Ransomware: Your Worst Information Technology Catastrophe
Ransomware Recovery Professionals
Crypto-ransomware has become a modern cyber pandemic that poses an existential threat to businesses poorly prepared for an attack. Ransomware families such as Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock have been around for years and still inflict harm. More recent families such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nefilim, along with a daily stream of unnamed malware, not only encrypt online data files but also seek out and destroy most reachable system restore points and backups. Files synchronized to cloud storage can also be ransomed, because the sync client faithfully uploads the encrypted versions. In a vulnerable environment this can render every restore useless and effectively knock the entire system back to zero.

Bringing applications and data back online after a crypto-ransomware outage becomes a race against time as the targeted organization struggles to stop lateral movement, eradicate the ransomware, and restore business-critical operations. Because spreading and encrypting take time, attacks are frequently launched at night or on weekends, when they typically take longer to notice and respond to. This multiplies the difficulty of quickly assembling and organizing an experienced response team.
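The two behaviours described above (ransomware wiping shadow copies and backup catalogs before encrypting, and attackers choosing nights and weekends because response is slower) are both detectable from ordinary Windows telemetry. The following is an added example written for this page, not code from Progent or from any product it mentions. It runs a small detector over constructed event records; the record layout (ts/type/user/host/cmd/path/new_path) is an assumption loosely modelled on Sysmon Event ID 1 (process creation) and Security Event ID 4663 (file object access) fields, and the sample records are made up, not real logs.

```python
"""Added example: detect two ransomware precursors in constructed Windows events.

  1. backup tampering: shadow-copy / backup-catalog deletion or Windows
     recovery being disabled, the step that lets ransomware "infiltrate backups";
  2. rename storms: one account changing the extension of many files within a
     short window, the footprint of bulk encryption.

Alerts are escalated to "critical" when they fall on nights or weekends.
Record layout and sample data are assumptions, not a real log format.
"""
from collections import defaultdict
from datetime import datetime
import os
import re

# Commands routinely executed by ransomware before encryption begins.
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]

RENAME_THRESHOLD = 50   # distinct files with a changed extension ...
WINDOW_SECONDS = 60     # ... by one account on one host within this window


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside 07:00-19:00 on a weekday (assumed business hours)."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 19


def _severity(ts: datetime) -> str:
    return "critical" if is_off_hours(ts) else "high"


def analyze(events):
    """Return a list of alert dicts for the given event records."""
    alerts = []
    renames = defaultdict(list)  # (user, host) -> [(ts, old_path)]

    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process":
            if any(p.search(ev["cmd"]) for p in BACKUP_TAMPER_PATTERNS):
                alerts.append({"rule": "backup_tamper", "user": ev["user"],
                               "host": ev["host"], "evidence": ev["cmd"],
                               "severity": _severity(ts)})
        elif ev["type"] == "rename":
            old_ext = os.path.splitext(ev["path"])[1].lower()
            new_ext = os.path.splitext(ev["new_path"])[1].lower()
            if old_ext != new_ext:  # ransomware appends its own extension
                renames[(ev["user"], ev["host"])].append((ts, ev["path"]))

    # Sliding window over each account's extension-changing renames.
    for (user, host), items in renames.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while (items[end][0] - items[start][0]).total_seconds() > WINDOW_SECONDS:
                start += 1
            window = items[start:end + 1]
            if len({path for _, path in window}) >= RENAME_THRESHOLD:
                alerts.append({"rule": "rename_storm", "user": user, "host": host,
                               "evidence": f"{len(window)} renames in {WINDOW_SECONDS}s",
                               "severity": _severity(items[end][0])})
                break  # one alert per account/host is enough to page someone
    return alerts


def build_sample_events():
    """Constructed records: a Saturday 02:14 attack plus benign weekday noise."""
    events = [
        # benign: an admin listing shadow copies on a Wednesday morning
        {"ts": "2020-06-10T10:05:00", "type": "process", "user": "CORP\\admin",
         "host": "FS01", "cmd": "vssadmin.exe list shadows"},
        # attacker deleting shadow copies just before encryption starts
        {"ts": "2020-06-13T02:13:40", "type": "process", "user": "CORP\\jsmith",
         "host": "FS01", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    ]
    # 60 documents given a ".ryk" suffix within one minute (made-up file names)
    for i in range(60):
        events.append({"ts": f"2020-06-13T02:14:{i:02d}", "type": "rename",
                       "user": "CORP\\jsmith", "host": "FS01",
                       "path": f"\\\\FS01\\finance\\invoice_{i:03d}.docx",
                       "new_path": f"\\\\FS01\\finance\\invoice_{i:03d}.docx.ryk"})
    # benign: a user renaming three drafts during business hours
    for i in range(3):
        events.append({"ts": f"2020-06-10T11:{i:02d}:00", "type": "rename",
                       "user": "CORP\\mlee", "host": "FS01",
                       "path": f"\\\\FS01\\sales\\draft{i}.txt",
                       "new_path": f"\\\\FS01\\sales\\draft{i}.docx"})
    return events


if __name__ == "__main__":
    for alert in analyze(build_sample_events()):
        print(alert)
```

Run against the sample data it produces two critical alerts for the same account on FS01: the shadow-copy deletion and the rename storm that follows it, both escalated because they occur early on a Saturday morning. The benign admin listing shadow copies and the user renaming three drafts produce nothing. The threshold and window are deliberately coarse; in production they would be tuned per file server and paired with a response action such as disabling the account or isolating the host.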

Progent offers a range of services for protecting organizations from ransomware incidents. These include staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM), a managed endpoint protection service built on SentinelOne's behavior-based machine-learning technology that detects and disables new threats quickly, and deployment of modern security appliances. Progent also provides the services of experienced crypto-ransomware recovery engineers with the track record and perseverance to rebuild a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Services
After a ransomware attack, paying the ransom in cryptocurrency offers no assurance that the attackers will hand over keys that actually decrypt your data. Kaspersky found that seventeen percent of ransomware victims who paid never recovered their data, compounding their losses. Ransoms are also expensive: Ryuk demands commonly run to a few hundred thousand dollars, and for larger enterprises can reach millions. The alternative is to rebuild the vital elements of your IT environment. Without complete, intact backups, this requires a broad range of skills, strong project management, and the ability to work around the clock until the job is done.

For twenty years, Progent has provided expert IT services to companies throughout the U.S. and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold high-level industry certifications in foundation technologies from Microsoft, Cisco and VMware and in major Linux distributions. Progent's security specialists hold internationally recognized certifications including CISM, CISSP, CRISC, SANS GIAC and CMMC 2.0 (see Progent's certifications). Progent also has experience with accounting and ERP applications. This breadth of expertise lets Progent quickly identify the critical systems, salvage the remaining pieces of your network after a ransomware attack, and assemble them into a working system.

Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex restoration process. Progent understands the urgency of acting quickly and in concert with the client's management and IT staff to prioritize tasks and bring the most important systems back online as fast as possible.

Case Study: A Successful Ransomware Penetration Recovery
A business contacted Progent after its operations were brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-backed groups because it shares code with the earlier Hermes ransomware; later research attributed it to a Russian-speaking criminal gang. The often-repeated claim that Ryuk relies on algorithms leaked from the U.S. NSA is a conflation with the WannaCry worm, which spread using the leaked EternalBlue exploit. Ryuk itself is not a worm: it is typically planted by hand after an initial foothold (often via TrickBot or Emotet), targets organizations with little tolerance for downtime, and is among the most profitable ransomware operations. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer in the Chicago metro area with around 500 employees. The Ryuk intrusion had halted all essential business and manufacturing processes. Most of the client's backups were online at the time of the intrusion and were encrypted along with production data. The client was preparing to pay the ransom (in excess of $200,000) and hope for the best, but ultimately called Progent instead.


"I can't say enough in regards to the expertise Progent provided us during the most fearful time of (our) company's existence. We would have had little choice but to pay the hackers behind this attack if not for the confidence the Progent group provided us. That you could get our e-mail and key servers back in less than a week was something I thought impossible. Each person I got help from or texted at Progent was hell-bent on getting us back on-line and was working at breakneck pace to bail us out."

Progent worked with the client to quickly identify and prioritize the essential elements that had to be restored to resume business operations:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • MRP System
Progent first followed industry best practices for malware incident containment: isolating affected systems to stop lateral movement, then disinfecting them. Progent then began rebuilding Windows Active Directory, the heart of any enterprise environment built on Microsoft technology. Exchange cannot run without Active Directory, and the customer's financial and MRP applications ran on Microsoft SQL Server, which relied on Active Directory (Windows authentication) to control access to the data.

Within two days, Progent had restored Active Directory to its pre-attack state. Progent then rebuilt and recovered the disks of the most important systems. All of the Exchange Server schema extensions and attributes in Active Directory were intact, which simplified the Exchange restore. Progent also located intact OST files (Outlook offline data files) on various workstations and laptops and used them to recover mailbox contents. A recent offline backup of the company's financial/ERP systems allowed these essential services to be returned to users. Although substantial work remained to recover fully from the Ryuk damage, essential services were restored rapidly:


"For the most part, the assembly line operation never missed a beat and we made all customer deliverables."

Over the following couple of weeks, Progent engineers and the client, working closely together, reached the remaining major milestones of the recovery project:

  • Self-hosted web applications were brought back online without data loss.
  • The MailStore email archive, holding more than 4 million historical messages, was restored to service and made accessible to users.
  • CRM, orders, invoicing, accounts payable, accounts receivable (AR) and inventory control functions were fully restored.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Nearly all user PCs were back in service.

"A huge amount of what happened in the initial days is nearly entirely a haze for me, but I will not forget the urgency each and every one of the team put in to help get our company back. I've trusted Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This event was the most impressive ever."

Conclusion
A potential business catastrophe was averted through dedicated professionals, a wide array of IT skills, and close teamwork. In hindsight, the incident described here should have been detected and prevented with modern security technology, recognized best practices, user training, and well-designed procedures for backups and software patching; the reality is that criminal and state-sponsored attackers from China, Russia, North Korea and elsewhere are tireless and are not going away. If you are hit by a crypto-ransomware attack, remember that Progent's roster of experts has extensive experience in ransomware prevention, remediation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thanks very much for allowing me to get some sleep after we got through the first week. All of you put in an impressive effort, and if any of your team is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Arlington a variety of remote monitoring and security assessment services designed to help you minimize your exposure to ransomware. These services include modern machine-learning technology to detect new variants of crypto-ransomware that slip past traditional signature-based anti-virus products.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating at peak levels by checking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT management staff and your assigned Progent consultant so any potential issues can be addressed before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Workstations
    ProSight LAN Watch with NinjaOne RMM software offers a unified, cloud-based solution for monitoring and managing your network, server, and desktop devices by offering an environment for streamlining common time-consuming tasks. These can include health monitoring, patch management, automated remediation, endpoint setup, backup and restore, anti-virus response, secure remote access, built-in and custom scripts, asset inventory, endpoint status reports, and troubleshooting assistance. If ProSight LAN Watch with NinjaOne RMM uncovers a serious problem, it transmits an alarm to your specified IT management personnel and your Progent technical consultant so emerging problems can be fixed before they impact productivity. Find out more details about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map, monitor, optimize and troubleshoot their networking appliances such as routers and switches, firewalls, and load balancers as well as servers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, captures and displays the configuration information of almost all devices connected to your network, monitors performance, and sends notices when problems are discovered. By automating tedious management processes, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, expanding your network, locating devices that need critical software patches, or resolving performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding family of real-time management reporting tools designed to integrate with the top ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-up or machines with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with leading backup technology companies to create ProSight Data Protection Services (DPS), a portfolio of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your data backup processes and allow non-disruptive backup and rapid restoration of vital files/folders, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets you avoid data loss caused by hardware breakdown, natural disasters, fire, cyber attacks like ransomware, human error, ill-intentioned employees, or software glitches. Managed backup services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security companies to deliver centralized management and world-class protection for all your inbound and outbound email. The powerful structure of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to offer complete protection against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne malware. The cloud filter serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of inspection for inbound email. For outbound email, the onsite gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that stays within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo technology to protect against compromised passwords by using two-factor authentication (2FA). Duo enables single-tap identity verification with iOS, Android, and other personal devices. With Duo 2FA, when you sign into a secured application and enter your password, you are asked to confirm who you are through a device that only you possess and that is reached over a separate, out-of-band channel. A broad range of devices can serve as this second factor, such as a smartphone or wearable, a hardware or software token, or a landline phone, and you may register several verification devices. To find out more about Duo identity validation services, visit Duo MFA two-factor authentication (2FA) services.

  • Progent's Outsourced/Shared Help Desk: Support Desk Managed Services
    Progent's Help Desk services permit your IT team to offload Call Center services to Progent or divide responsibilities for Service Desk support transparently between your in-house network support team and Progent's nationwide roster of IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a transparent supplement to your core network support resources. User interaction with the Help Desk, delivery of technical assistance, issue escalation, trouble ticket creation and updates, efficiency measurement, and maintenance of the support database are consistent whether incidents are resolved by your core IT support staff, by Progent, or a mix of the two. Learn more about Progent's outsourced/shared Service Center services.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that uses next-generation behavioral machine-learning technology to guard endpoints, servers and VMs against new malware attacks such as ransomware and email phishing, which easily get past legacy signature-matching AV products. The service safeguards local and cloud-based resources and provides a single platform to address the complete malware attack progression, including filtering, infiltration detection, containment, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and recovery services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and safeguard data related to your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as half of time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents required for managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require the instant you need it. Find out more about ProSight IT Asset Management service.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a flexible and affordable alternative for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your dynamic information network. Besides optimizing the security and functionality of your IT network, Progent's software/firmware update management services free up time for your in-house IT staff to focus on line-of-business projects and activities that derive the highest business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Since the system is virtualized, it can be moved immediately to a different hosting environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's next-generation behavior analysis technology to guard physical and virtual endpoints against modern malware assaults like ransomware and file-less exploits, which easily evade legacy signature-based anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a unified platform to automate the complete threat progression including protection, identification, mitigation, remediation, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Note that VSS-based rollback depends on shadow copies surviving the attack; because ransomware routinely deletes them before encrypting, rollback must be backed by an endpoint agent that blocks that deletion and by offline backups. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge technologies incorporated within one agent managed from a single console. Progent's security and virtualization experts can assist you to plan and implement a ProSight ESP deployment that meets your organization's specific requirements and that allows you achieve and demonstrate compliance with legal and industry data protection standards. Progent will assist you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent can also help you to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
For 24x7 crypto-ransomware remediation services in Arlington, call Progent at 800-462-8800 or go to Contact Progent.