Ransomware: Your Worst IT Disaster

Ransomware Remediation Experts

Ransomware has become a too-frequent cyberplague that represents an existential danger for businesses poorly prepared for an assault. Different versions of crypto-ransomware such as the CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been running rampant for years and continue to cause havoc. Modern strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as frequent unnamed newcomers, not only encrypt online files but also infiltrate any system backups they can reach. Files replicated to off-site disaster recovery sites can also be rendered useless. In a poorly architected system, this can make any restoration hopeless and effectively set the datacenter back to zero.

Retrieving applications and data following a crypto-ransomware outage becomes a race against the clock as the victim struggles to stop lateral movement, remove the virus, and resume enterprise-critical operations. Because ransomware takes time to spread, attacks are often launched during weekends and nights, when penetrations may take longer to notice. This multiplies the difficulty of promptly mobilizing and coordinating a capable mitigation team.

Progent has a range of solutions for protecting businesses from ransomware events. Among these are team education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with installation of the latest generation security gateways with machine learning technology from SentinelOne to discover and quarantine zero-day threats automatically. Progent in addition provides the services of veteran ransomware recovery consultants with the track record and perseverance to re-deploy a breached network as quickly as possible.

Progent's Crypto-Ransomware Recovery Help
Following a ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not ensure that the criminal gangs will respond with the keys to decrypt any of your data. Kaspersky ascertained that seventeen percent of ransomware victims never restored their information after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual crypto-ransomware demand, which ZDNET determined to be around $13,000. The fallback is to piece back together the key parts of your IT environment. Absent complete data backups, this calls for a wide range of skill sets, top-notch team management, and the capability to work 24x7 until the task is complete.

For decades, Progent has provided professional IT services for businesses in Anaheim and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who have been awarded high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience in financial management and ERP application software. This breadth of experience provides Progent the capability to rapidly identify necessary systems and re-organize the remaining components of your network system after a ransomware attack and assemble them into an operational system.

Progent's security team of experts deploys powerful project management applications to orchestrate the sophisticated restoration process. Progent understands the importance of working rapidly and together with a client's management and Information Technology resources to assign priority to tasks and to get the most important systems back online as soon as humanly possible.

Client Story: A Successful Ransomware Incident Response
A customer engaged Progent after their network was brought down by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored cybercriminals, suspected of adopting strategies leaked from the United States NSA. Ryuk targets specific organizations with little or no ability to sustain operational disruption and is one of the most lucrative examples of ransomware viruses. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in the Chicago metro area with about 500 workers. The Ryuk event had disabled all business operations and manufacturing processes. The majority of the client's system backups had been directly accessible from the network when the attack began and were eventually encrypted. The client was actively seeking loans to pay the ransom (exceeding $200,000) and hoping for the best, but in the end engaged Progent.


"I cannot thank you enough about the care Progent provided us throughout the most fearful time of (our) business's survival. We would have paid the criminal gangs if it wasn't for the confidence the Progent experts provided us. That you could get our messaging and critical servers back into operation sooner than one week was beyond my wildest dreams. Each expert I spoke to or communicated with at Progent was amazingly focused on getting my company operational and was working at all hours on our behalf."

Progent worked hand in hand with the customer to quickly identify and prioritize the critical systems that had to be recovered to make it possible to restart business functions:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software

To begin, Progent adhered to ransomware incident response industry best practices by stopping the spread and removing active viruses. Progent then began the task of bringing Microsoft AD back online, the foundation of enterprise environments built upon Microsoft Windows Server technology. Exchange email will not work without AD, and the customer's financials and MRP system used SQL Server, which depends on Active Directory to authenticate access to the data.

Within 48 hours, Progent was able to recover Active Directory services to their pre-virus state. Progent then accomplished setup and hard drive recovery on essential systems. All Microsoft Exchange Server ties and configuration information were intact, which facilitated the restore of Exchange. Progent was also able to locate non-encrypted OST data files (Microsoft Outlook Offline Data Files) on user PCs and laptops to recover email information. A fairly recent off-line backup of the customer's accounting/MRP software made it possible to bring these essential applications back online. Although a large amount of work remained to recover completely from the Ryuk event, critical systems were returned to operation quickly:


"For the most part, the assembly line operation never missed a beat and we did not miss any customer sales."

