Ransomware : Your Feared IT Disaster
Crypto-Ransomware Remediation Experts

Ransomware has become a modern cyber pandemic that poses an existential danger to businesses vulnerable to attack. Older ransomware families such as Dharma, CryptoWall, Bad Rabbit, Syskey and the MongoLock cryptoworms have been around for a long time and still inflict damage. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus frequent unnamed newcomers, not only encrypt critical online data but also infect every backup that is reachable from the network. Data replicated to the cloud can be corrupted as well. In a vulnerable environment this renders automated restore operations useless and effectively sets the entire system back to zero.

Getting programs and data back after a ransomware intrusion becomes a race against the clock as the targeted business fights to stop the spread, clean up the malware, and resume business-critical operations. Because ransomware takes time to spread, intrusions are usually launched on weekends and holidays, when they may take longer to notice. This multiplies the difficulty of promptly mobilizing and coordinating an experienced mitigation team.

Progent offers a range of services for protecting organizations from ransomware intrusions. These include staff education to help employees recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of modern AI-based security products from SentinelOne to discover and disable new cyber threats rapidly. Progent also offers the assistance of experienced crypto-ransomware recovery consultants with the skills and commitment to rebuild a breached network as quickly as possible.

Progent's Ransomware Restoration Services
Following a ransomware intrusion, paying the ransom demanded in cryptocurrency does not guarantee that the remote criminals will respond with the keys to decrypt all your files. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms are typically several hundred thousand dollars, and for larger organizations the demand can reach millions of dollars. The alternative is to piece back together the vital elements of your IT environment. Without access to complete data backups, this requires a broad complement of skill sets, professional project management, and the willingness to work non-stop until the recovery is done.

For twenty years, Progent has offered certified expert IT services to companies across the U.S. and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity experts hold internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience gives Progent the skills to knowledgeably identify the systems that are needed, integrate the surviving parts of your network environment after a ransomware attack, and configure them into an operational network.

Progent's recovery team uses top-notch project management systems to coordinate the complex restoration process. Progent understands the urgency of working quickly and in unison with a client's management and IT staff to prioritize tasks and to get essential systems back online as fast as possible.

Client Story: A Successful Crypto-Ransomware Virus Restoration
A small business engaged Progent after its network was penetrated by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state cybercriminals, possibly using techniques leaked from the U.S. NSA. Ryuk targets specific businesses with limited tolerance for disruption and is among the most profitable ransomware operations. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had shut down all company operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the time of the intrusion and were encrypted along with everything else. The client was considering paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I can't say enough about the care Progent gave us throughout the most stressful time of (our) company's life. We would have paid the hackers if not for the confidence the Progent experts afforded us. That you were able to get our messaging and important applications back in less than a week was earth-shattering. Each person I interacted with or texted at Progent was urgently focused on getting us back on-line and was working all day and night on our behalf."

Progent worked with the client to quickly identify and prioritize the most important systems that had to be recovered before business operations could restart:

  • Active Directory
  • E-Mail
  • Accounting/MRP

To begin, Progent followed industry best practices for malware incident response by halting lateral movement and disinfecting systems. Progent then started rebuilding Active Directory, the heart of enterprise networks built on Microsoft technology. Microsoft Exchange email will not work without Windows AD, and the customer's accounting and MRP applications ran on SQL Server, which depended on Windows AD for access to the data.

In less than 48 hours, Progent rebuilt Active Directory to its pre-intrusion state. Progent then set up critical servers and recovered their storage. All Microsoft Exchange Server links and attributes in AD were intact, which greatly helped the rebuild of Exchange. Progent was also able to locate local OST files (Outlook offline folder files) on staff workstations and laptops and use them to recover mail data. A fairly recent offline backup of the business's financial/ERP software made it possible to restore these vital applications and make them available to users again. Although major work remained to recover fully from the Ryuk event, essential systems were recovered quickly:


"For the most part, the production operation survived unscathed and we delivered all customer sales."

Over the following month, key milestones in the restoration project were completed through close cooperation between Progent engineers and the customer:

  • In-house web sites were restored with no loss of data.
  • The MailStore Server containing more than 4 million historical emails was brought online and available for users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory Control functions were fully operational.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Most of the user desktops and notebooks were operational.

