Ransomware : Your Worst IT Disaster
Ransomware Recovery Professionals
Ransomware has become an all-too-frequent cyber pandemic that poses an existential threat to organizations unprepared for an attack. Multiple generations of ransomware, including the CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms, have been around for years and still cause destruction. Recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with frequent as-yet-unnamed malware, not only encrypt critical online data but also infiltrate most configured system backups. Information synchronized to off-site disaster recovery sites can also be ransomed. In a poorly architected environment, this can render automated recovery impossible and effectively knock the entire system back to zero.

Getting applications and information back online following a ransomware event becomes a race against the clock as the targeted business fights to contain the damage, remove the virus, and restore business-critical activity. Because ransomware needs time to move laterally, attacks are usually sprung on weekends, when penetrations are likely to take longer to uncover. This multiplies the difficulty of promptly assembling and organizing a capable mitigation team.

Progent offers an assortment of support services for protecting organizations from ransomware penetrations. These include user education to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation security solutions with AI technology from SentinelOne to detect and quarantine zero-day cyber threats automatically. Progent can also provide the services of seasoned crypto-ransomware recovery engineers with the talent and commitment to restore a compromised environment as urgently as possible.

Progent's Ransomware Restoration Help
Following a crypto-ransomware event, even paying the ransom demand in cryptocurrency does not ensure that the criminal gang will provide the keys needed to decrypt any or all of your files. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their information even after sending off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC (roughly $120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET determined to be around $13,000. The alternative is to piece back together the key components of your Information Technology environment. Without full system backups, this requires a wide complement of skills, professional project management, and the willingness to work non-stop until the recovery project is completed.

For two decades, Progent has offered expert Information Technology services for businesses in Akron and throughout the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have been awarded top industry certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise in financial management and ERP application software. This breadth of experience gives Progent the ability to knowledgeably identify critical systems, reorganize the surviving parts of your IT environment following a ransomware penetration, and configure them into a functioning system.

Progent's ransomware group deploys best-of-breed project management systems to coordinate the sophisticated recovery process. Progent knows the urgency of acting swiftly and in concert with a client's management and Information Technology staff to prioritize tasks and to put critical services back online as soon as possible.

Business Case Study: A Successful Crypto-Ransomware Virus Recovery
A client hired Progent after their network was attacked by the Ryuk ransomware virus. Ryuk is thought to have been deployed by North Korean government-sponsored criminal gangs, possibly adopting techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with limited ability to sustain disruption and is among the most lucrative examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in Chicago with about 500 staff members. The Ryuk attack had paralyzed all business operations and manufacturing capabilities. Most of the client's system backups had been directly accessible at the start of the intrusion and were encrypted. The client was considering paying the ransom (in excess of $200,000) and hoping for good luck, but ultimately engaged Progent.


"I cannot speak enough about the care Progent gave us during the most fearful period of (our) company's survival. We would have paid the cybercriminals except for the confidence the Progent team gave us. The fact that you were able to get our e-mail system and important applications back sooner than 1 week was beyond my wildest dreams. Every single expert I worked with or messaged at Progent was totally committed to getting my company operational and was working at a breakneck pace on our behalf."

Progent worked together with the client to rapidly identify and assign priority to the essential elements that had to be addressed to make it possible to resume business functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Financials/MRP

To begin, Progent followed ransomware penetration mitigation best practices by stopping the spread and removing active viruses. Progent then started the process of recovering Windows Active Directory, the foundation of enterprise environments built on Microsoft technology. Exchange email will not operate without AD, and the customer's MRP applications used Microsoft SQL Server, which depends on Windows AD for authentication to the data.

Within two days, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then initiated reinstallations and storage recovery of mission-critical servers. All Exchange schema and configuration information was usable, which accelerated the restoration of Exchange. Progent was able to collect intact OST files (Outlook Offline Folder Files) from staff workstations to recover email information. A relatively recent offline backup of the client's financials/ERP software made it possible to bring these required services back online. Although major work still had to be done to recover completely from the Ryuk damage, core systems were restored rapidly:


"For the most part, the production operation survived unscathed and we produced all customer sales."

Over the next month, critical milestones in the recovery process were reached in close cooperation between Progent engineers and the client:

  • Internal web applications were brought back up without losing any information.
  • The MailStore Server with over four million archived messages was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivable (AR)/Inventory Control capabilities were 100% operational.
  • A new Palo Alto 850 security appliance was installed.
  • Nearly all of the user desktops were operational.

