Ransomware : Your Worst Information Technology Disaster
Ransomware  Remediation ConsultantsRansomware has become a too-frequent cyberplague that poses an extinction-level threat for businesses poorly prepared for an assault. Versions of ransomware like the Reveton, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for a long time and continue to inflict havoc. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with daily unnamed newcomers, not only encrypt online data but also infect most available system backups. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, it can make automatic recovery impossible and basically sets the datacenter back to zero.

Recovering programs and data after a ransomware outage becomes a race against the clock as the targeted business struggles to contain the damage and clear the ransomware and to restore mission-critical activity. Since ransomware takes time to move laterally, attacks are usually launched during nights and weekends, when attacks may take more time to detect. This compounds the difficulty of promptly marshalling and coordinating a capable mitigation team.

Progent makes available an assortment of solutions for protecting businesses from crypto-ransomware events. Among these are team education to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of modern security solutions with AI technology from SentinelOne to discover and extinguish day-zero cyber threats intelligently. Progent in addition offers the services of veteran crypto-ransomware recovery consultants with the talent and commitment to restore a breached system as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware event, paying the ransom in Bitcoin cryptocurrency does not ensure that criminal gangs will respond with the needed codes to decrypt any of your information. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their files after having paid the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is significantly above the average crypto-ransomware demands, which ZDNET estimates to be around $13,000. The alternative is to re-install the key components of your Information Technology environment. Without the availability of full information backups, this requires a wide range of IT skills, professional team management, and the willingness to work continuously until the job is finished.

For twenty years, Progent has made available certified expert IT services for companies in Anaheim and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have been awarded advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of expertise provides Progent the capability to knowledgably determine necessary systems and organize the remaining components of your IT environment following a ransomware event and configure them into an operational system.

Progent's recovery team of experts utilizes best of breed project management systems to orchestrate the complex restoration process. Progent appreciates the importance of working rapidly and together with a client's management and Information Technology resources to prioritize tasks and to put the most important applications back on line as fast as possible.

Case Study: A Successful Ransomware Attack Recovery
A small business escalated to Progent after their network system was taken over by Ryuk ransomware. Ryuk is generally considered to have been created by Northern Korean state sponsored hackers, possibly using technology leaked from America's National Security Agency. Ryuk seeks specific organizations with limited room for disruption and is one of the most profitable instances of ransomware malware. Well Known victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing company located in the Chicago metro area and has about 500 staff members. The Ryuk intrusion had shut down all business operations and manufacturing capabilities. The majority of the client's data protection had been directly accessible at the time of the attack and were destroyed. The client was pursuing financing for paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but in the end called Progent.


"I cannot say enough in regards to the expertise Progent provided us throughout the most fearful time of (our) businesses existence. We may have had to pay the hackers behind this attack if not for the confidence the Progent experts provided us. That you could get our e-mail and production applications back online faster than five days was amazing. Each expert I worked with or communicated with at Progent was amazingly focused on getting our system up and was working non-stop to bail us out."

Progent worked with the client to quickly determine and assign priority to the mission critical elements that needed to be addressed in order to resume departmental operations:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • MRP System
To get going, Progent followed ransomware penetration mitigation best practices by halting the spread and removing active viruses. Progent then began the task of bringing back online Microsoft AD, the core of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not function without Windows AD, and the client's financials and MRP applications used SQL Server, which depends on Active Directory for access to the data.

In less than two days, Progent was able to re-build Active Directory to its pre-intrusion state. Progent then initiated reinstallations and hard drive recovery of mission critical systems. All Microsoft Exchange Server ties and attributes were intact, which accelerated the restore of Exchange. Progent was able to collect non-encrypted OST data files (Microsoft Outlook Off-Line Data Files) on team desktop computers and laptops to recover mail data. A recent off-line backup of the businesses manufacturing software made it possible to restore these required programs back servicing users. Although a lot of work still had to be done to recover completely from the Ryuk attack, the most important systems were returned to operations quickly:


"For the most part, the manufacturing operation was never shut down and we did not miss any customer deliverables."

During the following month important milestones in the recovery project were made in close collaboration between Progent consultants and the customer:

  • Internal web sites were brought back up without losing any data.
  • The MailStore Server exceeding 4 million historical emails was brought online and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables/Inventory Control functions were fully restored.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • Nearly all of the user PCs were operational.

