Ransomware : Your Crippling IT Disaster
Ransomware  Recovery ConsultantsRansomware has become an escalating cyberplague that represents an existential danger for businesses poorly prepared for an assault. Multiple generations of crypto-ransomware like the Reveton, WannaCry, Locky, SamSam and MongoLock cryptoworms have been out in the wild for a long time and continue to cause damage. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, as well as additional unnamed viruses, not only do encryption of on-line data files but also infect many accessible system restores and backups. Information replicated to cloud environments can also be ransomed. In a vulnerable data protection solution, it can render automated restoration useless and basically sets the network back to zero.

Getting back applications and information after a crypto-ransomware outage becomes a sprint against time as the targeted business fights to contain the damage and eradicate the ransomware and to resume enterprise-critical operations. Since crypto-ransomware requires time to replicate, assaults are frequently launched on weekends and holidays, when penetrations are likely to take more time to identify. This compounds the difficulty of quickly marshalling and coordinating an experienced response team.

Progent offers an assortment of services for protecting enterprises from ransomware attacks. Among these are user education to become familiar with and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security appliances with machine learning technology from SentinelOne to identify and quarantine zero-day cyber attacks automatically. Progent also offers the services of experienced ransomware recovery consultants with the track record and commitment to re-deploy a compromised network as soon as possible.

Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not ensure that distant criminals will provide the needed keys to unencrypt any of your files. Kaspersky ascertained that 17% of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the average ransomware demands, which ZDNET averages to be in the range of $13,000. The other path is to re-install the vital elements of your IT environment. Without access to essential system backups, this requires a wide range of skills, professional team management, and the ability to work 24x7 until the task is over.

For two decades, Progent has offered professional IT services for companies in Arlington and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise with financial management and ERP software solutions. This breadth of expertise gives Progent the skills to efficiently ascertain important systems and re-organize the surviving components of your network environment following a ransomware penetration and assemble them into a functioning system.

Progent's recovery group deploys top notch project management tools to orchestrate the sophisticated restoration process. Progent understands the urgency of working swiftly and together with a customer's management and IT team members to assign priority to tasks and to put key systems back on-line as fast as humanly possible.

Client Story: A Successful Ransomware Incident Restoration
A small business escalated to Progent after their network was crashed by Ryuk ransomware virus. Ryuk is thought to have been created by North Korean state sponsored hackers, possibly adopting technology exposed from the U.S. NSA organization. Ryuk targets specific businesses with little room for disruption and is among the most lucrative examples of ransomware malware. High publicized victims include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing company located in the Chicago metro area with around 500 workers. The Ryuk attack had shut down all essential operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the beginning of the intrusion and were eventually encrypted. The client was actively seeking loans for paying the ransom demand (exceeding $200K) and wishfully thinking for good luck, but in the end brought in Progent.


"I can't speak enough in regards to the expertise Progent gave us during the most critical period of (our) businesses existence. We most likely would have paid the hackers behind this attack except for the confidence the Progent experts gave us. The fact that you could get our e-mail system and essential applications back in less than seven days was something I thought impossible. Each consultant I talked with or texted at Progent was totally committed on getting us back online and was working day and night to bail us out."

Progent worked with the customer to rapidly determine and prioritize the essential services that had to be addressed to make it possible to restart business operations:

  • Active Directory
  • Microsoft Exchange
  • MRP System
To get going, Progent followed ransomware penetration mitigation best practices by halting lateral movement and cleaning systems of viruses. Progent then initiated the steps of recovering Microsoft AD, the key technology of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not operate without AD, and the customer's accounting and MRP applications utilized SQL Server, which requires Active Directory for access to the information.

Within 2 days, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then initiated setup and storage recovery of essential systems. All Exchange data and configuration information were intact, which greatly helped the restore of Exchange. Progent was also able to locate intact OST files (Outlook Email Offline Folder Files) on user PCs and laptops in order to recover mail information. A not too old offline backup of the client's accounting/MRP systems made it possible to recover these vital applications back servicing users. Although a lot of work still had to be done to recover fully from the Ryuk damage, core systems were restored quickly:


"For the most part, the production line operation survived unscathed and we did not miss any customer deliverables."

During the next month key milestones in the restoration process were accomplished through tight collaboration between Progent consultants and the customer:

  • In-house web sites were returned to operation without losing any data.
  • The MailStore Server exceeding 4 million historical emails was restored to operations and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory functions were 100 percent recovered.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Ninety percent of the desktops and laptops were fully operational.

