Ransomware : Your Feared IT Disaster
Crypto-Ransomware Remediation Professionals
Ransomware has become an escalating cyber pandemic that presents an extinction-level threat for businesses unprepared for an assault. Different versions of crypto-ransomware such as CryptoLocker, WannaCry, Locky, Syskey and MongoLock cryptoworms have been running rampant for years and continue to inflict destruction. Recent versions of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Nephilim, plus additional unnamed malware, not only encrypt critical online data but also infiltrate many configured system backups. Data synchronized to off-site disaster recovery sites can also be ransomed. In a poorly designed system, this can render automated restoration hopeless and essentially knock the network back to zero.

Restoring services and data after a crypto-ransomware outage becomes a sprint against time as the targeted organization struggles to contain and remove the ransomware and to restore business-critical operations. Because ransomware needs time to spread, attacks are often launched on weekends and holidays, when successful intrusions tend to take longer to detect. This multiplies the difficulty of rapidly assembling and orchestrating a qualified response team.

Progent makes available a range of services for securing enterprises from ransomware penetrations. Among these are staff training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security solutions with AI capabilities from SentinelOne to detect and suppress day-zero threats automatically. Progent in addition can provide the services of seasoned ransomware recovery consultants with the track record and commitment to rebuild a compromised system as rapidly as possible.

Progent's Crypto-Ransomware Recovery Help
Soon after a ransomware event, even paying the ransom demand in Bitcoin does not guarantee that the remote criminals will return the keys to decrypt any of your files. Kaspersky found that seventeen percent of ransomware victims never recovered their files even after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET determined to be in the range of $13,000. The fallback is to rebuild the essential parts of your IT environment. Without usable data backups, this calls for a wide range of IT skills, well-coordinated project management, and the willingness to work around the clock until the recovery project is finished.

For twenty years, Progent has offered certified expert IT services for companies in Anchorage and across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally-recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent in addition has expertise with accounting and ERP application software. This breadth of experience gives Progent the capability to efficiently understand critical systems and integrate the surviving parts of your IT system after a ransomware attack and configure them into an operational network.

Progent's recovery team utilizes best of breed project management tools to orchestrate the sophisticated restoration process. Progent knows the importance of acting rapidly and in unison with a customer's management and Information Technology team members to prioritize tasks and to get critical applications back on line as soon as possible.

Client Story: A Successful Ransomware Penetration Response
A client escalated to Progent after their network was penetrated by the Ryuk crypto-ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored cybercriminals, possibly using techniques leaked from the U.S. National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is one of the most lucrative iterations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer located in Chicago with around 500 staff members. The Ryuk event had paralyzed all essential business and manufacturing processes. Most of the client's system backups had been online at the start of the attack and were eventually encrypted. The client was evaluating paying the ransom demand (exceeding $200K) and praying for good luck, but ultimately turned to Progent.


"I cannot thank you enough for the care Progent provided us during the most stressful time of (our) business's survival. We most likely would have paid the cyber criminals if it wasn't for the confidence the Progent group provided us. That you were able to get our e-mail and critical servers back quicker than seven days was incredible. Each expert I worked with or texted at Progent was hell bent on getting us back online and was working at all hours to bail us out."

Progent worked hand in hand with the client to quickly understand and prioritize the critical applications that had to be addressed in order to resume business operations:

  • Windows Active Directory
  • Microsoft Exchange Server
  • MRP System
To start, Progent followed ransomware incident mitigation best practices by isolating and removing the active malware. Progent then began bringing Microsoft Active Directory back online, the core technology of enterprise environments built on Microsoft Windows. Microsoft Exchange Server email will not operate without Windows AD, and the client's accounting and MRP applications relied on Microsoft SQL Server, which depends on Windows AD to authorize access to the data.

Within 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then performed reinstallations and hard drive recovery on critical systems. All Exchange trust relationships and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to collect intact OST files (Outlook Offline Folder Files) from user workstations and laptops to recover email messages. A recent offline backup of the customer's manufacturing systems made it possible to bring these required services back to users. Although major work still had to be done to recover completely from the Ryuk event, essential services were recovered rapidly:


"For the most part, the assembly line operation ran fairly normal throughout and we produced all customer shipments."

During the next couple of weeks important milestones in the restoration process were achieved in tight collaboration between Progent engineers and the client:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore email archive for Microsoft Exchange Server, containing more than four million archived emails, was restored to operation and made available to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory functions were fully operational.
  • A new Palo Alto 850 firewall was installed.
  • Nearly all of the desktops and laptops were fully operational.

