Ransomware : Your Crippling Information Technology Disaster
Ransomware Remediation Consultants
Crypto-ransomware has become a modern cyber plague that poses an enterprise-level danger to any business vulnerable to attack. Ransomware families such as Reveton, CryptoWall, Bad Rabbit, Syskey and the MongoLock cryptoworms have been running rampant for years and still cause harm. The latest variants, including Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with others not yet named, not only encrypt critical online data but also reach any system backups they can access. Data replicated to off-site disaster recovery sites can be corrupted as well. In a vulnerable environment this can make automated restoration impossible and effectively set the datacenter back to square one.

Getting services and data back online after a crypto-ransomware outage becomes a race against the clock as the targeted business struggles to stop the spread, remove the ransomware, and restore business-critical activity. Because ransomware takes time to move laterally, attacks are usually launched on weekends, when a successful intrusion may take longer to detect. This multiplies the difficulty of quickly marshalling and coordinating a capable mitigation team.

Progent offers an assortment of services for protecting enterprises from ransomware attacks. These include training team members to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of the latest generation of security appliances using artificial intelligence technology from SentinelOne to detect and stop new attacks. Progent also offers the services of experienced crypto-ransomware recovery professionals with the skill and perseverance to rebuild a breached network as quickly as possible.

Progent's Ransomware Recovery Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will provide the keys to decrypt all your information. Kaspersky determined that seventeen percent of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also costly: Ryuk ransoms are often a few hundred thousand dollars, and for larger organizations can reach millions. The fallback is to re-install the essential components of your IT environment. Without complete backups, this calls for a broad complement of skill sets, professional project management, and the ability to work non-stop until the task is completed.

For twenty years, Progent has provided expert IT services for companies across the United States and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants holding high-level industry certifications in foundation technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity experts hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0 (refer to Progent's certifications). Progent also has experience with accounting and ERP software. This breadth of expertise lets Progent rapidly identify the critical systems, salvage the surviving parts of your network after a crypto-ransomware attack, and reassemble them into a functioning system.

Progent's security team uses state-of-the-art project management systems to orchestrate the sophisticated recovery process. Progent knows the urgency of working swiftly and in unison with a customer's management and Information Technology team members to prioritize tasks and to get critical applications back online as soon as possible.

Business Case Study: A Successful Ransomware Intrusion Restoration
A business sought out Progent after its organization was crippled by Ryuk ransomware. Ryuk is thought to have been launched by North Korean state-backed criminal gangs, suspected of using algorithms leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no tolerance for disruption and is one of the most profitable strains of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company based in Chicago with about 500 employees. The Ryuk attack had disabled all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were destroyed. The client was actively seeking loans to pay the ransom (more than $200K) and hoping for the best, but ultimately engaged Progent.


"I can't tell you enough in regards to the care Progent gave us during the most fearful period of (our) businesses existence. We had little choice but to pay the criminal gangs if it wasn't for the confidence the Progent team gave us. That you were able to get our e-mail system and essential servers back faster than five days was earth shattering. Every single expert I talked with or texted at Progent was urgently focused on getting our company operational and was working breakneck pace on our behalf."

Progent worked hand in hand with the customer to quickly identify and prioritize the mission-critical systems that had to be addressed to keep the business running:

  • Microsoft Active Directory
  • E-Mail
  • Accounting/MRP

To begin, Progent followed AV/malware incident response best practices: halting lateral movement, then removing the malware. Progent then started recovering Windows Active Directory, the heart of enterprise networks built on Microsoft technology. Exchange messaging will not function without AD, and the client's MRP system ran on Microsoft SQL Server, which relied on Windows AD to authenticate and authorize access to its data.

In less than two days, Progent rebuilt Active Directory to its pre-attack state. Progent then began setting up and recovering the hard drives of critical servers. All Exchange connections and configuration information were intact, which made the Exchange restore easier. Progent located unencrypted OST files (Outlook Offline Data Files) on team desktops and laptops and used them to recover mail data. A reasonably recent offline backup of the customer's financials/ERP systems made it possible to bring these essential services back online. Although a large amount of work remained to recover completely from the Ryuk event, the most important services were returned to operation quickly:


"For the most part, the production manufacturing operation did not miss a beat and we produced all customer shipments."

