Ransomware : Your Crippling IT Disaster
Crypto-Ransomware Recovery Consultants
Crypto-ransomware has become an escalating cyberplague and an enterprise-level threat for organizations that are poorly prepared for an attack. Multiple generations of ransomware, including the CrySIS, CryptoWall, Locky, SamSam and MongoLock families, have been in the wild for years and still cause havoc. The latest crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nefilim, along with a daily stream of unnamed strains, not only encrypt online files but also go after whatever system protection is in place, including local shadow copies and any backup repository reachable with the credentials the intruders have taken. Files replicated to an off-site disaster recovery site can be encrypted as well. In a poorly architected environment this makes automated recovery useless and effectively sets the whole system back to zero.

Restoring applications and data after a crypto-ransomware event becomes a race against time as the targeted business works to contain the damage, eradicate the ransomware and bring enterprise-critical activity back online. Because the operators need time to move laterally and stage the encryption, attacks are often detonated on weekends, when the intrusion may take longer to notice. That timing also makes it harder to assemble and organize a capable response team quickly.
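
The destruction of local recovery mechanisms described above, and the weekend timing, leave a detectable trail in process-creation telemetry. The following Python script is an added example for this page, not Progent's or SentinelOne's code: it scans constructed process-creation records (the shape a SIEM produces from Windows Security event 4688 or Sysmon event ID 1; the field names are assumptions) for the recovery-tampering command lines that Ryuk and similar families are documented to run (vssadmin shadow-copy deletion, wbadmin catalog deletion, bcdedit disabling Windows recovery), flags off-hours execution, and escalates any host that runs several such commands within a short window.

```python
"""Detect ransomware disabling Windows recovery before encryption.

Added example for this page (not Progent's or SentinelOne's code). Input is a
list of process-creation records in the shape a SIEM produces from Windows
Security event 4688 or Sysmon event ID 1; the field names (time, host, user,
cmd) are assumptions. Times are UTC ISO 8601 without a zone suffix.
"""
import re
from datetime import datetime

# Recovery-tampering command lines documented for Ryuk and many other families.
# Patterns are deliberately narrow: "vssadmin list shadows" is routine admin
# work and must not fire; only deletion, resizing and recovery changes do.
RULES = [
    ("vss_delete",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("wmic_shadow_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

# Constructed sample telemetry (not a real capture). 2020-03-14 is a Saturday.
SAMPLE_EVENTS = [
    {"time": "2020-03-13T10:02:11", "host": "FS01", "user": "CORP\\backupadmin",
     "cmd": "vssadmin list shadows"},                          # benign admin check
    {"time": "2020-03-14T02:17:05", "host": "FS01", "user": "CORP\\svc_rmm",
     "cmd": "vssadmin.exe Delete Shadows /all /quiet"},
    {"time": "2020-03-14T02:17:06", "host": "FS01", "user": "CORP\\svc_rmm",
     "cmd": "wbadmin delete catalog -quiet"},
    {"time": "2020-03-14T02:17:07", "host": "FS01", "user": "CORP\\svc_rmm",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"time": "2020-03-16T14:30:00", "host": "WS-ACCT7", "user": "CORP\\jdoe",
     "cmd": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
]


def off_hours(ts: str) -> bool:
    """Weekend, or outside an assumed 06:00-20:00 business day."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not 6 <= t.hour < 20


def analyze(events):
    """Return one finding per event whose command line matches a rule."""
    findings = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmd"]):
                findings.append({
                    "time": ev["time"], "host": ev["host"], "user": ev["user"],
                    "rule": name, "off_hours": off_hours(ev["time"]), "cmd": ev["cmd"],
                })
                break  # one rule per event is enough for escalation
    return findings


def escalate(findings, window_seconds=300, threshold=2):
    """Raise a host-level alert when `threshold` distinct rules fire on one host
    within `window_seconds`. A lone shadow-copy deletion can be legitimate
    cleanup; several tampering commands in quick succession are the
    pre-encryption stage and warrant isolating the host immediately."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f)
    alerts = []
    for host, fs in by_host.items():
        fs.sort(key=lambda f: f["time"])  # fixed-width ISO strings sort chronologically
        for i, first in enumerate(fs):
            t0 = datetime.fromisoformat(first["time"])
            rules = {
                f["rule"] for f in fs[i:]
                if (datetime.fromisoformat(f["time"]) - t0).total_seconds() <= window_seconds
            }
            if len(rules) >= threshold:
                alerts.append({"host": host, "first_seen": first["time"],
                               "rules": sorted(rules),
                               "off_hours": any(f["off_hours"] for f in fs[i:])})
                break
    return alerts


if __name__ == "__main__":
    for a in escalate(analyze(SAMPLE_EVENTS)):
        print(f"ALERT {a['host']} at {a['first_seen']} off_hours={a['off_hours']}: "
              + ", ".join(a["rules"]))
```

Run against the constructed events, the benign `vssadmin list shadows` on Friday produces no finding, while the three tampering commands on FS01 early Saturday morning produce one host-level alert. In practice the alert should trigger host isolation and a check of whether backup targets were reachable from that host's credentials, since the same stage of the attack is when reachable backups get destroyed.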

Progent offers a range of services for protecting businesses from crypto-ransomware: staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of current-generation endpoint protection from SentinelOne that uses behavioral AI to identify and stop zero-day threats quickly. Progent can also provide experienced crypto-ransomware recovery engineers with the skills and persistence to rebuild a compromised environment as fast as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a ransomware intrusion, even paying the ransom in cryptocurrency does not guarantee that the criminal gang will deliver working decryption keys. Kaspersky found that 17% of crypto-ransomware victims never recovered their files after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms are commonly a few hundred thousand dollars, and for larger enterprises they can run into the millions. The other path is to rebuild the mission-critical parts of the IT environment. Without usable backups of essential data, this demands a broad range of skills, top-notch project management and the willingness to work around the clock until the job is finished.

For two decades, Progent has provided certified expert IT services to businesses across the U.S. and has achieved Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in key technologies including Microsoft, Cisco, VMware and popular Linux distributions. Progent's security specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, SANS GIAC and CMMC 2.0. (Visit Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of experience allows Progent to efficiently determine which systems are required, salvage the surviving pieces of a network after a ransomware intrusion, and integrate them back into a working system.

Progent's recovery team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of working quickly and in concert with a customer's management and IT staff to prioritize tasks and bring essential systems back online as soon as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Attack Restoration
A business escalated to Progent after its network was brought down by Ryuk ransomware. Ryuk was initially linked to North Korean state-backed groups because of code it shares with the Hermes ransomware; later analysis attributes it to Russian-speaking criminal operators, and its delivery chain has been suspected of using techniques exposed from United States National Security Agency tooling. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most profitable ransomware strains. High-profile victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with about 500 employees. The Ryuk attack had shut down all essential business operations and manufacturing. Most of the client's backups had been directly accessible from the network at the start of the attack and were destroyed. The client was arranging financing to pay the ransom (more than $200,000) and hoping for the best, but ultimately engaged Progent instead.


"I cannot say enough about the support Progent provided us during the most stressful period of (our) business's survival. We had little choice but to pay the cybercriminals except for the confidence the Progent team afforded us. That you were able to get our e-mail and production applications back in less than five days was earth shattering. Every single person I interacted with or messaged at Progent was urgently focused on getting us operational and was working 24 by 7 to bail us out."

Progent worked hand in hand with the client to rapidly assess and prioritize the key components that had to be restored for the company to keep operating:

  • Windows Active Directory
  • Microsoft Exchange Server
  • Financials/MRP
First, Progent followed incident response best practices by halting lateral movement and cleaning infected systems. Progent then began restoring Active Directory, the foundation of any environment built on Windows Server. Microsoft Exchange will not function without AD, and the customer's accounting and MRP software ran on Microsoft SQL Server, which in this environment depended on Active Directory for authentication to the database.

In less than 48 hours, Progent restored Active Directory to its pre-attack state. Progent then performed reinstallations and disk recovery on the most important systems. The Exchange Server data and attributes were intact, which simplified the Exchange restore. Progent also located intact OST files (Outlook offline data files) on user desktops and laptops, which provided a second source for recovering mailbox content. A recent offline backup of the accounting/MRP software made it possible to bring those essential applications back into service. Although substantial work remained to recover fully from the Ryuk attack, core systems were restored quickly:


"For the most part, the assembly line operation was never shut down and we produced all customer deliverables."

Over the following couple of weeks, key milestones in the restoration were reached through close cooperation between Progent consultants and the client:

  • Internal web applications were returned to operation with no loss of data.
  • The MailStore email archive, holding more than four million archived messages, was brought back online and made accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control capabilities were 100% functional.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Most user desktops and laptops were back in operation.

"A huge amount of what happened those first few days is mostly a haze for me, but our team will not soon forget the commitment each and every one of your team put in to help get our company back. I have trusted Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This time was a testament to your capabilities."

Conclusion
A likely business-ending disaster was averted through dedicated professionals, a broad range of expertise and close teamwork. Post-incident forensics showed that the attack described here would have been blocked by current security tooling, ISO/IEC 27001 practices, user training and properly executed procedures for backups and patching; the reality, though, is that state-sponsored and criminal attackers from Russia, North Korea and elsewhere are relentless and will keep coming. If you do fall victim to a ransomware intrusion, Progent's roster of professionals has substantial experience in ransomware defense, remediation and disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for letting me get rested after we got over the most critical parts. Everyone did a fabulous effort, and if anyone that helped is around the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Albany a portfolio of remote monitoring and security assessment services to help reduce the threat from ransomware. These services use behavior-based AI detection to catch new strains of ransomware that get past legacy signature-based tools.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses SentinelOne's next-generation behavior-based analysis to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely get past traditional signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a single platform to manage the complete threat progression: protection, detection, mitigation, cleanup and forensics. Key features include one-click rollback using the Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Note that rollback depends on shadow copies surviving, which ransomware routinely tries to delete, so the agent's ability to block that tampering is part of the value. Progent is a SentinelOne Partner, dealer and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge technologies packaged within one agent managed from a single console. Progent's security and virtualization consultants can assist you to plan and implement a ProSight ESP deployment that addresses your organization's unique needs and that helps you prove compliance with government and industry information protection regulations. Progent will assist you define and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require urgent attention. Progent's consultants can also help your company to set up and test a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with leading backup/restore technology companies to create ProSight Data Protection Services, a selection of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup processes and allow non-disruptive backup and rapid restoration of vital files/folders, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you avoid data loss caused by hardware breakdown, natural calamities, fire, malware such as ransomware, user mistakes, ill-intentioned insiders, or application bugs. Managed backup services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security vendors to provide web-based control and comprehensive protection for all your email traffic. The hybrid architecture of Email Guard combines a Cloud Protection Layer with a local gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs) and other email-based threats. The Cloud Protection Layer acts as the first line of defense and blocks the vast majority of threats before they reach your network firewall. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises gateway device provides a further level of inspection for inbound email. For outgoing email, the on-premises gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention and email encryption. The local gateway can also work with Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map, track, optimize and troubleshoot their connectivity hardware such as routers, firewalls, and load balancers plus servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are always current, captures and displays the configuration of almost all devices on your network, monitors performance, and generates notices when issues are detected. By automating complex network management processes, WAN Watch can cut hours off ordinary tasks like network mapping, expanding your network, locating appliances that require important updates, or resolving performance problems. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management techniques to keep your IT system operating at peak levels by checking the state of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your specified IT personnel and your Progent engineering consultant so all potential problems can be resolved before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS platforms and the apps. Because the system is virtualized, it can be moved easily to a different hosting solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect information about your IT infrastructure, processes, business apps and services. You can instantly find passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can eliminate up to half of the time wasted looking for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning improvements, doing maintenance or responding to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that uses behavior-based machine learning to defend endpoints, servers and VMs against new malware attacks such as ransomware and fileless exploits, which routinely escape traditional signature-based AV products. The service protects on-premises and cloud-based resources and provides a unified platform to manage the complete threat progression: blocking, detection, mitigation, remediation and forensics. Top features include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Call Center: Call Center Managed Services
    Progent's Help Center services enable your information technology group to outsource Call Center services to Progent or divide responsibilities for support services transparently between your in-house network support staff and Progent's nationwide roster of IT service engineers and subject matter experts. Progent's Shared Service Desk provides a smooth supplement to your internal IT support team. Client interaction with the Service Desk, delivery of technical assistance, problem escalation, ticket creation and tracking, efficiency metrics, and management of the service database are consistent whether issues are resolved by your corporate network support staff, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/shared Service Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide businesses of any size a flexible and affordable solution for assessing, testing, scheduling, applying, and documenting software and firmware updates to your dynamic IT system. In addition to optimizing the protection and functionality of your computer environment, Progent's software/firmware update management services permit your IT team to focus on more strategic initiatives and activities that deliver maximum business value from your network. Read more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo technology to protect against compromised passwords through two-factor authentication (2FA). Duo enables one-tap identity verification with Apple iOS, Google Android and other personal devices. With Duo 2FA, when you log into a protected application and enter your password, you are asked to confirm who you are on a device that only you possess and that uses a separate network channel. A broad range of devices can be used as this added factor, including an iPhone, Android phone or wearable, a hardware or software token, a landline telephone, and so on. You may register several verification devices. For details about Duo two-factor authentication services, visit Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding family of in-depth management reporting plug-ins designed to work with the top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like inconsistent support follow-up or machines with missing patches. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

For 24/7 Albany crypto-ransomware removal help, call Progent at 800-462-8800 or go to Contact Progent.