"So much of what went on those first few days is mostly a haze for me, but I will not soon forget the commitment each and every one of you put in to give us our business back. I've trusted Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered. This time was no exception but maybe more Herculean."

Conclusion
A potential business-ending disaster was avoided through the efforts of results-oriented professionals, a broad range of knowledge, and tight teamwork. In retrospect, the crypto-ransomware incident detailed here should have been stopped by modern security technology and best practices, user education, appropriate incident response procedures, sound data backup, and proper patching controls. The fact remains, however, that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do fall victim to ransomware, remember that Progent's roster of experts has extensive experience in crypto-ransomware blocking, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were involved), thank you for making it so I could get some sleep after we made it through the most critical parts. Everyone did an amazing job, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Anchorage a range of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services incorporate modern machine learning capability to uncover new variants of crypto-ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's next-generation behavioral machine learning tools to defend physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely get past legacy signature-based AV products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to automate the entire malware attack lifecycle including blocking, detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and response to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering via leading-edge technologies packaged within a single agent accessible from a unified console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP deployment that addresses your company's unique requirements and allows you to demonstrate compliance with legal and industry data protection standards. Progent will assist you in defining and implementing security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for immediate action. Progent can also assist you in installing and testing a backup and disaster recovery system like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup software companies to create ProSight Data Protection Services (DPS), a selection of management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and track your backup processes and allow transparent backup and fast restoration of important files/folders, apps, system images, and VMs. ProSight DPS helps your business avoid data loss caused by equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, human mistakes, malicious insiders, or software glitches. Managed services available in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these fully managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading information security vendors to deliver centralized management and comprehensive security for your inbound and outbound email. The powerful structure of Progent's Email Guard combines cloud-based filtering with a local gateway appliance to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This reduces your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's on-premises gateway device provides a further level of analysis for inbound email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Exchange Server to monitor and safeguard internal email traffic that stays inside your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map, monitor, reconfigure and troubleshoot their connectivity appliances like routers and switches, firewalls, and wireless controllers plus servers, client computers and other networked devices. Using cutting-edge RMM technology, WAN Watch ensures that network diagrams are kept updated, captures and displays the configuration information of virtually all devices on your network, monitors performance, and generates notices when issues are detected. By automating tedious management activities, ProSight WAN Watch can cut hours off ordinary tasks such as making network diagrams, expanding your network, locating appliances that require important updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating efficiently by tracking the health of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your specified IT management staff and your assigned Progent engineering consultant so that all potential problems can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault-tolerant data center on a fast virtual machine host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Because the system is virtualized, it can be moved immediately to a different hardware environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and safeguard data related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can save as much as 50% of the time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents required for managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Find out more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting-edge behavior analysis tools to defend endpoints as well as physical and virtual servers against new malware attacks like ransomware and email phishing, which routinely get past legacy signature-matching anti-virus tools. Progent ASM services protect local and cloud-based resources and offer a unified platform to address the complete malware attack lifecycle including filtering, infiltration detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Center: Support Desk Managed Services
    Progent's Support Desk services allow your information technology group to outsource Call Center services to Progent or split responsibilities for support services transparently between your internal support resources and Progent's nationwide pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a smooth supplement to your internal network support resources. User interaction with the Help Desk, delivery of technical assistance, escalation, trouble ticket creation and updates, efficiency measurement, and management of the support database are consistent regardless of whether issues are taken care of by your corporate network support group, by Progent's team, or a mix of the two. Read more about Progent's outsourced/shared Help Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide businesses of any size a flexible and affordable solution for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your dynamic information system. Besides optimizing the security and functionality of your computer network, Progent's patch management services permit your IT team to focus on more strategic initiatives and tasks that derive maximum business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication. Duo supports one-tap identity confirmation with iOS, Google Android, and other personal devices. With Duo 2FA, when you log into a secured application and give your password you are asked to verify your identity via a unit that only you have and that uses a different ("out-of-band") network channel. A wide selection of out-of-band devices can be used as this second form of authentication including a smartphone or wearable, a hardware/software token, a landline phone, etc. You may designate multiple validation devices. To find out more about ProSight Duo two-factor identity authentication services, go to Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding family of in-depth reporting utilities designed to work with the industry's top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues like spotty support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For Anchorage 24/7/365 Ransomware Recovery Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.