Over the next few weeks important milestones in the restoration process were made in tight collaboration between Progent team members and the client:

  • Internal web applications were returned to operation without losing any data.
  • The MailStore Exchange Server containing more than 4 million archived messages was spun up and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory modules were fully operational.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Most of the user desktops and notebooks were fully operational.

"A lot of what happened in the initial days is nearly entirely a fog for me, but I will not soon forget the urgency all of the team put in to give us our business back. I have been working together with Progent for the past ten years, maybe more, and every time Progent has outperformed my expectations and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A likely business-killing disaster was averted with dedicated experts, a wide range of subject matter expertise, and tight collaboration. In hindsight, the ransomware intrusion described here should have been identified and stopped by advanced cybersecurity technology and security best practices: user and IT administrator education, and properly executed procedures for data protection and software patching. The reality, however, is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and remain an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of professionals has a proven track record in ransomware blocking, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were contributing), I'm grateful for letting me get some sleep after we got through the initial fire. Everyone did an amazing effort, and if anyone that helped is around the Chicago area, dinner is on me!"

To read or download a PDF version of this ransomware incident report, see Progent's Ransomware Virus Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Addison a portfolio of online monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services include next-generation artificial intelligence technology to detect new variants of ransomware that can escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which easily evade traditional signature-matching AV tools. ProSight ASM protects local and cloud-based resources and provides a unified platform to manage the entire malware attack lifecycle including blocking, infiltration detection, containment, remediation, and forensics. Key features include one-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization experts can help your business design and implement a ProSight ESP environment that meets your company's specific requirements and that allows you to achieve and demonstrate compliance with government and industry data security standards. Progent will assist you in specifying and implementing the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent attention. Progent can also help your company install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore software providers to create ProSight Data Protection Services (DPS), a family of management outsourcing plans that deliver backup-as-a-service. ProSight DPS services manage and track your data backup processes and allow non-disruptive backup and fast recovery of critical files, apps, images, and VMs. ProSight DPS helps you protect against data loss resulting from hardware breakdown, natural disasters, fire, malware like ransomware, human mistakes, ill-intentioned insiders, or application glitches. Managed services in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security vendors to provide centralized control and comprehensive security for your email traffic. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter serves as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to inbound threats and saves network bandwidth and storage. Email Guard's onsite security gateway device provides a deeper level of analysis for inbound email. For outbound email, the local gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also help Exchange Server to track and protect internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map, monitor, enhance and debug their connectivity appliances such as switches, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, captures and displays the configuration of almost all devices on your network, tracks performance, and sends notices when problems are discovered. By automating tedious management activities, WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, locating devices that need important updates, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your network running efficiently by tracking the state of critical assets that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so all looming problems can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported immediately to an alternate hosting solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and protect information related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can save as much as 50% of the time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents related to managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Learn more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates cutting-edge behavioral machine learning technology to defend endpoints and physical and virtual servers against modern malware assaults like ransomware and email phishing, which routinely escape legacy signature-based AV products. Progent's Active Security Monitoring services protect on-premises and cloud resources and provide a single platform to address the entire malware attack progression, including protection, identification, containment, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Learn more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Desk: Support Desk Managed Services
    Progent's Call Desk services enable your IT group to offload Help Desk services to Progent or split responsibilities for Help Desk services transparently between your in-house network support resources and Progent's extensive roster of IT support engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent supplement to your corporate network support staff. User access to the Help Desk, provision of support services, escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the support database are cohesive whether issues are taken care of by your in-house IT support group, by Progent's team, or both. Read more about Progent's outsourced/co-managed Help Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management offer businesses of all sizes a flexible and affordable alternative for assessing, validating, scheduling, applying, and documenting updates to your dynamic IT system. In addition to optimizing the protection and reliability of your IT environment, Progent's patch management services allow your IT staff to focus on more strategic initiatives and tasks that deliver maximum business value from your network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication. Duo supports one-tap identity verification on iOS, Google Android, and other out-of-band devices. With 2FA, whenever you sign into a protected application and enter your password, you are asked to confirm your identity on a device that only you have and that uses a different network channel. A broad selection of out-of-band devices can serve as this added form of identity validation, including an iPhone, an Android phone, a smartwatch, a hardware token, or a landline telephone. You can designate several verification devices. To learn more about Duo two-factor identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding family of real-time reporting tools designed to work with the top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.

For 24x7 Addison Ransomware Remediation Experts, contact Progent at 800-462-8800 or go to Contact Progent.