Ransomware : Your Feared Information Technology Catastrophe
Ransomware Recovery Experts

Crypto-ransomware has become a too-frequent cyberplague that represents an extinction-level danger for businesses unprepared for an assault. Different iterations of ransomware like the Dharma, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been running rampant for years and still inflict damage. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Egregor, plus frequent as yet unnamed viruses, not only encrypt on-line files but also infiltrate any available system backups. Data synched to the cloud can also be rendered useless. In a vulnerable environment, it can render any restoration impossible and effectively sets the datacenter back to zero.

Getting back applications and information after a ransomware intrusion becomes a sprint against the clock as the victim tries its best to stop lateral movement and clear the ransomware and to resume mission-critical operations. Since ransomware needs time to spread, attacks are often launched at night, when successful attacks in many cases take more time to uncover. This compounds the difficulty of quickly assembling and orchestrating a knowledgeable response team.

Progent offers a range of support services for securing enterprises from ransomware penetrations. These include staff education to become familiar with and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of next-generation security appliances with machine learning technology from SentinelOne to identify and quarantine zero-day cyber attacks rapidly. Progent also can provide the assistance of seasoned ransomware recovery consultants with the track record and perseverance to rebuild a breached system as rapidly as possible.

Progent's Ransomware Restoration Services
Following a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the keys needed to decrypt any of your files. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their files after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is greatly above the usual crypto-ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to re-install the vital parts of your Information Technology environment. Without the availability of full data backups, this requires a broad complement of skill sets, top notch team management, and the capability to work non-stop until the task is finished.

For twenty years, Progent has provided expert IT services for companies in Albany and throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned advanced industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in financial management and ERP software solutions. This breadth of experience provides Progent the skills to rapidly determine critical systems and organize the surviving parts of your IT environment after a ransomware penetration and assemble them into a functioning system.

Progent's recovery team of experts utilizes best of breed project management applications to orchestrate the complicated recovery process. Progent appreciates the importance of acting rapidly and together with a client's management and Information Technology team members to assign priority to tasks and to put key systems back on line as fast as possible.

Business Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A business contacted Progent after their company was attacked by Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored criminal gangs, possibly using algorithms exposed from the U.S. NSA organization. Ryuk targets specific companies with little or no room for operational disruption and is one of the most profitable examples of ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer headquartered in the Chicago metro area and has about 500 employees. The Ryuk intrusion had paralyzed all business operations and manufacturing capabilities. Most of the client's data backups had been directly accessible from the network at the start of the attack and were eventually encrypted. The client was pursuing financing for paying the ransom (more than $200,000) and praying for the best, but in the end called Progent.


"I can't say enough in regards to the support Progent provided us during the most fearful time of (our) company's life. We may have had to pay the cybercriminals except for the confidence the Progent group afforded us. That you were able to get our messaging and critical applications back online quicker than a week was beyond my wildest dreams. Every single expert I talked with or communicated with at Progent was totally committed to getting us back on-line and was working non-stop to bail us out."

Progent worked together with the client to rapidly identify and prioritize the essential systems that needed to be restored to make it possible to restart departmental functions:

  • Active Directory
  • Exchange Server
  • MRP System

To begin, Progent followed anti-virus/malware incident response best practices by halting the spread and removing active infections. Progent then began the process of restoring Microsoft Active Directory, the core of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not work without AD, and the customer's accounting and MRP applications relied on SQL Server, which requires Windows AD for access to the data.

Within 2 days, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then completed rebuilding and hard drive recovery on key systems. All Exchange schema and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to assemble intact OST files (Outlook Off-Line Folder Files) from staff desktop computers and laptops to recover mail messages. A recent offline backup of the customer's accounting/ERP systems made it possible to restore these required applications and make them available to users again. Although a lot of work remained to recover totally from the Ryuk event, critical services were recovered rapidly:
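The restore sequence above (Active Directory first, then the systems that depend on it) is a dependency-ordering problem. The following is an added example, not Progent's or the customer's code: it models the dependency chain the case study describes (Exchange and SQL Server need AD; accounting/ERP and MRP need SQL Server), treats any backup that was reachable from the network during the attack as encrypted, and emits a rebuild order in which nothing is restored before what it depends on. The inventory, system names and backup labels are constructed for the example.

```python
"""Recovery-order planner for a ransomware rebuild (added example, not Progent's code)."""
from collections import deque

# Constructed inventory: name -> (systems it depends on, where its backup lived).
# 'online' = backup was reachable from the network during the attack,
# 'offline' = disconnected copy, 'none' = no backup, rebuild from scratch.
SYSTEMS = {
    "active_directory": ((), "none"),
    "exchange": (("active_directory",), "online"),
    "sql_server": (("active_directory",), "online"),
    "accounting_erp": (("sql_server",), "offline"),
    "mrp": (("sql_server",), "offline"),
    "intranet": (("active_directory", "sql_server"), "online"),
}


def recovery_source(backup_source):
    """Only offline copies count; network-reachable backups are assumed encrypted."""
    return {
        "offline": "restore from offline backup",
        "online": "backup reachable during attack: assume encrypted, rebuild",
        "none": "rebuild",
    }[backup_source]


def restore_order(systems):
    """Kahn's topological sort over the dependency graph.

    Returns the rebuild order (ties broken alphabetically so the result is
    stable); raises ValueError on an unknown dependency or a dependency cycle,
    since either means the inventory itself needs fixing before work starts.
    """
    indegree = {name: 0 for name in systems}
    dependents = {name: [] for name in systems}
    for name, (deps, _) in systems.items():
        for dep in deps:
            if dep not in systems:
                raise ValueError(f"{name} depends on unknown system {dep}")
            indegree[name] += 1
            dependents[dep].append(name)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        name = ready.popleft()
        order.append(name)
        for child in sorted(dependents[name]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(systems):
        stuck = [n for n in systems if n not in order]
        raise ValueError("dependency cycle involving: " + ", ".join(stuck))
    return order


def recovery_plan(systems):
    """Pair each system, in restore order, with the recovery action for it."""
    return [(name, recovery_source(systems[name][1])) for name in restore_order(systems)]


if __name__ == "__main__":
    for step, (name, action) in enumerate(recovery_plan(SYSTEMS), 1):
        print(f"{step}. {name}: {action}")
```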


"For the most part, the production operation was never shut down and we made all customer orders."

Over the following month critical milestones in the recovery process were achieved through close collaboration between Progent team members and the customer:

  • Internal web sites were returned to operation with no loss of data.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million archived emails, was brought online and made accessible to users.
  • CRM/Orders/Invoicing/AP/AR/Inventory capabilities were 100% operational.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Most of the user workstations were operational.

"A lot of what happened in the initial days is mostly a fog for me, but I will not soon forget the commitment each of you accomplished to help get our company back. I have entrusted Progent for the past ten years, maybe more, and every time Progent has shined and delivered as promised. This situation was the most impressive ever."

Conclusion
A possible business-ending catastrophe was avoided by results-oriented experts, a broad array of subject matter expertise, and close collaboration. In retrospect, the ransomware incident described here could have been identified and disabled with modern cyber security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, well designed security procedures for information protection, and proper patching controls. The fact remains, however, that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware penetration, feel confident that Progent's team of experts has proven experience in ransomware virus defense, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thanks very much for allowing me to get some sleep after we got past the initial fire. Everyone did an impressive effort, and if anyone is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Albany a portfolio of online monitoring and security evaluation services to assist you to reduce your vulnerability to ransomware. These services include next-generation AI technology to detect zero-day variants of crypto-ransomware that are able to get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting edge behavior machine learning tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which routinely evade traditional signature-matching AV products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to address the entire threat progression including blocking, infiltration detection, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical multi-layer protection for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device control, and web filtering via leading-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization consultants can assist your business to plan and implement a ProSight ESP environment that meets your organization's unique requirements and that allows you to achieve and demonstrate compliance with government and industry data security standards. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent action. Progent's consultants can also help you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup/restore software companies to create ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products manage and track your data backup operations and allow transparent backup and rapid recovery of important files/folders, applications, system images, and VMs. ProSight DPS helps you recover from data loss resulting from hardware breakdown, natural calamities, fire, cyber attacks like ransomware, user error, malicious employees, or application bugs. Managed backup services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security vendors to deliver web-based control and comprehensive security for all your email traffic. The hybrid structure of Email Guard integrates cloud-based filtering with a local security gateway device to provide complete defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and keeps most threats from making it to your network firewall. This decreases your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's onsite security gateway device provides a deeper level of inspection for incoming email. For outbound email, the local security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and protect internal email that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map out, monitor, reconfigure and troubleshoot their networking appliances such as routers and switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when potential issues are detected. By automating time-consuming management activities, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, finding appliances that require critical updates, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to keep your network running efficiently by tracking the health of critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT staff and your Progent engineering consultant so that all looming issues can be addressed before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault tolerant data center on a fast virtual host configured and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the applications. Because the system is virtualized, it can be ported immediately to a different hardware environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and protect data about your IT infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as 50% of time thrown away searching for vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based machine learning technology to guard endpoint devices as well as servers and VMs against new malware attacks like ransomware and email phishing, which easily evade traditional signature-based AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and offer a single platform to address the complete threat progression including blocking, infiltration detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and real-time network-wide immunization against new attacks. Find out more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Center: Help Desk Managed Services
    Progent's Help Desk services allow your IT staff to outsource Help Desk services to Progent or split activity for support services seamlessly between your in-house network support group and Progent's nationwide pool of certified IT service engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a smooth extension of your core IT support staff. End user interaction with the Service Desk, delivery of support, issue escalation, trouble ticket creation and updates, efficiency metrics, and management of the support database are consistent regardless of whether issues are resolved by your core support staff, by Progent, or both. Learn more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management provide businesses of all sizes a flexible and cost-effective alternative for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information system. Besides optimizing the security and reliability of your IT environment, Progent's patch management services allow your IT team to focus on more strategic initiatives and tasks that derive maximum business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services incorporate Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication. Duo supports one-tap identity verification with iOS, Android, and other personal devices. Using 2FA, when you log into a protected online account and enter your password you are requested to confirm who you are on a device that only you possess and that is accessed using a different ("out-of-band") network channel. A wide range of devices can be used as this added form of authentication including a smartphone or watch, a hardware/software token, a landline phone, etc. You may designate multiple validation devices. To learn more about ProSight Duo identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time management reporting utilities designed to integrate with the leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues like inconsistent support follow-through or machines with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.

For Albany 24-Hour CryptoLocker Recovery Experts, contact Progent at 800-462-8800 or go to Contact Progent.