and real-time network-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard information about your network infrastructure, processes, business apps, and services. You can instantly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and organizing your IT infrastructure documentation, you can eliminate up to half of the time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require as soon as you need it. Read more about ProSight IT Asset Management service.
- Progent's Patch Management: Patch Management Services
Progent's support services for patch management provide businesses of any size a versatile and affordable alternative for assessing, validating, scheduling, implementing, and tracking updates to your ever-evolving IT system. In addition to optimizing the security and functionality of your IT network, Progent's software/firmware update management services free up time for your IT staff to concentrate on line-of-business initiatives and activities that derive the highest business value from your network. Find out more about Progent's software/firmware update management support services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved easily to a different hardware solution without a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more about ProSight Virtual Hosting services.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's cutting edge behavior analysis technology to defend physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which easily evade traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to address the entire threat progression including protection, identification, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.
- ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge tools incorporated within one agent accessible from a unified console. Progent's security and virtualization experts can assist you to design and implement a ProSight ESP deployment that addresses your organization's unique requirements and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will assist you in defining and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent attention. Progent's consultants can also help you to set up and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.
For Aurora 24x7x365 Crypto Recovery Consultants, contact Progent at 800-462-8800 or go to Contact Progent.