Ransomware : Your Worst IT Catastrophe
Ransomware Recovery Professionals
Ransomware has become a too-frequent cyber plague that poses an enterprise-level threat to businesses poorly prepared for an assault. Ransomware families like the Reveton, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for many years and still cause damage. Newer strains like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Egregor, as well as frequent unnamed variants, not only encrypt online data but also compromise every configured system restore point and backup they can reach. Data synced to off-site disaster recovery sites can also be corrupted. With a vulnerable data protection solution, this can render automated recovery useless and effectively knocks the network back to zero.

Recovering applications and data after a ransomware outage becomes a race against time as the targeted business struggles to contain and remove the crypto-ransomware and to resume business-critical activity. Because ransomware takes time to spread, attacks are usually launched on weekends, when a successful attack typically takes longer to discover. This compounds the difficulty of promptly assembling and coordinating a knowledgeable response team.

Progent offers a range of support services for protecting enterprises from crypto-ransomware attacks. Among these are user training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with setup and configuration of modern security gateways with machine learning capabilities from SentinelOne to discover and suppress new threats automatically. Progent also provides the services of veteran ransomware recovery professionals with the track record and perseverance to rebuild a compromised network as rapidly as possible.

Progent's Crypto-Ransomware Recovery Help
Following a ransomware event, paying the ransom in cryptocurrency does not ensure that distant criminals will hand over the keys needed to decrypt any of your files. Kaspersky estimated that 17% of ransomware victims never recovered their files after paying the ransom, compounding their losses. The gamble is also very costly: Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000), far above the average ransomware demand, which ZDNET estimates at around $13,000. The other path is to piece back together the critical components of your IT environment. Without access to essential data backups, this calls for a wide range of IT skills, top-notch team management, and the willingness to work non-stop until the job is done.

For twenty years, Progent has offered certified expert IT services for businesses in Addison and across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained advanced certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security consultants have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of experience gives Progent the capability to quickly understand critical systems, re-organize the remaining components of your network environment after a crypto-ransomware penetration, and assemble them into an operational network.

Progent's recovery team uses best-of-breed project management applications to coordinate the sophisticated restoration process. Progent appreciates the importance of working quickly and in concert with a client's management and IT staff to prioritize tasks and to get the most important services back online as soon as possible.

Business Case Study: A Successful Ransomware Incident Recovery
A client engaged Progent after their organization was attacked by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-backed criminal gangs, possibly adopting techniques leaked from the United States NSA. Ryuk targets specific companies with little or no tolerance for disruption and is among the most profitable ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in Chicago with around 500 staff members. The Ryuk intrusion had shut down all business operations and manufacturing processes. Most of the client's data backups had been online at the start of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom demand (exceeding $200K) and hoping for good luck, but in the end decided to engage Progent.


"I can't tell you enough about the care Progent provided us throughout the most critical period of (our) businesses existence. We may have had to pay the cybercriminals except for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and essential servers back into operation quicker than five days was beyond my wildest dreams. Each expert I worked with or texted at Progent was urgently focused on getting us back on-line and was working day and night to bail us out."

Progent worked together with the client to rapidly identify and prioritize the critical systems that had to be recovered to make it possible to continue business functions:

  • Windows Active Directory
  • Microsoft Exchange
  • Financials/MRP
To get going, Progent followed industry best practices for malware incident mitigation by halting the spread and cleaning up infected systems. Progent then began the work of rebuilding Windows Active Directory, the core technology of enterprise networks built on Microsoft Windows Server. Exchange email will not function without Active Directory, and the customer's accounting and MRP system ran on Microsoft SQL Server, which depends on Windows AD to authenticate access to the data.

Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then proceeded with rebuilding and storage recovery for the most important applications. All Exchange schema and configuration information was still usable, which greatly helped the restoration of Exchange. Progent was also able to collect local OST files (Microsoft Outlook Offline Folder Files) from various PCs in order to recover email messages. A reasonably recent offline backup of the client's accounting systems made it possible to bring these essential applications back into service. Although a large amount of work still had to be done to recover fully from the Ryuk damage, essential services were recovered rapidly:


"For the most part, the assembly line operation was never shut down and we delivered all customer deliverables."

