Ransomware: Your Worst IT Nightmare
Ransomware has become an escalating cyber pandemic that poses an extinction-level threat to organizations poorly prepared for an assault. Long-established crypto-ransomware families like Dharma, WannaCry, Locky, Syskey and MongoLock have been around for a long time and still inflict harm. Recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, plus additional unnamed malware, not only encrypt online data files but also corrupt any system restore points and backups they can reach. Data synced to off-site disaster recovery sites can also be ransomed. In a vulnerable environment, this can render automated recovery useless and effectively knocks the datacenter back to square one.

Restoring applications and data after a ransomware event becomes a race against time as the targeted business fights to contain and remove the ransomware and to resume mission-critical activity. Because ransomware needs time to move laterally, attacks are frequently launched at night, when a successful penetration tends to take longer to uncover. This compounds the difficulty of promptly assembling and orchestrating an experienced mitigation team.

Progent provides an assortment of services for protecting organizations from crypto-ransomware penetrations. These include training staff to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of AI-based security solutions from SentinelOne to detect and disable new cyber attacks. Progent can also provide expert crypto-ransomware recovery consultants with the track record and perseverance to reconstruct a breached system as quickly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom in cryptocurrency provides no assurance that the criminals will return the keys needed to decrypt any or all of your data. Kaspersky Labs ascertained that 17% of ransomware victims never recovered their files even after sending off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms often range from 15-40 BTC (roughly $120,000 to $400,000), significantly higher than the typical ransomware demand, which ZDNET estimates at approximately $13,000. The fallback is to set up from scratch the mission-critical components of your Information Technology environment. Absent essential data backups, this calls for a wide range of IT skills, top-notch project management, and the ability to work non-stop until the recovery project is completed.

For twenty years, Progent has offered expert Information Technology services to businesses in Atlanta and throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold high-level industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cybersecurity specialists have earned internationally recognized industry certifications including CISM, CISSP, CRISC, and GIAC (visit Progent's certifications). Progent also has expertise in financial management and ERP application software. This breadth of expertise gives Progent the skills to knowledgeably identify critical systems, salvage the usable remaining parts of your network after a crypto-ransomware penetration, and reassemble them into a functioning system.

Progent's security team uses top-notch project management systems to orchestrate the complex restoration process. Progent appreciates the importance of working quickly and in unison with a customer's management and Information Technology resources to prioritize tasks and to put key services back online as soon as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A client escalated to Progent after their organization was attacked by the Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean government-sponsored criminal gangs, suspected of using technology leaked from America's NSA. Ryuk targets organizations with little or no ability to sustain disruption and is one of the most profitable incarnations of ransomware. Well-known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer based in Chicago with around 500 employees. The Ryuk intrusion had disabled all essential operations and manufacturing capabilities. Most of the client's system backups had been directly accessible when the attack began and were damaged. The client considered paying the ransom (more than $200K) and hoping for the best, but in the end engaged Progent.


"I can't say enough about the support Progent gave us during the most critical time of (our) company's survival. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent team afforded us. That you could get our e-mail and key applications back online in less than a week was amazing. Each staff member I worked with or messaged at Progent was hell bent on getting us restored and was working at all hours to bail us out."

Progent worked with the customer to quickly understand and prioritize the essential elements that had to be recovered before departmental functions could resume:

  • Active Directory
  • Electronic Mail
  • MRP System

To start, Progent followed industry best practices for malware incident containment by isolating and cleaning up infected systems. Progent then began recovering Microsoft Active Directory, the heart of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not operate without AD, and the customer's MRP system ran on SQL Server, which relies on Active Directory for authentication to the database.

Within 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then completed setup and disk recovery of the most important servers. All Exchange data and configuration information were usable, which greatly sped up the rebuild of Exchange. Progent was able to recover email messages by gathering the local OST files (Outlook Offline Data Files) cached on staff workstations and laptops. A reasonably recent offline backup of the business's financial/MRP software made it possible to bring these vital applications back online. Although a large amount of work remained to recover completely from the Ryuk attack, essential services were returned to operation quickly:


"For the most part, the manufacturing operation did not miss a beat and we made all customer shipments."

Over the following month, key milestones in the restoration project were accomplished in close collaboration between Progent consultants and the client:

  • In-house web sites were brought back up with no loss of data.
  • The MailStore email archive server, holding over four million historical Exchange messages, was restored to operation and made accessible to users.
  • CRM, customer orders, invoicing, accounts payable (AP), accounts receivable (AR), and inventory functions were 100% operational.
  • A new Palo Alto 850 security appliance was brought online.
  • Most user desktops were back in service.

