Ransomware : Your Crippling Information Technology Catastrophe
Ransomware Recovery Professionals

Ransomware has become a too-frequent cyberplague that presents an extinction-level threat for businesses of all sizes vulnerable to an attack. Multiple generations of crypto-ransomware such as Reveton, Fusob, Locky, NotPetya and the MongoLock cryptoworm have been around for a long time and still inflict harm. Newer variants of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Nephilim, as well as frequent as-yet-unnamed strains, not only encrypt online data files but also compromise many of the system protection mechanisms that have been configured. Information synched to off-site disaster recovery sites can also be encrypted. In a poorly architected system, this can render automatic restore operations useless and effectively sets the entire environment back to zero.

Recovering applications and information following a crypto-ransomware event becomes a race against time as the targeted organization tries its best to stop the spread, eradicate the malware, and resume enterprise-critical activity. Because ransomware takes time to spread, attacks are usually launched at night or on weekends, when they often take longer to detect. This multiplies the difficulty of rapidly mobilizing and orchestrating a knowledgeable mitigation team.

Progent has a range of solutions for protecting businesses from crypto-ransomware attacks. These include staff training to become familiar with and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of modern security gateways with artificial intelligence capabilities from SentinelOne to detect and quarantine zero-day cyber threats quickly. Progent also provides the assistance of veteran ransomware recovery engineers with the talent and commitment to restore a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Services
Soon after a crypto-ransomware event, even paying the ransom in Bitcoin cryptocurrency does not ensure that distant criminals will respond with the keys to decrypt all your files. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is greatly above the typical ransomware demand, which ZDNet estimates to be around $13,000. The fallback is to re-install the vital parts of your IT environment. Absent access to essential information backups, this calls for a broad complement of IT skills, professional team management, and the capability to work continuously until the recovery project is completed.

For decades, Progent has made available expert Information Technology services for businesses in Anaheim and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have earned high-level certifications in key technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally renowned certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise in financial management and ERP applications. This breadth of experience affords Progent the capability to quickly understand the necessary systems, organize the surviving pieces of your network after a ransomware attack, and configure them into an operational system.

Progent's ransomware group has powerful project management systems to coordinate the sophisticated recovery process. Progent knows the urgency of working rapidly and together with a customer's management and IT staff to prioritize tasks and to get key services back on line as soon as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Attack Recovery
A customer hired Progent after their organization was taken over by Ryuk crypto-ransomware. Ryuk is believed to have been created by North Korean state criminal gangs, suspected of using algorithms leaked from the U.S. National Security Agency. Ryuk seeks out specific companies with little or no ability to sustain operational disruption and is one of the most profitable incarnations of ransomware malware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in the Chicago metro area with around 500 workers. The Ryuk penetration had frozen all business operations and manufacturing processes. The majority of the client's information backups had been directly accessible from the network at the beginning of the intrusion and were eventually encrypted. The client was pursuing financing for paying the ransom demand (more than $200K) and hoping for good luck, but in the end brought in Progent.


"I can't thank you enough in regards to the care Progent gave us throughout the most critical period of (our) company's survival. We had little choice but to pay the criminal gangs if not for the confidence the Progent group afforded us. That you were able to get our e-mail system and important applications back faster than seven days was beyond my wildest dreams. Every single staff member I got help from or e-mailed at Progent was totally committed to getting us back on-line and was working 24/7 to bail us out."

Progent worked together with the customer to rapidly determine and prioritize the mission critical elements that needed to be addressed in order to continue business functions:

  • Active Directory (AD)
  • Electronic Mail
  • Accounting/MRP

To start, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and removing active malware. Progent then began the steps of recovering Windows Active Directory, the key technology of enterprise environments built upon Microsoft Windows. Microsoft Exchange email will not operate without AD, and the client's MRP software used Microsoft SQL Server, which requires Active Directory for access to the data.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then completed rebuilding and data recovery for the needed applications. All Microsoft Exchange Server schema and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to find non-encrypted OST files (Outlook Offline Folder Files) on user workstations and use them to recover mail data. A recent off-line backup of the client's accounting software made it possible to bring these vital services back online for users. Although major work remained to recover fully from the Ryuk attack, core systems were recovered rapidly:


"For the most part, the assembly line operation was never shut down and we delivered all customer orders."

Throughout the following couple of weeks key milestones in the recovery process were accomplished through tight collaboration between Progent team members and the customer:

  • Internal web applications were returned to operation with no loss of information.
  • The MailStore Server with over four million archived emails was spun up and accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were 100 percent operational.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Nearly all of the desktops and laptops were operational.

