Ransomware : Your Worst IT Nightmare
Crypto-Ransomware Recovery Professionals
Ransomware has become an escalating cyberplague that poses an existential threat to businesses poorly prepared for an attack. Different versions of crypto-ransomware such as the CryptoLocker, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for years and still inflict damage. Newer strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as many unnamed strains, not only encrypt online files but also infect any reachable system restore points and backups. Data replicated to cloud environments can also be encrypted. When the data protection solution is itself vulnerable, this can make automated recovery hopeless and effectively knocks the network back to zero.

Restoring applications and data following a crypto-ransomware outage becomes a race against the clock as the victim struggles to stop the spread, clean up the infection, and resume business-critical operations. Because ransomware requires time to move laterally, attacks are usually sprung at night or on weekends, when they typically take longer to uncover. This compounds the difficulty of quickly mobilizing and coordinating a knowledgeable mitigation team.

Progent offers a range of services for protecting organizations from ransomware penetrations. These include team member training to help staff recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of the latest generation of AI-capable security solutions from SentinelOne to discover and disable zero-day cyber threats automatically. Progent also offers the assistance of seasoned crypto-ransomware recovery professionals with the skills and commitment to restore a compromised system as urgently as possible.

Progent's Ransomware Restoration Services
After a ransomware penetration, paying the ransom demand in cryptocurrency does not provide any assurance that the criminal gang will respond with the keys needed to decrypt any or all of your files. Kaspersky estimated that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms are typically a few hundred thousand dollars. For larger organizations, the ransom demand can reach millions. The alternative is to rebuild from scratch the key parts of your IT environment. Without complete data backups, this requires a broad complement of skill sets, professional project management, and the ability to work continuously until the job is finished.

For decades, Progent has provided professional IT services for businesses throughout the U.S. and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have earned top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally-renowned certifications including CISM, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent in addition has expertise in financial management and ERP software solutions. This breadth of expertise gives Progent the capability to efficiently identify critical systems, re-organize the remaining parts of your computer network environment following a ransomware penetration, and configure them into an operational system.

Progent's ransomware team of experts uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the importance of acting rapidly and in concert with a client's management and IT staff to prioritize tasks and to put critical services back online as soon as humanly possible.

Case Study: A Successful Ransomware Incident Restoration
A customer escalated to Progent after their organization was brought down by the Ryuk ransomware virus. Ryuk is generally considered to have been created by North Korean state criminal gangs, possibly using algorithms leaked from America's National Security Agency. Ryuk targets organizations with limited tolerance for disruption and is among the most lucrative versions of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with around 500 workers. The Ryuk penetration had frozen all essential operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network at the start of the intrusion and were eventually encrypted. The client was considering paying the ransom (exceeding $200K) and hoping for good luck, but ultimately called Progent.


"I cannot speak enough about the help Progent gave us throughout the most stressful period of (our) company's survival. We may have had to pay the criminal gangs except for the confidence the Progent team provided us. The fact that you were able to get our e-mail and important applications back on-line in less than one week was amazing. Every single staff member I interacted with or communicated with at Progent was laser focused on getting us restored and was working day and night to bail us out."

Progent worked hand in hand with the client to quickly understand and prioritize the essential elements that had to be restored in order to resume departmental functions:

  • Active Directory (AD)
  • Electronic Messaging
  • Financials/MRP

To begin, Progent adhered to industry best practices for incident response by halting lateral movement and clearing infected systems. Progent then started the task of restoring Microsoft Active Directory, the heart of enterprise networks built on Microsoft Windows technology. Microsoft Exchange Server email will not work without AD, and the customer's financials and MRP software ran on Microsoft SQL Server, which depends on Active Directory for access authorization to the databases.

Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then assisted with the setup and storage recovery of critical applications. All Microsoft Exchange Server schema and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to collect intact OST files (Outlook Offline Data Files) from team workstations and laptops to recover mail data. A recent offline backup of the company's financials/MRP software made it possible to restore these required services to users. Although a large amount of work remained to recover completely from the Ryuk event, the most important systems were restored quickly:


"For the most part, the production operation survived unscathed and we delivered all customer sales."

Over the following few weeks, critical milestones in the restoration project were reached through tight cooperation between Progent engineers and the customer:

  • Internal web sites were restored without losing any data.
  • The MailStore Server archive, holding more than four million historical emails, was brought online and made accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory functions were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Nearly all of the user workstations were functioning as before the incident.

