Ransomware: Your Feared IT Catastrophe
Ransomware Recovery Consultants
Crypto-ransomware has become a too-frequent cyber pandemic that represents an existential threat for businesses of all sizes vulnerable to an attack. Different iterations of ransomware such as CryptoLocker, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for many years and still cause havoc. More recent variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus daily unnamed viruses, not only encrypt online files but also infiltrate many configured system protections. Information synced to cloud environments can also be ransomed. In a poorly designed system, this can make any restoration impossible and effectively knocks the network back to zero.

Getting back applications and data after a ransomware event becomes a race against the clock as the targeted organization fights to stop lateral movement and eradicate the virus and to restore business-critical operations. Since ransomware needs time to replicate, attacks are frequently sprung at night, when penetrations may take longer to recognize. This compounds the difficulty of quickly marshalling and coordinating a capable mitigation team.

Progent provides a variety of services for protecting businesses from ransomware events. These include user training to help staff recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security gateways with machine learning capabilities from SentinelOne to identify and extinguish new threats intelligently. Progent also offers the services of veteran crypto-ransomware recovery engineers with the talent and perseverance to re-deploy a breached network as soon as possible.

Progent's Ransomware Restoration Help
After a crypto-ransomware penetration, even paying the ransom in Bitcoin cryptocurrency provides no assurance that merciless criminals will hand over the keys to decrypt all your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The ransom itself is also costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the average ransomware demand, which ZDNET determined to be around $13,000. The fallback is to set up from scratch the vital elements of your IT environment. Without complete information backups available, this requires a broad complement of IT skills, top-notch project management, and the capability to work continuously until the recovery project is complete.

For two decades, Progent has made available expert IT services for companies in Adelaide and throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained advanced industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security consultants have garnered internationally-renowned certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience in accounting and ERP application software. This breadth of experience gives Progent the capability to quickly understand important systems and re-organize the surviving parts of your network system following a crypto-ransomware penetration and configure them into a functioning network.

Progent's ransomware team has best of breed project management applications to coordinate the sophisticated recovery process. Progent appreciates the urgency of acting quickly and in concert with a customer's management and IT team members to assign priority to tasks and to get key systems back on-line as soon as possible.

Case Study: A Successful Ransomware Virus Recovery
A business engaged Progent after their company was crippled by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored hackers, possibly using strategies leaked from the U.S. National Security Agency. Ryuk goes after specific businesses with limited tolerance for disruption and is among the most lucrative iterations of ransomware malware. Highly publicized victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing business based in Chicago with around 500 employees. The Ryuk intrusion had shut down all essential operations and manufacturing processes. Most of the client's information backups had been online at the beginning of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom (in excess of $200,000) and hoping for the best, but in the end called Progent.


"I cannot speak enough in regards to the expertise Progent gave us throughout the most fearful period of (our) company's existence. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent group provided us. That you were able to get our messaging and important applications back online quicker than one week was incredible. Each expert I spoke to or texted at Progent was hell bent on getting my company operational and was working non-stop to bail us out."

Progent worked hand in hand with the client to rapidly identify and prioritize the key applications that needed to be recovered to make it possible to continue business functions:

  • Windows Active Directory
  • Email
  • MRP System

To begin, Progent adhered to AV/malware incident response best practices by stopping lateral movement and cleaning systems of malware. Progent then initiated the work of restoring Microsoft AD, the heart of enterprise networks built upon Microsoft Windows Server technology. Exchange email will not operate without Windows AD, and the client's MRP software used Microsoft SQL Server, which depends on Windows AD to authorize access to its databases.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then helped perform rebuilding and storage recovery on critical systems. All Exchange schema extensions and attributes were intact, which greatly helped the rebuild of Exchange. Progent was able to gather intact OST files (Outlook Offline Folder Files) from team workstations and laptops to recover mail data. A reasonably recent offline backup of the client's manufacturing systems made it possible to bring these essential applications back online. Although significant work remained to recover completely from the Ryuk damage, essential systems were recovered rapidly:


"For the most part, the production operation did not miss a beat and we produced all customer shipments."

Throughout the next month important milestones in the recovery process were accomplished through close cooperation between Progent engineers and the customer:

  • Self-hosted web applications were returned to operation with no loss of information.
  • The MailStore Microsoft Exchange Server with over four million archived emails was restored to operations and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory modules were 100 percent restored.
  • A new Palo Alto 850 firewall was set up.
  • 90% of the user PCs were back in use by staff.