"A lot of what was accomplished in the initial days is mostly a haze for me, but my team will not forget the countless hours each member of the team put in to help get our business back. I have utilized Progent for at least 10 years, possibly more, and every time Progent has come through and delivered as promised. This situation was a stunning achievement."

Conclusion
A potentially business-ending catastrophe was averted by dedicated professionals, a wide array of knowledge, and close collaboration. Post-incident analysis showed that the attack described here would have been stopped by advanced cyber security technology, recognized best practices, staff training, and properly executed incident response procedures for data protection and software patching; the reality, however, is that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you are hit by a crypto-ransomware incident, remember that Progent's roster of professionals has proven experience in ransomware defense, cleanup, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for making it so I could get rested after we got over the initial fire. Everyone made an incredible effort, and if anyone is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Akron with a variety of online monitoring and security assessment services designed to help you reduce the threat from ransomware. These services use next-generation AI technology to detect new strains of crypto-ransomware that escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting-edge behavior-based machine learning tools to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which easily escape legacy signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a unified platform to address the complete threat progression, including blocking, infiltration detection, containment, remediation, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver economical in-depth security for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and react to cyber assaults from all vectors. ProSight ESP offers firewall protection, penetration alerts, endpoint management, and web filtering through cutting-edge technologies incorporated within one agent accessible from a unified console. Progent's data protection and virtualization experts can help you plan and configure a ProSight ESP deployment that meets your company's unique needs and helps you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement the security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for immediate attention. Progent's consultants can also help you install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with leading backup technology companies to produce ProSight Data Protection Services, a selection of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup processes and allow transparent backup and rapid recovery of critical files/folders, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business recover from data loss caused by hardware failures, natural calamities, fire, cyber attacks such as ransomware, user mistakes, malicious employees, or software glitches. Managed backup services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these fully managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top data security companies to provide centralized management and comprehensive protection for all your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a preliminary barrier and blocks the vast majority of threats before they reach your security perimeter. This decreases your exposure to external attacks and conserves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper layer of inspection for inbound email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also assist Exchange Server in tracking and safeguarding internal email that stays inside your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map, monitor, reconfigure and debug their connectivity hardware such as routers, firewalls, and access points as well as servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, locating appliances that need critical software patches, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to keep your network operating at peak levels by checking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT personnel and your Progent consultant so all potential problems can be addressed before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be moved immediately to a different hosting solution without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and protect information related to your IT infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save up to half the time wasted looking for vital information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents required for managing your business network, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're planning improvements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need the instant you need it. Find out more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates next-generation behavior-based machine learning tools to defend endpoints as well as servers and VMs against modern malware attacks such as ransomware and email phishing, which easily escape legacy signature-based AV tools. Progent Active Security Monitoring services protect on-premises and cloud resources and provide a unified platform to manage the entire malware attack lifecycle, including protection, identification, containment, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Learn more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Center: Help Desk Managed Services
    Progent's Call Center managed services allow your IT staff to outsource Call Center services to Progent or split responsibilities for Help Desk services seamlessly between your internal network support group and Progent's extensive roster of certified IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a seamless extension of your corporate network support organization. Client interaction with the Service Desk, provision of support services, escalation, trouble ticket creation and tracking, performance metrics, and maintenance of the service database are consistent whether issues are resolved by your in-house IT support organization, by Progent, or a mix of the two. Learn more about Progent's outsourced/co-managed Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide organizations of all sizes a versatile and cost-effective solution for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT system. In addition to maximizing the protection and functionality of your computer network, Progent's patch management services permit your IT staff to concentrate on more strategic initiatives and activities that derive the highest business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA services incorporate Cisco's Duo cloud technology to protect against stolen passwords by requiring two-factor authentication. Duo supports one-tap identity verification on Apple iOS, Google Android, and other personal devices. With Duo 2FA, whenever you sign into a protected application and enter your password, you are asked to confirm your identity via a device that only you have and that is reached over a different network channel. A wide selection of out-of-band devices can serve as this second means of identity validation, such as a smartphone or watch, a hardware token, or a landline phone. You may register multiple validation devices. To learn more about ProSight Duo identity validation services, go to Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of real-time reporting utilities designed to work with the industry's leading ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues like spotty support follow-up or machines with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.

For 24/7 crypto-ransomware recovery services in Akron, reach out to Progent at 800-462-8800 or go to Contact Progent.