"A huge amount of what happened that first week is mostly a haze for me, but our team will not forget the countless hours each of your team put in to help get our business back. I have trusted Progent for at least 10 years, maybe more, and each time Progent has shined and delivered as promised. This time was a testament to your capabilities."

Conclusion
A possible business catastrophe was averted thanks to dedicated professionals, a broad array of subject matter expertise, and close collaboration. In hindsight, the crypto-ransomware attack detailed here could have been stopped with up-to-date cyber security solutions and security best practices, team education, and well thought out incident response procedures for data backup and proper patching controls. The reality, however, is that government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's roster of professionals has proven experience in crypto-ransomware blocking, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for letting me get some sleep after we made it through the first week. All of you did an amazing job, and if any of your team is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Anaheim a range of online monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services incorporate next-generation machine learning technology to detect new strains of ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses SentinelOne's cutting-edge behavior analysis tools to defend physical and virtual endpoint devices against new malware attacks like ransomware and fileless exploits, which routinely get by traditional signature-based AV products. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to automate the complete malware attack lifecycle including blocking, identification, containment, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer protection for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering via cutting-edge tools packaged within a single agent managed from a unified console. Progent's security and virtualization consultants can help you design and configure a ProSight ESP deployment that meets your company's unique requirements and that allows you to prove compliance with legal and industry information security standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent can also help your company set up and test a backup and restore system like ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup/restore technology providers to produce ProSight Data Protection Services (DPS), a selection of management offerings that deliver backup-as-a-service. ProSight DPS products manage and track your backup operations and allow transparent backup and fast restoration of critical files, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss caused by equipment failures, natural disasters, fire, malware like ransomware, human error, ill-intentioned employees, or application glitches. Managed backup services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security companies to deliver centralized control and world-class protection for your email traffic. The hybrid structure of Progent's Email Guard combines a Cloud Protection Layer with a local gateway appliance to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to external threats and saves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a further layer of inspection for inbound email. For outbound email, the onsite security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The local gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map, track, optimize and troubleshoot their networking appliances such as routers, firewalls, and access points plus servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept current, copies and manages the configuration information of almost all devices on your network, tracks performance, and generates notices when issues are discovered. By automating tedious management processes, ProSight WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, finding appliances that need critical software patches, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to keep your network operating efficiently by tracking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT staff and your Progent engineering consultant so that any potential issues can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host set up and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported easily to a different hosting solution without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and protect data about your network infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates, domains or warranties. By updating and organizing your IT documentation, you can eliminate as much as half of the time spent searching for critical information about your IT network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're planning enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that uses cutting-edge behavior-based machine learning tools to guard endpoints, servers and VMs against new malware attacks such as ransomware and email phishing, which routinely get by legacy signature-based AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and offer a single platform to manage the entire threat lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Desk: Call Center Managed Services
    Progent's Support Desk services enable your IT group to offload Call Center services to Progent or split activity for support services transparently between your in-house support resources and Progent's nationwide roster of IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a seamless extension of your core IT support team. User interaction with the Help Desk, delivery of support, issue escalation, ticket creation and tracking, efficiency metrics, and management of the support database are consistent regardless of whether issues are taken care of by your corporate network support group, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management provide organizations of any size a versatile and cost-effective solution for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic information system. In addition to maximizing the security and functionality of your computer network, Progent's software/firmware update management services free up time for your in-house IT team to focus on line-of-business initiatives and activities that deliver the highest business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA services incorporate Cisco's Duo cloud technology to protect against password theft by using two-factor authentication. Duo supports one-tap identity verification on iOS, Android, and other personal devices. With Duo 2FA, when you sign into a secured online account and enter your password, you are asked to verify your identity via a device that only you have and that is reached over a different ("out-of-band") network channel. A wide selection of devices can be used as this added means of ID validation, including a smartphone or watch, a hardware token, or a landline phone. You may register multiple validation devices. To find out more about Duo two-factor identity authentication services, visit Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding line of real-time management reporting utilities designed to work with the leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues such as spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.

For Anaheim 24-Hour Ransomware Remediation Support Services, call Progent at 800-462-8800 or go to Contact Progent.