"So much of what was accomplished during the initial response is nearly entirely a fog for me, but I will not forget the urgency all of you put in to give us our company back. I've utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This event was a stunning achievement."

Conclusion
A probable business-killing catastrophe was averted thanks to top-tier experts, a wide array of IT skills, and tight teamwork. In retrospect, the ransomware incident described here should have been detected and prevented with up-to-date security systems, NIST Cybersecurity Framework best practices, user education, and properly executed procedures for data backup and for keeping systems current with security patches. The fact remains, however, that government-sponsored hackers from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incident, you can be confident that Progent's roster of professionals has a proven track record in ransomware defense, mitigation, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get rested after we made it over the initial push. All of you did an amazing job, and if any of your guys is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Akron a portfolio of online monitoring and security evaluation services designed to help you minimize your exposure to crypto-ransomware. These services incorporate next-generation machine learning technology to uncover zero-day variants of ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses SentinelOne's cutting-edge behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus products. ProSight Active Security Monitoring safeguards local and cloud resources and provides a unified platform to automate the complete malware attack lifecycle, including filtering, detection, containment, cleanup, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection services deliver economical multi-layer protection for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring of and response to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering via cutting-edge tools packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP environment that addresses your company's unique needs and that helps you demonstrate compliance with government and industry data security regulations. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that call for urgent action. Progent can also help you set up and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with advanced backup/restore software companies to create ProSight Data Protection Services, a selection of management offerings that deliver backup-as-a-service. ProSight DPS services automate and track your backup processes and enable non-disruptive backup and rapid restoration of important files, apps, images, and virtual machines. ProSight DPS lets you protect against data loss caused by hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, human error, malicious employees, or application bugs. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security vendors to provide centralized management and world-class protection for all your email traffic. The powerful structure of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway appliance to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. Email Guard's cloud filter serves as a first barrier and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway device adds a further layer of inspection for incoming email. For outgoing email, the on-premises gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Exchange Server track and safeguard internal email that stays within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map, monitor, enhance and debug their networking hardware such as switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Using cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration of almost all devices connected to your network, tracks performance, and generates alerts when problems are detected. By automating complex management processes, ProSight WAN Watch can cut hours off ordinary chores such as network mapping, expanding your network, locating appliances that need critical software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to keep your IT system running at peak levels by checking the health of vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT management personnel and your assigned Progent consultant so that any looming problems can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hosting environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, update, retrieve and safeguard data related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and relating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates next-generation behavior-based machine learning technology to guard endpoints as well as servers and VMs against new malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-matching AV tools. Progent ASM services safeguard local and cloud resources and offer a single platform to address the complete malware attack progression, including protection, identification, containment, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Call Center Managed Services
    Progent's Help Center services enable your IT staff to offload Help Desk services to Progent or divide responsibilities for support services seamlessly between your in-house support resources and Progent's extensive roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a smooth supplement to your internal IT support group. Client interaction with the Help Desk, delivery of support, escalation, trouble ticket generation and tracking, efficiency metrics, and management of the support database are consistent whether issues are taken care of by your corporate support group, by Progent's team, or both. Read more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management offer organizations of all sizes a flexible and cost-effective solution for evaluating, testing, scheduling, implementing, and tracking updates to your ever-evolving IT system. In addition to optimizing the protection and functionality of your computer network, Progent's software/firmware update management services free up time for your IT team to concentrate on line-of-business initiatives and tasks that derive the highest business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo technology to protect against password theft by using two-factor authentication. Duo enables one-tap identity confirmation with Apple iOS, Android, and other out-of-band devices. With 2FA, whenever you log into a secured application and enter your password, you are asked to verify who you are on a device that only you possess and that is reached over a different ("out-of-band") network channel. A broad range of out-of-band devices can be used as this added means of ID validation, including an iPhone, an Android phone, a smartwatch, a hardware token, or a landline phone. You may register multiple validation devices. For details about ProSight Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of real-time reporting utilities designed to integrate with the industry's top ticketing and remote network monitoring platforms, including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and uses color coding to surface and contextualize key issues such as spotty support follow-through or machines with out-of-date antivirus. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

For 24x7 crypto-ransomware removal consultants in Akron, contact Progent at 800-462-8800 or go to Contact Progent.