"A lot of what happened those first few days is mostly a haze for me, but I will not soon forget the countless hours each of you put in to help get our business back. I've utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered. This time was a testament to your capabilities."

Conclusion
A likely business-killing catastrophe was averted by results-oriented experts, a wide array of technical expertise, and close teamwork. In hindsight, the ransomware attack detailed here could have been identified and prevented with advanced cyber security technology and best practices, team education, and well-thought-out security procedures for backups and for keeping systems up to date with security patches. The fact remains, however, that state-sponsored cybercriminals from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's roster of experts has proven experience in ransomware defense, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), thanks very much for allowing me to get some sleep after we got over the most critical parts. All of you did an impressive effort, and if anyone is around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Adelaide a range of remote monitoring and security evaluation services designed to help you to minimize the threat from crypto-ransomware. These services incorporate next-generation AI capability to detect zero-day variants of crypto-ransomware that can get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior analysis tools to defend physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which easily escape legacy signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a single platform to manage the complete threat progression including filtering, identification, containment, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint management, and web filtering through cutting-edge tools incorporated within a single agent managed from a unified control. Progent's data protection and virtualization consultants can assist you to plan and configure a ProSight ESP deployment that addresses your company's specific requirements and that helps you demonstrate compliance with government and industry data security regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for immediate action. Progent's consultants can also help your company to install and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has worked with leading backup technology companies to create ProSight Data Protection Services (DPS), a selection of offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your backup processes and allow non-disruptive backup and fast recovery of vital files/folders, applications, images, and virtual machines. ProSight DPS lets your business avoid data loss caused by hardware breakdown, natural disasters, fire, malware like ransomware, human mistakes, malicious insiders, or software bugs. Managed backup services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security vendors to provide web-based control and world-class security for your email traffic. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from reaching your network firewall. This decreases your exposure to external threats and saves network bandwidth and storage. Email Guard's onsite security gateway device provides a further level of analysis for inbound email. For outbound email, the local security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to track and safeguard internal email that originates and ends within your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map out, track, optimize and troubleshoot their connectivity appliances such as routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are always updated, captures and manages the configuration information of virtually all devices on your network, monitors performance, and sends notices when problems are discovered. By automating complex management activities, WAN Watch can cut hours off ordinary tasks such as network mapping, expanding your network, locating devices that require critical software patches, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to keep your network operating at peak levels by checking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your specified IT management personnel and your Progent engineering consultant so all potential problems can be addressed before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hardware solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard data about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSLs or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save up to 50% of time spent looking for critical information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents related to managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT information. Whether you're planning enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes cutting-edge behavior analysis technology to guard endpoint devices as well as physical and virtual servers against new malware assaults such as ransomware and email phishing, which easily get by legacy signature-matching anti-virus products. Progent ASM services protect on-premises and cloud resources and offer a single platform to address the complete malware attack progression including protection, detection, mitigation, remediation, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Help Desk: Support Desk Managed Services
    Progent's Support Center managed services permit your IT team to outsource Support Desk services to Progent or split responsibilities for support services transparently between your internal network support team and Progent's nationwide roster of IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a smooth supplement to your core IT support organization. End user access to the Service Desk, delivery of support, escalation, trouble ticket generation and tracking, efficiency measurement, and management of the service database are cohesive regardless of whether incidents are resolved by your corporate support staff, by Progent, or both. Read more about Progent's outsourced/shared Call Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a versatile and affordable alternative for evaluating, testing, scheduling, applying, and documenting updates to your ever-evolving information network. Besides optimizing the protection and functionality of your computer network, Progent's patch management services free up time for your in-house IT staff to focus on line-of-business initiatives and activities that deliver the highest business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication services utilize Cisco's Duo cloud technology to protect against password theft by using two-factor authentication. Duo supports single-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. Using Duo 2FA, whenever you log into a secured online account and enter your password, you are requested to confirm who you are on a device that only you possess and that is reached over a different network channel. A broad selection of out-of-band devices can be used as this added form of ID validation, including an iPhone, an Android phone, a smartwatch, a hardware or software token, or a landline telephone. You can designate several verification devices. For more information about Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication (2FA) services.

For 24/7 Adelaide crypto-ransomware recovery help, reach out to Progent at 800-462-8800 or go to Contact Progent.