Over the next couple of weeks critical milestones in the recovery project were made in close cooperation between Progent consultants and the customer:

  • Internal web sites were restored without losing any information.
  • The MailStore Exchange Server, holding more than 4 million historical emails, was restored to operation and made accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were 100% restored.
  • A new Palo Alto 850 security appliance was installed.
  • Most of the user desktops were operational.

"A huge amount of what went on those first few days is mostly a haze for me, but we will not soon forget the care each and every one of your team put in to give us our business back. I've entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This time was a stunning achievement."

Conclusion
A possible business-ending catastrophe was averted with top-tier experts, a broad array of subject matter expertise, and close teamwork. Forensics completed after the recovery showed that the crypto-ransomware penetration described here could have been blocked with current security solutions and NIST Cybersecurity Framework best practices, staff training, and appropriate incident response procedures for data backup and timely security patching. Even so, the fact remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's roster of experts has substantial experience in ransomware blocking, remediation, and data recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), I'm grateful for letting me get rested after we got over the initial fire. All of you did an impressive effort, and if any of your team is around the Chicago area, dinner is on me!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Addison a range of online monitoring and security assessment services to help you to minimize the threat from crypto-ransomware. These services include next-generation machine learning technology to uncover zero-day variants of ransomware that can escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior machine learning technology to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely escape legacy signature-matching anti-virus products. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to address the complete threat progression including blocking, infiltration detection, containment, cleanup, and forensics. Top capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver economical multi-layer protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and response to security assaults from all attack vectors. ProSight ESP delivers firewall protection, intrusion alarms, device control, and web filtering via leading-edge tools packaged within one agent accessible from a unified console. Progent's data protection and virtualization experts can assist your business to plan and configure a ProSight ESP environment that meets your company's unique requirements and that allows you to achieve and demonstrate compliance with legal and industry information security standards. Progent will assist you in specifying and implementing security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent action. Progent's consultants can also assist you to set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup/restore technology companies to create ProSight Data Protection Services (DPS), a portfolio of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your backup processes and enable non-disruptive backup and fast recovery of vital files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business protect against data loss caused by hardware breakdown, natural calamities, fire, malware such as ransomware, human error, ill-intentioned employees, or application glitches. Managed services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can assist you to determine which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top data security vendors to provide centralized control and comprehensive protection for your email traffic. The powerful architecture of Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your vulnerability to external threats and conserves system bandwidth and storage space. Email Guard's on-premises gateway device adds a further layer of inspection for incoming email. For outbound email, the local security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and protect internal email traffic that originates and ends inside your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map out, track, enhance and troubleshoot their networking appliances such as routers, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are always current, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating complex management activities, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, finding appliances that require important software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system operating at peak levels by checking the state of the critical computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your specified IT management staff and your assigned Progent engineering consultant so any looming issues can be resolved before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard information related to your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as half of the time wasted searching for vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and sharing all documents required for managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes next-generation behavior-based machine learning technology to defend endpoint devices, servers and VMs against modern malware assaults such as ransomware and file-less exploits, which routinely evade traditional signature-matching anti-virus tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and provide a single platform to automate the complete malware attack progression including filtering, identification, containment, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Center: Call Center Managed Services
    Progent's Support Center managed services permit your IT staff to outsource Call Center services to Progent or divide activity for Help Desk services transparently between your internal network support staff and Progent's extensive roster of IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk provides a smooth extension of your in-house support staff. End user access to the Help Desk, provision of technical assistance, issue escalation, ticket creation and updates, performance measurement, and management of the support database are consistent whether issues are taken care of by your corporate network support group, by Progent, or both. Learn more about Progent's outsourced/co-managed Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of any size a flexible and cost-effective solution for assessing, testing, scheduling, applying, and documenting updates to your ever-evolving information system. In addition to optimizing the security and reliability of your IT network, Progent's patch management services free up time for your IT team to concentrate on more strategic initiatives and activities that deliver the highest business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication. Duo enables single-tap identity confirmation on iOS, Android, and other personal devices. Using 2FA, when you sign into a secured online account and give your password you are asked to verify who you are via a device that only you have and that uses a different ("out-of-band") network channel. A broad range of devices can be used for this added form of ID validation including a smartphone or wearable, a hardware/software token, a landline phone, etc. You may designate several verification devices. For details about ProSight Duo two-factor identity validation services, refer to Duo MFA two-factor authentication services.
For 24/7 Addison Crypto Recovery Support Services, call Progent at 800-462-8800 or go to Contact Progent.