Crypto-Ransomware : Your Crippling IT Nightmare
Ransomware Remediation Consultants

Ransomware has become a modern cyber pandemic that poses an extinction-level danger for businesses of all sizes that are poorly prepared for an assault. Versions of ransomware like the Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been running rampant for years and still inflict destruction. Recent strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, as well as additional unnamed viruses, not only encrypt on-line data but also infiltrate all available system protection mechanisms. Files synchronized to the cloud can also be ransomed. In a poorly architected environment, this can render automated recovery useless and effectively knock the entire system back to zero.

Restoring services and data following a ransomware attack becomes a race against time as the victim fights to stop the spread, eradicate the crypto-ransomware, and resume business-critical operations. Since ransomware takes time to spread, assaults are often sprung on weekends and holidays, when successful attacks in many cases take longer to recognize. This multiplies the difficulty of promptly mobilizing and coordinating a knowledgeable mitigation team.

Progent has an assortment of help services for protecting organizations from ransomware events. These include team member training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security solutions with artificial intelligence technology from SentinelOne to discover and disable zero-day threats automatically. Progent also provides the services of seasoned ransomware recovery consultants with the talent and commitment to re-deploy a breached network as urgently as possible.

Progent's Ransomware Recovery Help
Subsequent to a crypto-ransomware event, even paying the ransom demands in cryptocurrency does not guarantee that criminal gangs will provide the needed keys to decrypt all your data. Kaspersky estimated that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms are commonly a few hundred thousand dollars. For larger enterprises, the ransom can reach millions of dollars. The other path is to set up from scratch the essential components of your Information Technology environment. Without the availability of full information backups, this calls for a broad range of skill sets, well-coordinated team management, and the capability to work 24x7 until the task is done.

For twenty years, Progent has provided expert Information Technology services for businesses across the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have earned advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-renowned certifications including CISA, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent also has expertise with financial systems and ERP software solutions. This breadth of expertise gives Progent the ability to quickly determine the necessary systems, integrate the surviving pieces of your network after a ransomware event, and assemble them into an operational system.

Progent's recovery group utilizes top notch project management systems to coordinate the sophisticated restoration process. Progent understands the importance of acting rapidly and in concert with a customer's management and IT resources to assign priority to tasks and to put key applications back online as fast as possible.

Client Story: A Successful Crypto-Ransomware Virus Recovery
A client hired Progent after their company was penetrated by the Ryuk ransomware. Ryuk is believed to have been created by North Korean government-sponsored criminal gangs, possibly using techniques leaked from America's NSA organization. Ryuk goes after specific businesses with little or no room for disruption and is one of the most lucrative instances of crypto-ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing business located in the Chicago metro area with around 500 staff members. The Ryuk intrusion had brought down all company operations and manufacturing processes. The majority of the client's backups had been online at the time of the attack and were damaged. The client was actively seeking loans for paying the ransom demand (more than $200,000) and hoping for good luck, but ultimately engaged Progent.


"I can't thank you enough for the expertise Progent provided us throughout the most stressful period of (our) business's life. We would have paid the criminal gangs except for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and key applications back on-line sooner than a week was incredible. Each expert I worked with or e-mailed at Progent was absolutely committed to getting us operational and was working non-stop to bail us out."

Progent worked hand in hand with the customer to rapidly understand and prioritize the key services that needed to be restored to make it possible to restart business operations:

  • Active Directory
  • Exchange Server
  • Accounting/MRP
To begin, Progent adhered to ransomware event mitigation industry best practices by stopping the spread and removing active malware. Progent then initiated the process of recovering Windows Active Directory, the core of enterprise environments built on Microsoft Windows technology. Microsoft Exchange email will not operate without AD, and the client's accounting and MRP applications used Microsoft SQL Server, which relies on Active Directory for authentication to the database.
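The restore sequence above is a dependency problem: a service can only be brought online once everything it authenticates against or relies on is already back. The following Python script is an added illustration, not Progent's own tooling. It encodes the dependencies named in the case study (Exchange Server and SQL Server need Active Directory; the accounting/MRP applications need SQL Server) in a constructed map, computes a restore order with Kahn's topological sort, refuses to run on a cyclic or incomplete plan, and offers a gate check that a recovery lead can apply before declaring any service online. The service names and the `RESTORE_DEPENDENCIES` map are assumptions for the example.

```python
"""Dependency-ordered restore plan (added example, not Progent's tooling).

Each service lists the services it requires. Kahn's algorithm yields an
order in which every prerequisite precedes the service that needs it.
"""
from collections import deque

# Constructed dependency map for the case study: service -> required services.
RESTORE_DEPENDENCIES = {
    "Active Directory": set(),
    "Exchange Server": {"Active Directory"},
    "SQL Server": {"Active Directory"},
    "Accounting/MRP": {"SQL Server"},
}


def restore_order(deps):
    """Return the services in an order where prerequisites come first.

    Raises ValueError if a prerequisite is not itself in the plan or if the
    plan contains a cycle, since either makes the plan impossible to execute.
    """
    for svc, reqs in deps.items():
        missing = reqs - deps.keys()
        if missing:
            raise ValueError(f"{svc} depends on undefined service(s): {sorted(missing)}")

    # Number of unrestored prerequisites per service, and reverse edges.
    indegree = {svc: len(reqs) for svc, reqs in deps.items()}
    dependents = {svc: [] for svc in deps}
    for svc, reqs in deps.items():
        for req in reqs:
            dependents[req].append(svc)

    # Sorting keeps the output deterministic for the same plan.
    ready = deque(sorted(s for s, d in indegree.items() if d == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for dep in sorted(dependents[svc]):
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)

    if len(order) != len(deps):
        stuck = sorted(s for s, d in indegree.items() if d > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def can_bring_online(service, restored, deps):
    """Gate check: True only when every prerequisite of `service` is restored."""
    return deps[service] <= set(restored)


if __name__ == "__main__":
    for step, svc in enumerate(restore_order(RESTORE_DEPENDENCIES), start=1):
        print(f"{step}. {svc}")
```

The gate check is the part worth keeping after the crisis: if a restore runbook marks a service as "online" only when `can_bring_online` returns True for it, a team working around the clock cannot accidentally reinstall Exchange against a domain that has not yet been rebuilt.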

Within 2 days, Progent was able to rebuild Active Directory services to their pre-intrusion state. Progent then initiated reinstallations and hard drive recovery of mission-critical servers. All Microsoft Exchange Server ties and attributes were usable, which facilitated the restore of Exchange. Progent was also able to collect non-encrypted OST files (Microsoft Outlook Off-Line Folder Files) on staff desktop computers and laptops to recover email messages. A fairly recent offline backup of the business's financials/ERP software made it possible to return these required services to users. Although a large amount of work remained to recover completely from the Ryuk damage, core services were returned to operation rapidly:


"For the most part, the production operation survived unscathed and we did not miss any customer orders."

During the following few weeks key milestones in the recovery process were accomplished through close collaboration between Progent engineers and the customer:

  • In-house web sites were brought back up without losing any information.
  • The MailStore Exchange Server containing more than 4 million historical messages was brought on-line and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory functions were completely recovered.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • Ninety percent of the desktop computers were back into operation.

"So much of what occurred during the initial response is nearly entirely a blur for me, but my team will not forget the dedication all of your team put in to give us our company back. I have been working together with Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered. This event was a stunning achievement."

Conclusion
A probable business catastrophe was dodged due to results-oriented experts, a wide range of subject matter expertise, and tight teamwork. Forensics showed that the ransomware penetration described here could have been identified and stopped with modern security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, and properly executed incident response procedures for data backup and keeping systems up to date with security patches. The reality remains, however, that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and will continue. If you do get hit by a crypto-ransomware incursion, feel confident that Progent's roster of experts has substantial experience in crypto-ransomware defense, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for making it so I could get some sleep after we got through the first week. All of you did an impressive job, and if any of your team is around the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Adelaide a variety of remote monitoring and security evaluation services designed to help you to reduce your vulnerability to ransomware. These services incorporate next-generation artificial intelligence capability to detect zero-day variants of ransomware that can evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior-based analysis technology to defend physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which easily escape traditional signature-matching AV products. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to automate the complete malware attack lifecycle including blocking, identification, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP offers firewall protection, penetration alarms, endpoint management, and web filtering via cutting-edge tools packaged within a single agent accessible from a single console. Progent's security and virtualization experts can help your business to plan and implement a ProSight ESP environment that meets your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry data protection regulations. Progent will assist you in specifying and implementing the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for urgent action. Progent can also help you to install and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore technology companies to produce ProSight Data Protection Services (DPS), a family of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup processes and allow non-disruptive backup and fast recovery of critical files, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss caused by equipment breakdown, natural calamities, fire, malware such as ransomware, user error, malicious insiders, or application bugs. Managed services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security vendors to provide web-based control and comprehensive protection for your inbound and outbound email. The powerful architecture of Email Guard managed service combines a Cloud Protection Layer with a local gateway device to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks most unwanted email from reaching your security perimeter. This decreases your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper level of inspection for inbound email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Exchange Server to track and protect internal email that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map out, track, reconfigure and debug their networking appliances such as switches, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch ensures that network diagrams are always updated, copies and manages the configuration information of virtually all devices on your network, tracks performance, and generates notices when problems are detected. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, finding devices that require important software patches, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management techniques to keep your IT system operating efficiently by checking the health of vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your specified IT personnel and your assigned Progent engineering consultant so that all looming issues can be addressed before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hardware solution without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect data related to your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can save as much as half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates next generation behavior analysis tools to guard endpoint devices and physical and virtual servers against new malware attacks like ransomware and file-less exploits, which easily escape legacy signature-matching AV products. Progent Active Security Monitoring services protect local and cloud resources and offers a single platform to address the entire threat lifecycle including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows VSS and automatic network-wide immunization against new threats. Read more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Help Desk: Support Desk Managed Services
    Progent's Call Center services enable your information technology staff to outsource Call Center services to Progent or divide responsibilities for support services transparently between your in-house network support resources and Progent's nationwide pool of IT service engineers and subject matter experts. Progent's Shared Help Desk Service provides a transparent extension of your core network support organization. End user interaction with the Help Desk, provision of technical assistance, issue escalation, ticket creation and updates, performance metrics, and maintenance of the support database are consistent regardless of whether incidents are resolved by your in-house IT support staff, by Progent, or a mix of the two. Find out more about Progent's outsourced/shared Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide organizations of all sizes a versatile and affordable solution for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your dynamic IT network. Besides optimizing the security and functionality of your IT network, Progent's software/firmware update management services free up time for your IT team to concentrate on line-of-business projects and tasks that deliver the highest business value from your network. Find out more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication managed services utilize Cisco's Duo technology to protect against stolen passwords by using two-factor authentication (2FA). Duo enables single-tap identity confirmation with Apple iOS, Google Android, and other personal devices. Using Duo 2FA, when you sign into a protected online account and enter your password, you are requested to verify who you are via a device that only you have and that uses a different ("out-of-band") network channel. A broad range of devices can be utilized as this second means of ID validation, including an iPhone, Android phone or wearable, a hardware token, a landline telephone, etc. You can designate multiple validation devices. For details about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding suite of real-time and in-depth management reporting tools created to integrate with the industry's leading ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues like spotty support follow-through or machines with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24/7/365 Adelaide Ransomware Cleanup Help, call Progent at 800-462-8800 or go to Contact Progent.