Crypto-Ransomware : Your Crippling IT Disaster
Ransomware Remediation Professionals
Ransomware has become a modern cyber pandemic that poses an enterprise-level threat to any organization vulnerable to an attack. Versions of crypto-ransomware such as Dharma, WannaCry, Locky, SamSam and MongoLock cryptoworms have been running rampant for years and continue to inflict harm. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, as well as additional unnamed viruses, not only encrypt on-line data but also infect any reachable system backup. Data synched to the cloud can also be ransomed. In a vulnerable environment, this can make automated restore operations impossible and effectively sets the network back to zero.

Getting on-line services and information back after a ransomware attack becomes a sprint against time as the targeted business struggles to stop the spread, clear the ransomware, and restore mission-critical operations. Because ransomware takes time to move laterally, attacks are often launched on weekends and holidays, when they tend to take longer to discover. This compounds the difficulty of rapidly marshalling and orchestrating a knowledgeable mitigation team.

Progent provides an assortment of services for protecting enterprises from ransomware attacks. These include staff education to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security gateways with AI capabilities from SentinelOne to detect and suppress zero-day threats intelligently. Progent also offers the services of veteran crypto-ransomware recovery consultants with the track record and commitment to restore a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
After a ransomware penetration, paying the ransom in Bitcoin cryptocurrency does not ensure that the criminal gangs will return the keys to decrypt any or all of your files. Kaspersky Labs estimated that seventeen percent of crypto-ransomware victims never recovered their information after having paid the ransom, resulting in additional losses. The ransom itself is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to rebuild the key elements of your Information Technology environment. Without complete system backups, this calls for a broad complement of skill sets, professional project management, and the ability to work continuously until the job is done.

For two decades, Progent has provided expert Information Technology services for companies in Montreal and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained top certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of experience gives Progent the capability to quickly identify critical systems, reassemble the surviving parts of your network following a ransomware event, and configure them into an operational network.

Progent's recovery group uses powerful project management tools to orchestrate the complicated recovery process. Progent appreciates the urgency of working swiftly and in unison with a customer's management and Information Technology staff to prioritize tasks and to get key systems back on-line as fast as humanly possible.

Case Study: A Successful Ransomware Virus Restoration
A client escalated to Progent after their company was attacked by Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state-sponsored hackers, suspected of using techniques leaked from the U.S. NSA. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most lucrative incarnations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business headquartered in Chicago with about 500 workers. The Ryuk penetration had shut down all essential operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the start of the intrusion and were encrypted. The client considered paying the ransom demand (in excess of $200,000) and hoping for the best, but in the end reached out to Progent.


"I cannot speak enough in regards to the support Progent provided us during the most fearful time of (our) business's existence. We had little choice but to pay the criminal gangs if not for the confidence the Progent group afforded us. That you were able to get our e-mail system and key applications back into operation sooner than one week was earth shattering. Every single staff member I interacted with or texted at Progent was urgently focused on getting us restored and was working 24 by 7 to bail us out."

Progent worked with the customer to quickly assess and prioritize the mission critical areas that had to be addressed in order to continue company functions:

  • Windows Active Directory
  • E-Mail
  • Accounting/MRP
To start, Progent followed anti-virus incident mitigation best practices by stopping the spread and cleaning up infected systems. Progent then began rebuilding Windows Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Exchange messaging will not function without Active Directory, and the customer's accounting and MRP system used Microsoft SQL Server, which relies on Active Directory to authorize access to the data.

In less than two days, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then performed reinstallations and hard drive recovery of key systems. All Exchange connections and configuration information were intact, which greatly helped the restoration of Exchange. Progent was able to collect non-encrypted OST files (Outlook Email Offline Data Files) from various PCs in order to recover mail data. A fairly recent off-line backup of the business's accounting software made it possible to bring these essential applications back online for users. Although significant work remained to recover fully from the Ryuk event, core systems were restored rapidly:


"For the most part, the production operation showed little impact and we did not miss any customer orders."
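The OST salvage step described in the case study (harvesting non-encrypted Outlook offline data files from workstations) depends on telling intact files from encrypted ones quickly. The following Python triage script is an added example, not Progent's tooling or anything from the case study; it assumes only the MS-PST file format's "!BDN" header magic and uses a constructed in-memory sample rather than real files.

```python
"""Triage Outlook offline data files (.ost/.pst) after a ransomware incident.

Added example, not part of the original case study or Progent's tooling.
An intact Outlook data file starts with the "!BDN" magic bytes defined in the
MS-PST file format; a file overwritten by crypto-ransomware loses that header
and its first kilobytes look like uniformly random data (high Shannon entropy).
"""
import math
import os
from collections import Counter

OUTLOOK_MAGIC = b"!BDN"   # dwMagic at offset 0 of every PST/OST header (MS-PST)
SAMPLE_BYTES = 4096       # how much of the file header to inspect
HIGH_ENTROPY = 7.5        # bits per byte; encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def classify_outlook_header(sample: bytes) -> str:
    """Classify the first bytes of a candidate .ost/.pst file.

    Returns "intact" when the MS-PST magic is present, "encrypted" when the
    magic is missing and the sample is near-random, else "unknown".
    A present header only shows the file start survived; still open the
    file in Outlook or scanpst before relying on its contents.
    """
    if sample.startswith(OUTLOOK_MAGIC):
        return "intact"
    if shannon_entropy(sample) >= HIGH_ENTROPY:
        return "encrypted"
    return "unknown"


def triage_directory(root: str) -> dict:
    """Walk root and map each .ost/.pst path to its classification."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".ost", ".pst")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    results[path] = classify_outlook_header(fh.read(SAMPLE_BYTES))
            except OSError as exc:
                results[path] = f"error: {exc}"
    return results


# Constructed samples (not real files): a minimal intact header, and a stand-in
# for ciphertext built so that every byte value occurs equally often (8.0 bits/byte).
INTACT_SAMPLE = OUTLOOK_MAGIC + b"\x00" * 508
ENCRYPTED_SAMPLE = bytes(range(256)) * 16

if __name__ == "__main__":
    for label, sample in (("intact", INTACT_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        print(label, "->", classify_outlook_header(sample))
```

Files that the ransomware renamed with its own extension will not match the `.ost`/`.pst` filter, so extend the suffix tuple in `triage_directory` to match what was observed on the affected machines.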

Over the next few weeks key milestones in the recovery project were accomplished in tight cooperation between Progent consultants and the client:

  • Self-hosted web applications were restored with no loss of information.
  • The MailStore Exchange Server with over 4 million historical emails was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory capabilities were fully recovered.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Ninety percent of the user desktops and notebooks were back in use by staff.

"So much of what happened that first week is mostly a haze for me, but our team will not soon forget the care each and every one of you accomplished to help get our business back. I have utilized Progent for the past ten years, maybe more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a stunning achievement."

Conclusion
A probable business extinction catastrophe was averted by top-tier professionals, a broad range of knowledge, and tight collaboration. Although, in hindsight, the ransomware attack described here would have been blocked by modern cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user education, well thought out incident response procedures for information protection, and keeping systems up to date with security patches, the reality remains that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware virus, remember that Progent's team of experts has proven experience in crypto-ransomware virus defense, mitigation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), I'm grateful for making it so I could get rested after we got through the most critical parts. All of you did a fabulous job, and if anyone is in the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Montreal a variety of online monitoring and security evaluation services designed to assist you to reduce your vulnerability to ransomware. These services incorporate next-generation artificial intelligence capability to uncover zero-day strains of ransomware that can evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's next generation behavior-based machine learning technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-matching AV products. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to automate the entire malware attack lifecycle including protection, detection, containment, cleanup, and post-attack forensics. Top features include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge technologies packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP deployment that meets your company's specific requirements and that allows you to achieve and demonstrate compliance with government and industry information security regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for immediate action. Progent can also assist your company to install and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore software providers to produce ProSight Data Protection Services, a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup processes and allow transparent backup and rapid restoration of important files/folders, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you recover from data loss resulting from hardware failures, natural calamities, fire, cyber attacks like ransomware, human error, malicious insiders, or software glitches. Managed services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security vendors to deliver web-based management and world-class security for all your email traffic. The hybrid structure of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to provide complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-based threats. The cloud filter acts as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to external attacks and saves system bandwidth and storage space. Email Guard's onsite gateway device adds a further level of inspection for incoming email. For outgoing email, the local gateway offers AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server monitor and protect internal email traffic that originates and ends within your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map out, track, optimize and troubleshoot their connectivity hardware such as routers, firewalls, and access points plus servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and manages the configuration information of virtually all devices on your network, tracks performance, and sends notices when problems are discovered. By automating complex management activities, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, finding appliances that require critical software patches, or isolating performance issues. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by tracking the health of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your specified IT management staff and your Progent engineering consultant so all potential issues can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected, fault tolerant data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hosting solution without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates, domains, or warranties. By cleaning up and managing your network documentation, you can eliminate up to half of the time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates next generation behavior-based machine learning technology to guard endpoint devices as well as servers and VMs against modern malware attacks such as ransomware and file-less exploits, which easily escape traditional signature-matching AV products. Progent Active Security Monitoring services protect on-premises and cloud-based resources and offer a single platform to address the complete malware attack lifecycle including blocking, identification, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Help Center: Help Desk Managed Services
    Progent's Support Center services allow your information technology staff to outsource Call Center services to Progent or split activity for Help Desk services transparently between your in-house network support group and Progent's extensive roster of IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a seamless supplement to your corporate network support group. End user access to the Help Desk, provision of support, escalation, trouble ticket creation and updates, performance metrics, and management of the service database are consistent regardless of whether incidents are resolved by your corporate network support staff, by Progent, or a mix of the two. Find out more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of any size a flexible and cost-effective alternative for assessing, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT network. Besides optimizing the protection and functionality of your IT network, Progent's software/firmware update management services permit your in-house IT staff to focus on line-of-business projects and tasks that derive maximum business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication. Duo supports single-tap identity confirmation with Apple iOS, Google Android, and other personal devices. With Duo 2FA, when you log into a secured application and enter your password, you are asked to verify who you are on a device that only you possess and that is reached over a different network channel. A broad selection of devices can be used as this second form of authentication, such as a smartphone or watch, a hardware token, or a landline telephone. You may designate several validation devices. For more information about ProSight Duo two-factor identity validation services, visit Duo MFA two-factor authentication (2FA) services.

For 24x7x365 Montreal Crypto Cleanup Support Services, call Progent at 800-462-8800 or go to Contact Progent.