Ransomware: Your Feared IT Nightmare
Crypto-Ransomware Remediation Experts
Crypto-ransomware has become an all-too-frequent cyberplague that presents an enterprise-level threat to any organization vulnerable to an assault. Older strains such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock have been around for years and continue to cause damage. Newer strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, plus a steady stream of as yet unnamed variants, not only encrypt online data files but also seek out and disable or encrypt any reachable backups and system protection. Data replicated to off-site disaster recovery sites can also be ransomed. In a vulnerable environment this renders automated recovery hopeless and effectively knocks the network back to square one.

Getting applications and data back online after a ransomware attack becomes a race against time as the targeted organization tries to contain and remove the ransomware and resume business-critical activity. Because crypto-ransomware needs time to spread, attacks are often launched on weekends and at night, when they take longer to notice. This multiplies the difficulty of rapidly marshalling and coordinating an experienced response team.

Progent offers an assortment of solutions for securing organizations from ransomware penetrations. Among these are team member education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security solutions with AI technology from SentinelOne to discover and disable zero-day threats intelligently. Progent also offers the assistance of expert ransomware recovery consultants with the track record and perseverance to reconstruct a breached system as quickly as possible.

Progent's Ransomware Recovery Services
Following a crypto-ransomware event, paying the ransom in cryptocurrency does not ensure that the criminals will respond with keys that decrypt any or all of your data. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far higher than the typical ransomware demand, which ZDNet estimated at about $13,000. The other path is to piece the vital components of your IT environment back together. Without access to full system backups, this requires a wide complement of skills, well-coordinated project management, and the willingness to work around the clock until the job is done.

For two decades, Progent has offered expert IT services for companies in Akron and throughout the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned top certifications in important technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's cyber security engineers have garnered internationally-renowned industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial management and ERP application software. This breadth of experience gives Progent the capability to rapidly understand important systems and integrate the surviving pieces of your Information Technology system after a ransomware attack and configure them into an operational network.

Progent's recovery team has state-of-the-art project management tools to orchestrate the complicated recovery process. Progent knows the importance of acting quickly and in unison with a customer's management and IT team members to assign priority to tasks and to get key systems back online as fast as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Intrusion Response
A manufacturing company hired Progent after its network was hit by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis tied it to Russian-speaking criminal operators. Ryuk targets specific companies with little tolerance for operational disruption and is among the most lucrative strains of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with about 500 employees. The Ryuk intrusion had paralyzed all essential business and manufacturing processes. Most of the client's backups had been online at the time of the attack and were eventually encrypted. The client was preparing to pay the ransom (in excess of $200,000) and hope for the best, but in the end engaged Progent.


"I cannot speak enough about the support Progent gave us throughout the most fearful period of (our) company's existence. We most likely would have paid the Hackers if it wasn't for the confidence the Progent team gave us. That you were able to get our e-mail system and production applications back online sooner than one week was beyond my wildest dreams. Each expert I got help from or messaged at Progent was absolutely committed to getting us restored and was working at breakneck pace to bail us out."

Progent worked with the customer to quickly identify and prioritize the essential services that had to be restored before company operations could resume:

  • Windows Active Directory
  • Email
  • MRP System
To start, Progent followed incident response best practices by stopping lateral movement and cleaning up compromised systems. Progent then began recovering Microsoft Active Directory, the foundation of networks built on Microsoft technology. Exchange messaging cannot operate without Active Directory, and the client's MRP software ran on SQL Server, which used Active Directory accounts to authenticate access to its data.

In less than 48 hours, Progent recovered Active Directory to its pre-intrusion state. Progent then assisted with rebuilding key systems and recovering their storage. All Exchange Server schema extensions and attributes in AD were intact, which greatly simplified the Exchange restore. Progent was able to use the local OST files (Outlook Offline Data Files) on staff workstations to recover email data. A reasonably recent offline backup of the business's accounting/MRP software, which unlike the online backups had been out of the ransomware's reach, made it possible to bring these vital applications back online. Although significant work remained to recover fully from the Ryuk damage, critical services were returned to operation rapidly:
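The containment step in this case (stopping lateral movement and identifying compromised systems) depends on quickly scoping which hosts the attacker touched and which ones can no longer be rolled back in place. As an added example that is not Progent's code and not part of the original case study, the Python script below runs simple detection rules over constructed Windows event records: it flags the shadow-copy and recovery tampering that Ryuk and similar families perform before encrypting (which also defeats any rollback that relies on Volume Shadow Copy), and the remote service installs and administrative share access that mark lateral movement. The hostnames, IP addresses, account names and event fields are invented for the example; in practice the records would come from a SIEM or a Get-WinEvent export.

```python
"""Scope a ransomware intrusion from Windows event records (added example)."""
import re
from collections import defaultdict

# Constructed sample events (not real log data), shaped like the fields a SIEM
# extracts from Security 4688 (process creation), System 7045 (service
# install) and Security 5140 (network share object accessed).
SAMPLE_EVENTS = [
    {"host": "FS01", "event_id": 4688, "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "event_id": 4688, "user": "CORP\\svc_backup",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "FS01", "event_id": 4688, "user": "CORP\\svc_backup",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "APP02", "event_id": 7045, "user": "SYSTEM",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "APP02", "event_id": 5140, "user": "CORP\\jdoe",
     "share": "\\\\*\\ADMIN$", "src_ip": "10.0.5.23"},
    {"host": "DC01", "event_id": 5140, "user": "CORP\\jdoe",
     "share": "\\\\*\\C$", "src_ip": "10.0.5.23"},
    # Benign noise: listing shadow copies and a normal share are not findings.
    {"host": "WS17", "event_id": 4688, "user": "CORP\\alice",
     "cmdline": "vssadmin.exe List Shadows"},
    {"host": "WS17", "event_id": 5140, "user": "CORP\\alice",
     "share": "\\\\*\\Public", "src_ip": "10.0.7.40"},
]

# Commands ransomware runs before encrypting so the victim cannot roll back.
RECOVERY_TAMPER = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I), "shadow copies deleted"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I), "shadow copies deleted via WMI"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "Windows recovery disabled"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I), "backup catalog deleted"),
]
# Administrative shares used by PsExec-style tooling: \\host\ADMIN$ or \\host\C$.
ADMIN_SHARES = re.compile(r"\\\\[^\\]+\\(ADMIN\$|[A-Z]\$)$", re.I)


def classify(event):
    """Return (category, description, pivot_ip) for a suspicious event, else None."""
    eid = event["event_id"]
    if eid == 4688:
        for pattern, label in RECOVERY_TAMPER:
            if pattern.search(event.get("cmdline", "")):
                return ("recovery_tamper", f"{label} by {event['user']}", None)
    elif eid == 7045:
        name = event.get("service_name", "")
        path = event.get("image_path", "")
        # PSEXESVC, or a service binary dropped into ADMIN$ or a Temp directory.
        if name.upper() == "PSEXESVC" or re.search(r"ADMIN\$|\\Temp\\", path, re.I):
            return ("lateral_movement", f"remote service installed: {name} ({path})", None)
    elif eid == 5140:
        share = event.get("share", "")
        if ADMIN_SHARES.search(share):
            desc = f"admin share {share} accessed by {event['user']} from {event['src_ip']}"
            return ("lateral_movement", desc, event["src_ip"])
    return None


def scope_intrusion(events):
    """Group findings by host and collect the source IPs the attacker pivoted from."""
    by_host = defaultdict(list)   # host -> [(category, description), ...]
    pivots = set()
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        category, description, pivot = hit
        by_host[ev["host"]].append((category, description))
        if pivot:
            pivots.add(pivot)
    return dict(by_host), pivots


def containment_plan(by_host, pivots):
    """Hosts to isolate now, hosts that lost local rollback (need offline backups),
    and the source addresses to trace back to the attacker's foothold."""
    isolate = sorted(by_host)
    no_local_rollback = sorted(h for h, hits in by_host.items()
                               if any(c == "recovery_tamper" for c, _ in hits))
    return {"isolate": isolate, "no_local_rollback": no_local_rollback,
            "pivot_sources": sorted(pivots)}


if __name__ == "__main__":
    hosts, pivots = scope_intrusion(SAMPLE_EVENTS)
    plan = containment_plan(hosts, pivots)
    for host in plan["isolate"]:
        print(host)
        for _, desc in hosts[host]:
            print("   ", desc)
    print("trace pivot sources:", plan["pivot_sources"])
    print("restore from offline backup (shadow copies gone):", plan["no_local_rollback"])
```

The rules are deliberately narrow: listing shadow copies or touching an ordinary share produces nothing, while a host that deleted its shadow copies is placed on the list that must be rebuilt from an offline backup rather than rolled back, which matches how the offline MRP backup, not the encrypted online copies, carried the recovery above.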


"For the most part, the production manufacturing operation ran fairly normal throughout and we produced all customer deliverables."

Over the next couple of weeks key milestones in the restoration project were accomplished through close collaboration between Progent team members and the customer:

  • Internal web sites were brought back up without losing any data.
  • The MailStore Exchange Server containing more than 4 million archived emails was spun up and available for users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were fully functional.
  • A new Palo Alto 850 security appliance was deployed.
  • Ninety percent of the desktops and laptops were back into operation.

"A huge amount of what transpired during the initial response is nearly entirely a haze for me, but we will not forget the dedication all of you put in to help get our company back. I have trusted Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This event was a life saver."

Conclusion
A probable business-ending catastrophe was averted by results-oriented experts, a broad spectrum of subject matter expertise, and close teamwork. In hindsight, the ransomware attack described here could have been identified and blocked with modern security technology and best practices, user education, and sound procedures for backups and software patching; the reality remains that state-sponsored and criminal attackers from Russia, China and elsewhere are relentless and will keep trying. If you are hit by a crypto-ransomware incursion, remember that Progent's roster of experts has extensive experience in ransomware blocking, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), I'm grateful for letting me get rested after we got past the most critical parts. All of you did an incredible job, and if any of your guys is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Akron a portfolio of remote monitoring and security assessment services to assist you to minimize your vulnerability to ransomware. These services utilize next-generation artificial intelligence technology to detect new variants of crypto-ransomware that can get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's next-generation behavioral machine learning technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a unified platform to manage the entire malware attack lifecycle including blocking, identification, containment, remediation, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Because most ransomware families delete shadow copies before encrypting, rollback depends on the agent blocking that tampering in time; offline backups remain the fallback. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Email Filtering
ProSight Enhanced Security Protection managed services deliver affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and response to security threats from all vectors. ProSight ESP provides two-way firewall protection, penetration alerts, endpoint control, and web filtering through leading-edge tools incorporated within a single agent accessible from a single console. Progent's security and virtualization experts can help you design and implement a ProSight ESP deployment that meets your company's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you define and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent's consultants can also help you set up and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore software providers to produce ProSight Data Protection Services, a portfolio of offerings that deliver backup-as-a-service. ProSight DPS products automate and monitor your backup processes and enable transparent backup and fast restoration of important files/folders, apps, system images, and virtual machines. ProSight DPS helps your business protect against data loss resulting from equipment failures, natural calamities, fire, cyber attacks like ransomware, user error, ill-intentioned insiders, or software glitches. Managed services in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading data security companies to deliver centralized control and comprehensive security for all your email traffic. The powerful structure of Progent's Email Guard integrates cloud-based filtering with a local security gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter acts as a first line of defense and blocks most threats from reaching your security perimeter. This reduces your vulnerability to inbound threats and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a deeper layer of analysis for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map, track, reconfigure and troubleshoot their networking appliances like routers, firewalls, and load balancers plus servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are always current, copies and displays the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when problems are detected. By automating time-consuming management activities, WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, finding devices that require critical updates, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by checking the health of vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your designated IT management staff and your assigned Progent consultant so that all looming problems can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported easily to an alternate hardware environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and protect information related to your IT infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be warned about upcoming expirations of SSL/TLS certificates or domains. By updating and managing your IT infrastructure documentation, you can eliminate up to 50% of time spent trying to find vital information about your network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents required for managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT information. Whether you're making improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need the instant you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes next-generation behavioral machine learning tools to defend endpoint devices, servers and VMs against new malware assaults like ransomware and file-less exploits, which easily get by legacy signature-based anti-virus products. The service protects on-premises and cloud resources and offers a single platform to automate the entire threat lifecycle including blocking, detection, containment, remediation, and forensics. Key capabilities include one-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Center: Support Desk Managed Services
    Progent's Support Center managed services allow your information technology group to offload Support Desk services to Progent or split activity for support services seamlessly between your in-house network support team and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a smooth supplement to your core network support resources. User interaction with the Help Desk, delivery of support, issue escalation, trouble ticket creation and tracking, efficiency measurement, and maintenance of the support database are cohesive regardless of whether incidents are taken care of by your internal IT support staff, by Progent, or by a combination. Find out more about Progent's outsourced/shared Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide organizations of any size a flexible and affordable alternative for assessing, testing, scheduling, applying, and tracking updates to your dynamic information network. Besides optimizing the security and functionality of your computer network, Progent's patch management services permit your in-house IT staff to concentrate on more strategic initiatives and activities that deliver the highest business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
Progent's Duo MFA managed services incorporate Cisco's Duo technology to protect against compromised passwords by using two-factor authentication. Duo supports single-tap identity confirmation with Apple iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected online account and give your password you are asked to confirm your identity on a device that only you possess and that is reached over a different ("out-of-band") network channel. A wide selection of devices can be used for this added form of identity validation, including a smartphone or wearable, a hardware token, or a landline phone. You may designate multiple verification devices. To find out more about Duo identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is a growing suite of real-time management reporting utilities created to integrate with the industry's top ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues such as spotty support follow-up or endpoints with out-of-date antivirus. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.

For Akron 24-Hour Ransomware Recovery Services, contact Progent at 800-462-8800 or go to Contact Progent.