"A lot of what occurred during the initial response is nearly entirely a fog for me, but my team will not forget the care each and every one of the team accomplished to help get our company back. I have utilized Progent for the past 10 years, maybe more, and every time I needed help Progent has come through and delivered. This event was a life saver."

Conclusion
A possible business-killing disaster was averted by top-tier professionals, a wide array of IT skills, and tight collaboration. Although in post mortem the crypto-ransomware attack described here could have been shut down with up-to-date security technology and NIST Cybersecurity Framework best practices, user and IT administrator training, and well thought out security procedures for data backup and applying software patches, the fact is that government-sponsored hackers from Russia, China and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware incursion, remember that Progent's roster of experts has substantial experience in ransomware virus blocking, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for allowing me to get rested after we made it over the most critical parts. All of you did an amazing job, and if anyone that helped is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Arlington a portfolio of online monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services utilize modern artificial intelligence capability to detect zero-day strains of crypto-ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior-based analysis tools to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and offers a unified platform to manage the entire threat progression including blocking, detection, mitigation, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer security for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP offers firewall protection, penetration alarms, device control, and web filtering through cutting-edge tools packaged within one agent managed from a unified console. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP deployment that addresses your organization's specific requirements and that helps you achieve and demonstrate compliance with government and industry information security regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alerts that require immediate action. Progent's consultants can also assist your company to install and verify a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup software companies to create ProSight Data Protection Services, a family of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS products manage and track your data backup processes and allow transparent backup and fast restoration of vital files, apps, system images, plus VMs. ProSight DPS lets you protect against data loss caused by hardware breakdown, natural disasters, fire, malware like ransomware, user mistakes, malicious employees, or application glitches. Managed services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top information security companies to provide web-based management and comprehensive protection for your inbound and outbound email. The powerful architecture of Email Guard integrates cloud-based filtering with an on-premises gateway appliance to provide advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter serves as a first line of defense and keeps most unwanted email from making it to your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway device provides a further level of analysis for incoming email. For outgoing email, the local gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Exchange Server to monitor and protect internal email traffic that stays inside your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to map, monitor, enhance and troubleshoot their connectivity hardware such as switches, firewalls, and load balancers plus servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept updated, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when problems are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, locating devices that need critical software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to keep your IT system running at peak levels by tracking the state of critical computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT management personnel and your assigned Progent engineering consultant so that all looming issues can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual host configured and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hardware environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard information about your network infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates ,domains or warranties. By updating and organizing your IT documentation, you can save as much as half of time spent searching for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents required for managing your network infrastructure such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you require when you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that utilizes cutting edge behavior-based machine learning tools to guard endpoints and physical and virtual servers against modern malware attacks such as ransomware and email phishing, which routinely escape traditional signature-based anti-virus tools. Progent ASM services safeguard on-premises and cloud-based resources and provides a unified platform to automate the entire threat progression including blocking, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Call Center: Call Center Managed Services
    Progent's Call Center services permit your information technology team to outsource Call Center services to Progent or split responsibilities for Help Desk services transparently between your in-house network support team and Progent's extensive roster of IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a transparent supplement to your in-house IT support team. User interaction with the Help Desk, provision of technical assistance, escalation, trouble ticket creation and tracking, performance measurement, and management of the support database are cohesive whether incidents are taken care of by your corporate network support organization, by Progent, or a mix of the two. Read more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide organizations of any size a flexible and cost-effective alternative for assessing, validating, scheduling, implementing, and tracking updates to your dynamic information network. Besides maximizing the security and functionality of your IT environment, Progent's patch management services allow your IT staff to concentrate on more strategic projects and tasks that derive maximum business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication services incorporate Cisco's Duo cloud technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity verification with iOS, Android, and other personal devices. Using Duo 2FA, when you sign into a secured application and give your password you are requested to verify who you are via a unit that only you have and that uses a separate network channel. A wide range of devices can be used for this added form of authentication including a smartphone or watch, a hardware token, a landline telephone, etc. You can designate several verification devices. To find out more about ProSight Duo two-factor identity validation services, go to Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of real-time and in-depth reporting utilities designed to work with the industry's leading ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues such as inconsistent support follow-through or machines with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For Arlington 24-7 Crypto-Ransomware Recovery Help, reach out to Progent at 800-462-8800 or go to Contact Progent.