Ransomware : Your Worst IT Nightmare
Crypto-Ransomware Remediation Experts

Ransomware has become an escalating cyberplague that poses an existential danger for businesses poorly prepared for an attack. Versions of ransomware such as the CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for a long time and continue to cause harm. Newer strains of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with additional unnamed variants, not only encrypt on-line files but also encrypt any system restore points and backups they can reach. Data synced to the cloud can also be corrupted. In a vulnerable environment, this can make automatic recovery impossible and effectively sets the datacenter back to square one.

Restoring services and data following a ransomware outage becomes a sprint against time as the targeted business struggles to contain the outbreak, eradicate the malware, and restore business-critical activity. Because ransomware needs time to spread, attacks are frequently launched on weekends, when a successful intrusion is likely to go unnoticed for longer. This compounds the difficulty of promptly assembling and orchestrating a knowledgeable response team.

Progent has a range of services for securing businesses from crypto-ransomware attacks. Among these are team training to help staff recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of security products with machine learning capabilities from SentinelOne to detect and suppress zero-day cyber attacks intelligently. Progent can also provide the assistance of expert ransomware recovery professionals with the track record and commitment to restore a compromised network as soon as possible.

Progent's Ransomware Recovery Support Services
After a crypto-ransomware penetration, paying the ransom in cryptocurrency does not ensure that the remote criminals will respond with the keys to decrypt any of your files. Kaspersky determined that 17% of ransomware victims never restored their information after having sent off the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms are often several hundred thousand dollars. For larger organizations, the ransom demand can be in the millions of dollars. The fallback is to piece back together the vital parts of your IT environment. Without access to complete data backups, this calls for a broad range of IT skills, top-notch team management, and the capability to work continuously until the task is finished.

For twenty years, Progent has made available expert Information Technology services for businesses across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained high-level certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0. (See Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth of experience provides Progent the ability to rapidly identify critical systems and consolidate the remaining pieces of your network system following a ransomware attack and rebuild them into a functioning system.

Progent's security group deploys best-of-breed project management applications to coordinate the complicated restoration process. Progent understands the importance of working quickly and in unison with a client's management and Information Technology resources to prioritize tasks and to put the most important services back on-line as fast as possible.

Customer Case Study: A Successful Ransomware Intrusion Response
A small business escalated to Progent after their network was brought down by Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored criminal gangs, suspected of using technology leaked from America's NSA. Ryuk goes after specific organizations with little or no ability to sustain disruption and is one of the most profitable examples of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business located in the Chicago metro area with around 500 staff members. The Ryuk penetration had frozen all company operations and manufacturing capabilities. Most of the client's data backups had been on-line at the beginning of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (exceeding two hundred thousand dollars) and hoping for the best, but ultimately brought in Progent.


"I cannot tell you enough about the care Progent gave us throughout the most fearful time of (our) company's existence. We would have had little choice but to pay the criminal gangs if it wasn't for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and production applications back online in less than one week was incredible. Each person I spoke to or communicated with at Progent was totally committed to getting us back on-line and was working all day and night to bail us out."

Progent worked hand in hand with the client to quickly identify and prioritize the most important elements that had to be recovered in order to restart company functions:

  • Microsoft Active Directory
  • Email
  • Accounting and Manufacturing Software

To begin, Progent followed anti-virus/malware incident response best practices by stopping lateral movement and performing malware removal steps. Progent then started the work of rebuilding Windows Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Exchange messaging will not work without Active Directory, and the client's accounting and MRP software relied on SQL Server, which requires Active Directory services to authenticate access to the data.

In less than 2 days, Progent was able to recover Active Directory services to their pre-attack state. Progent then assisted with reinstallations and hard drive recovery on critical applications. All Exchange Server schema and attributes were usable, which facilitated the rebuild of Exchange. Progent was able to locate intact OST data files (Outlook Off-Line Data Files) on various desktop computers in order to recover email data. A recent offline backup of the business's accounting systems made it possible to bring these required programs back online. Although a lot of work remained to recover completely from the Ryuk malware, core systems were restored quickly:


"For the most part, the production line operation survived unscathed and we made all customer shipments."

Throughout the next few weeks, critical milestones in the restoration project were completed through tight collaboration between Progent engineers and the customer:

  • Internal web sites were brought back up with no loss of data.
  • The MailStore Exchange Server with over 4 million historical messages was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory functions were fully functional.
  • A new Palo Alto 850 firewall was set up.
  • Ninety percent of the user desktops were functioning as before the incident.