"Much of what went on in the early hours is nearly entirely a haze for me, but my team will not forget the countless hours each and every one of your team put in to help get our business back. I've utilized Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered. This situation was a Herculean accomplishment."

Conclusion
A potential business-extinction catastrophe was averted through hard-working experts, a wide range of technical expertise, and tight teamwork. In hindsight, the ransomware attack described here should have been prevented by modern security technology and best practices, user and IT administrator training, and properly executed procedures for data backup and for keeping systems current with security patches. The reality, however, is that government-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of experts has extensive experience in crypto-ransomware blocking, remediation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were helping), thank you for letting me get some sleep after we made it through the initial fire. Everyone did an amazing job, and if anyone is in the Chicago area, dinner is on me!"

To read or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Atlanta a variety of remote monitoring and security evaluation services designed to reduce your vulnerability to crypto-ransomware. These services incorporate modern machine learning to detect zero-day strains of ransomware that evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's next-generation behavior analysis tools to guard physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which easily slip past traditional signature-based AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to manage the complete malware attack lifecycle, including filtering, infiltration detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer economical multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis to continuously monitor and respond to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge tools packaged within one agent accessible from a unified console. Progent's data protection and virtualization experts can help you plan and implement a ProSight ESP environment that meets your organization's specific requirements and allows you to prove compliance with legal and industry data protection standards. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent's consultants can also help your company set up and test a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with leading backup technology companies to produce ProSight Data Protection Services (DPS), a family of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS services manage and track your data backup processes and enable non-disruptive backup and rapid restoration of critical files/folders, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss caused by hardware breakdown, natural disasters, fire, malware such as ransomware, user mistakes, ill-intentioned employees, or software bugs. Managed services in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of top information security companies to deliver centralized management and comprehensive security for all your inbound and outbound email. The Email Guard managed service combines cloud-based filtering with a local security gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-based threats. The cloud filter acts as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to external threats and conserves network bandwidth and storage. Email Guard's onsite gateway appliance provides a deeper layer of analysis for incoming email. For outgoing email, the onsite security gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also assist Exchange Server in monitoring and safeguarding internal email traffic that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map, monitor, reconfigure and troubleshoot their connectivity hardware, such as routers, switches, firewalls, and load balancers, plus servers, endpoints and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept current, captures and manages the configuration of virtually all devices on your network, monitors performance, and sends notices when problems are discovered. By automating complex management processes, WAN Watch can knock hours off ordinary chores such as network mapping, reconfiguring your network, finding devices that require important updates, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network running efficiently by checking the health of critical assets that power your business network. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so that all potential issues can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hosting environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to create, update, retrieve and protect information about your network infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can save as much as 50% of the time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that utilizes next-generation behavior analysis technology to guard endpoints, servers and VMs against modern malware assaults like ransomware and file-less exploits, which routinely slip past traditional signature-matching anti-virus tools. Progent ASM services safeguard local and cloud-based resources and provide a unified platform to automate the complete malware attack lifecycle, including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Learn more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Service Desk: Call Center Managed Services
    Progent's Support Desk managed services enable your information technology team to offload Help Desk services to Progent or split responsibilities for Service Desk support transparently between your in-house network support staff and Progent's nationwide roster of IT support engineers and subject matter experts. Progent's Co-managed Service Desk offers a seamless extension of your corporate support staff. User interaction with the Service Desk, provision of support services, escalation, ticket generation and updates, performance metrics, and management of the service database are consistent regardless of whether issues are resolved by your in-house network support staff, by Progent's team, or by a combination. Learn more about Progent's outsourced/co-managed Service Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer organizations of any size a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and documenting updates to your dynamic IT network. Besides maximizing the security and reliability of your IT network, Progent's patch management services permit your IT staff to concentrate on more strategic projects and activities that deliver the highest business value from your network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to protect against compromised passwords through two-factor authentication. Duo supports single-tap identity verification with iOS, Android, and other out-of-band devices. With 2FA, when you log into a protected online account and give your password, you are asked to confirm who you are on a device that only you have and that is reached over a different ("out-of-band") network channel. A wide selection of devices can serve as this added means of ID validation, such as an iPhone, an Android phone, a smartwatch, a hardware token, or a landline phone. You can register multiple validation devices. For more information about ProSight Duo identity authentication services, see Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding family of real-time and in-depth management reporting tools created to integrate with the leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as spotty support follow-up or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.

For Atlanta 24-Hour CryptoLocker Repair Consultants, call Progent at 800-462-8800 or go to Contact Progent.