"Much of what transpired that first week is nearly entirely a haze for me, but our team will not forget the dedication each and every one of the team put in to give us our business back. I've utilized Progent for the past ten years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This event was no exception but maybe more Herculean."

Conclusion
A likely business-killing catastrophe was avoided through the efforts of hard-working experts, a wide spectrum of subject matter expertise, and close collaboration. In retrospect, the ransomware attack detailed here could have been identified and blocked with advanced cyber security systems and recognized best practices, user and IT administrator training, and well-designed incident response procedures for information protection and for applying software patches. The fact remains, however, that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and represent an ongoing threat. If you do get hit by crypto-ransomware, feel confident that Progent's team of experts has substantial experience in ransomware blocking, remediation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thanks very much for allowing me to get rested after we got through the most critical parts. Everyone did an impressive job, and if any of your guys is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Anaheim a range of remote monitoring and security assessment services to help you minimize the threat from crypto-ransomware. These services incorporate next-generation machine learning capability to detect new strains of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior-based analysis tools to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which easily get by legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to manage the complete threat lifecycle including protection, identification, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge technologies packaged within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help your business to plan and configure a ProSight ESP deployment that meets your company's unique needs and that allows you to demonstrate compliance with legal and industry data security standards. Progent will assist you to define and implement the policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent's consultants can also assist your company to install and test a backup and restore solution like ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with leading backup/restore software companies to create ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your backup operations and allow transparent backup and rapid restoration of important files/folders, apps, images, plus VMs. ProSight DPS lets your business recover from data loss caused by equipment breakdown, natural disasters, fire, malware like ransomware, user mistakes, ill-intentioned employees, or software bugs. Managed backup services in the ProSight Data Protection Services product family include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading data security vendors to deliver web-based control and world-class security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to provide complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from reaching your security perimeter. This reduces your exposure to external attacks and saves network bandwidth and storage space. Email Guard's onsite gateway device adds a deeper level of inspection for incoming email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to diagram, track, reconfigure and troubleshoot their networking appliances such as switches, firewalls, and access points as well as servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are kept current, copies and displays the configuration information of virtually all devices on your network, tracks performance, and sends notices when potential issues are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can cut hours off ordinary tasks like network mapping, reconfiguring your network, finding appliances that require important updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by tracking the state of the critical computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your designated IT staff and your assigned Progent consultant so any potential issues can be addressed before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's IT support professionals. With the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hosting environment without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect data related to your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can save up to 50% of the time wasted looking for critical information about your network. ProSight IT Asset Management features a common repository for holding and collaborating on all documents related to managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes cutting-edge behavior-based machine learning tools to defend endpoint devices as well as physical and virtual servers against modern malware assaults such as ransomware and file-less exploits, which routinely escape traditional signature-matching anti-virus products. Progent ASM services protect on-premises and cloud-based resources and provide a unified platform to manage the entire malware attack lifecycle including blocking, infiltration detection, mitigation, cleanup, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Find out more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Service Center: Call Center Managed Services
    Progent's Call Desk managed services allow your information technology team to outsource Help Desk services to Progent or divide responsibilities for Service Desk support seamlessly between your internal support resources and Progent's nationwide pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a seamless extension of your in-house IT support organization. End user interaction with the Service Desk, delivery of support services, escalation, trouble ticket creation and tracking, efficiency metrics, and management of the support database are cohesive regardless of whether incidents are taken care of by your internal IT support resources, by Progent's team, or by a combination. Find out more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide organizations of all sizes a versatile and cost-effective solution for assessing, validating, scheduling, applying, and tracking updates to your ever-evolving information network. Besides optimizing the security and reliability of your IT environment, Progent's patch management services permit your in-house IT team to focus on more strategic projects and activities that deliver the highest business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services incorporate Cisco's Duo technology to defend against stolen passwords by using two-factor authentication. Duo enables single-tap identity confirmation on iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a secured online account and give your password, you are asked to verify your identity on a device that only you possess and that uses a separate network channel. A broad selection of out-of-band devices can be used for this second form of authentication, such as a smartphone or watch, a hardware/software token, or a landline phone. You can designate several validation devices. To learn more about Duo identity validation services, visit Cisco Duo MFA two-factor authentication services.

For 24x7x365 Anaheim Crypto-Ransomware Remediation Experts, call Progent at 800-462-8800 or go to Contact Progent.