"A huge amount of what was accomplished in the initial days is nearly entirely a fog for me, but our team will not soon forget the urgency each member of the team put in to help get our company back. I have utilized Progent for the past 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A potential enterprise-killing catastrophe was averted with hard-working experts, a broad range of IT skills, and tight teamwork. Post-incident forensics showed that the ransomware incident detailed here could have been identified and stopped with up-to-date cyber security technology and recognized best practices: user education, well-designed incident response procedures, data protection, and keeping systems current with security patches. Even so, the fact remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware penetration, remember that Progent's team of experts has proven experience in crypto-ransomware blocking, remediation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were helping), I'm grateful for making it so I could get some sleep after we made it past the initial push. Everyone did an impressive job, and if any of your guys is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Atlanta a range of remote monitoring and security evaluation services designed to help you to reduce the threat from crypto-ransomware. These services incorporate next-generation artificial intelligence technology to uncover new variants of ransomware that can evade traditional signature-based security solutions.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your network running efficiently by tracking the state of critical computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT management personnel and your Progent consultant so that all potential problems can be resolved before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Desktops
    ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-based solution for monitoring and managing your client-server infrastructure by providing tools for streamlining common time-consuming jobs. These include health monitoring, update management, automated remediation, endpoint configuration, backup and restore, anti-virus response, remote access, standard and custom scripts, resource inventory, endpoint profile reporting, and debugging help. If ProSight LAN Watch with NinjaOne RMM identifies a serious issue, it sends an alert to your specified IT staff and your assigned Progent technical consultant so potential problems can be taken care of before they impact your network. Learn more details about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring consulting.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized organizations to map out, track, reconfigure and debug their connectivity hardware like routers and switches, firewalls, and load balancers as well as servers, printers, client computers and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, captures and manages the configuration of almost all devices on your network, monitors performance, and generates notices when issues are detected. By automating tedious network management activities, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, locating appliances that need important software patches, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding suite of real-time and in-depth reporting plug-ins created to integrate with the industry's top ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues like spotty support follow-through or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with advanced backup/restore software companies to create ProSight Data Protection Services, a family of subscription-based offerings that provide backup-as-a-service. ProSight DPS products manage and monitor your backup operations and enable non-disruptive backup and rapid recovery of critical files, applications, system images, plus virtual machines. ProSight DPS lets you recover from data loss caused by hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, user mistakes, malicious employees, or software glitches. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading information security vendors to provide web-based control and comprehensive protection for your email traffic. The powerful architecture of the Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to provide advanced defense against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external threats and saves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a deeper layer of analysis for incoming email. For outgoing email, the onsite gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Exchange Server to monitor and safeguard internal email that stays inside your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication. Duo supports single-tap identity confirmation on iOS, Google Android, and other personal devices. With Duo 2FA, whenever you sign into a secured online account and enter your password you are asked to verify your identity via a device that only you possess and that is reached over a separate network channel. A wide range of devices can be used for this added form of ID validation, including a smartphone or wearable, a hardware/software token, a landline phone, etc. You may register multiple validation devices. For details about Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication services for access security.

  • Progent's Outsourced/Shared Call Center: Help Desk Managed Services
    Progent's Support Center managed services allow your information technology team to outsource Support Desk services to Progent or split responsibilities for support services transparently between your in-house network support group and Progent's extensive pool of IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a transparent supplement to your in-house support team. End user interaction with the Service Desk, delivery of support, escalation, trouble ticket generation and updates, performance measurement, and management of the service database are consistent whether issues are taken care of by your corporate IT support staff, by Progent, or by a combination. Read more about Progent's outsourced/shared Help Desk services.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning tools to defend endpoint devices as well as servers and VMs against modern malware attacks such as ransomware and email phishing, which routinely escape legacy signature-based anti-virus tools. Progent Active Security Monitoring services safeguard local and cloud-based resources and provide a single platform to address the entire malware attack lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware defense and recovery services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and protect data related to your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSLs or warranties. By cleaning up and managing your network documentation, you can eliminate as much as half of time wasted trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT data. Whether you're making enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide organizations of any size a versatile and cost-effective solution for assessing, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT system. Besides maximizing the protection and reliability of your computer environment, Progent's software/firmware update management services permit your IT staff to focus on more strategic projects and tasks that derive the highest business value from your network. Read more about Progent's patch management support services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported immediately to a different hardware solution without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which routinely escape traditional signature-based anti-virus tools. ProSight ASM protects on-premises and cloud resources and offers a single platform to automate the entire malware attack lifecycle including protection, detection, containment, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge tools packaged within a single agent managed from a unified control. Progent's security and virtualization experts can assist you to design and implement a ProSight ESP deployment that addresses your organization's specific needs and that helps you demonstrate compliance with government and industry data security standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require immediate attention. Progent can also assist you to install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

For Atlanta 24/7/365 Crypto-Ransomware Removal Help, call Progent at 800-462-8800 or go to Contact Progent.