"So much of what transpired those first few days is nearly entirely a haze for me, but we will not forget the commitment each of the team put in to give us our business back. I've been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered. This event was a testament to your capabilities."

Conclusion
A potential business extinction disaster was dodged with hard-working experts, a wide range of knowledge, and tight teamwork. Although in hindsight the ransomware penetration described here should have been identified and prevented with current security technology and security best practices, user training, and well designed security procedures for information protection and proper patching controls, the fact is that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has extensive experience in ransomware virus defense, removal, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were involved), thank you for making it so I could get rested after we made it through the initial push. All of you did an incredible effort, and if any of your team is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Anaheim a variety of online monitoring and security evaluation services designed to help you to minimize your vulnerability to crypto-ransomware. These services include next-generation AI capability to detect zero-day strains of ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting edge behavior machine learning technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely evade traditional signature-based AV products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to manage the complete malware attack lifecycle including blocking, identification, containment, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint management, and web filtering via leading-edge tools packaged within a single agent managed from a single control. Progent's security and virtualization consultants can assist you to design and configure a ProSight ESP deployment that addresses your organization's unique needs and that helps you demonstrate compliance with legal and industry information protection standards. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require urgent action. Progent can also assist you to install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with advanced backup technology companies to create ProSight Data Protection Services, a portfolio of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your data backup processes and enable transparent backup and fast restoration of important files/folders, applications, images, and virtual machines. ProSight DPS lets your business recover from data loss caused by equipment failures, natural calamities, fire, cyber attacks like ransomware, human error, ill-intentioned employees, or software glitches. Managed services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top information security companies to deliver centralized control and world-class protection for your inbound and outbound email. The powerful structure of Email Guard combines a Cloud Protection Layer with a local security gateway appliance to offer complete defense against spam, viruses, Dos Attacks, DHAs, and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks most unwanted email from making it to your security perimeter. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance adds a further level of inspection for inbound email. For outgoing email, the local gateway provides AV and anti-spam protection, DLP, and email encryption. The local gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map out, track, enhance and troubleshoot their connectivity hardware like switches, firewalls, and access points as well as servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, copies and manages the configuration of virtually all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, locating appliances that require important updates, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your network operating at peak levels by checking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT management personnel and your assigned Progent consultant so that all potential problems can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved easily to an alternate hardware solution without a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard data about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSLs or warranties. By cleaning up and managing your IT documentation, you can save up to half of time spent looking for vital information about your network. ProSight IT Asset Management includes a common location for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require as soon as you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes next generation behavior machine learning technology to guard endpoint devices as well as servers and VMs against new malware assaults like ransomware and file-less exploits, which routinely evade traditional signature-matching AV products. Progent Active Security Monitoring services safeguard on-premises and cloud resources and offers a unified platform to manage the complete threat progression including filtering, detection, containment, remediation, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Desk: Help Desk Managed Services
    Progent's Call Center services enable your information technology staff to outsource Help Desk services to Progent or divide responsibilities for Service Desk support transparently between your in-house support team and Progent's nationwide roster of IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a transparent supplement to your corporate IT support staff. User interaction with the Service Desk, provision of support services, escalation, trouble ticket creation and tracking, efficiency metrics, and management of the support database are consistent regardless of whether incidents are resolved by your in-house network support group, by Progent's team, or by a combination. Learn more about Progent's outsourced/co-managed Service Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer organizations of all sizes a flexible and affordable solution for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving IT network. Besides optimizing the protection and functionality of your IT network, Progent's patch management services allow your IT staff to concentrate on line-of-business projects and tasks that derive maximum business value from your information network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication services utilize Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication. Duo enables one-tap identity confirmation with iOS, Android, and other out-of-band devices. Using 2FA, when you log into a secured online account and give your password you are asked to confirm who you are on a device that only you have and that is accessed using a separate network channel. A wide selection of devices can be utilized as this added form of ID validation such as an iPhone or Android or wearable, a hardware token, a landline phone, etc. You can register several validation devices. To find out more about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of in-depth management reporting tools created to work with the industry's top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-through or machines with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24-7 Anaheim CryptoLocker Remediation Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.