Throughout the next month, important milestones in the restoration project were reached in tight collaboration between Progent consultants and the customer:

  • Internal web sites were brought back up with no loss of information.
  • The MailStore archive server holding more than 4 million archived messages was brought online and made available to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory modules were 100 percent restored.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Ninety percent of the desktops and laptops were back in use by staff.

"So much of what went on in the early hours is nearly entirely a haze for me, but my team will not soon forget the urgency each of your team put in to give us our business back. I've been working with Progent for the past 10 years, possibly more, and each time Progent has impressed me and delivered. This time was a testament to your capabilities."

Conclusion
A likely business disaster was dodged thanks to hard-working professionals, a broad spectrum of IT skills, and close collaboration. Although in retrospect the ransomware incident described here should have been blocked by modern cyber security solutions and recognized best practices, staff education, and well-designed security procedures for data backup and applying software patches, the reality remains that state-sponsored cyber criminals from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has extensive experience in crypto-ransomware virus blocking, cleanup, and file disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for letting me get some sleep after we made it past the initial fire. All of you did a fabulous effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Anaheim a portfolio of online monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services incorporate next-generation AI capability to uncover new variants of crypto-ransomware that are able to escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior-based analysis technology to guard physical and virtual endpoints against new malware assaults such as ransomware and file-less exploits, which routinely evade legacy signature-based anti-virus tools. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to automate the complete malware attack progression including protection, infiltration detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering through leading-edge technologies incorporated within one agent accessible from a single console. Progent's data protection and virtualization consultants can help your business to design and configure a ProSight ESP environment that meets your organization's unique requirements and that allows you to prove compliance with government and industry information security standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that call for immediate attention. Progent's consultants can also assist you to set up and verify a backup and restore system such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore software companies to create ProSight Data Protection Services (DPS), a selection of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup processes and enable transparent backup and fast restoration of vital files/folders, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss resulting from hardware failures, natural calamities, fire, malware like ransomware, human error, malicious insiders, or application bugs. Managed services in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security companies to deliver web-based control and comprehensive security for all your email traffic. The hybrid structure of Email Guard managed service integrates cloud-based filtering with an on-premises gateway appliance to provide advanced protection against spam, viruses, Denial of Service Attacks, DHAs, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a further level of analysis for incoming email. For outbound email, the onsite security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and protect internal email that originates and ends inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to diagram, track, reconfigure and troubleshoot their networking hardware like routers, firewalls, and load balancers as well as servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and manages the configuration of almost all devices on your network, tracks performance, and generates notices when problems are discovered. By automating time-consuming network management processes, WAN Watch can cut hours off ordinary chores such as network mapping, expanding your network, finding appliances that need critical updates, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by tracking the state of the vital assets that drive your information system. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT management staff and your assigned Progent engineering consultant so that any looming issues can be addressed before they disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be ported immediately to a different hardware environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard information related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or warranties. By updating and organizing your network documentation, you can eliminate up to 50% of the time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates next-generation behavior-based machine learning tools to defend endpoints and physical and virtual servers against new malware attacks such as ransomware and email phishing, which easily evade traditional signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard local and cloud resources and offer a unified platform to manage the complete threat progression including protection, detection, mitigation, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Service Desk: Support Desk Managed Services
    Progent's Call Center managed services enable your information technology staff to outsource Call Center services to Progent or divide responsibilities for support services transparently between your internal support team and Progent's nationwide roster of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a seamless extension of your corporate IT support team. User interaction with the Service Desk, delivery of technical assistance, issue escalation, trouble ticket generation and tracking, efficiency metrics, and management of the support database are consistent regardless of whether issues are resolved by your internal network support group, by Progent's team, or by a combination. Read more about Progent's outsourced/co-managed Call Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide organizations of all sizes a flexible and affordable alternative for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic IT system. Besides optimizing the protection and reliability of your IT network, Progent's software/firmware update management services permit your in-house IT team to focus on more strategic projects and activities that deliver the highest business value from your information network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo technology to protect against compromised passwords by using two-factor authentication (2FA). Duo enables one-tap identity confirmation on iOS, Google Android, and other personal devices. With 2FA, whenever you log into a protected online account and enter your password you are requested to confirm your identity on a device that only you have and that uses a separate network channel. A wide range of out-of-band devices can be utilized for this added means of authentication, including an iPhone, an Android phone, a smartwatch, a hardware/software token, a landline phone, etc. You can designate several verification devices. To learn more about Duo two-factor identity authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services for access security.

For Anaheim 24-Hour Ransomware Repair Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.