Ransomware : Your Crippling IT Catastrophe
Crypto-Ransomware Recovery Professionals
Crypto-ransomware has become a modern cyber pandemic and represents an enterprise-level threat for businesses of all sizes. Different versions of crypto-ransomware such as the Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been in the wild for many years and still inflict harm. Recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with frequent unnamed newcomers, not only encrypt critical online data but also compromise every accessible system protection mechanism. Data replicated to cloud environments can also be encrypted. In a vulnerable data protection solution, this can render automated recovery impossible and essentially knocks the entire system back to square one.

Getting applications and data back online after a ransomware attack becomes a sprint against the clock as the victim tries to stop the spread, clean up the ransomware, and restore business-critical activity. Because ransomware needs time to move laterally, attacks are frequently launched at night, when successful intrusions often take longer to recognize. This multiplies the difficulty of rapidly assembling and orchestrating a capable response team.

Progent offers an assortment of services for protecting businesses from crypto-ransomware attacks. These include team education to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security solutions with AI capabilities from SentinelOne to identify and quarantine zero-day cyber attacks. Progent also offers the services of veteran crypto-ransomware recovery consultants with the skill and commitment to rebuild a breached environment as rapidly as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that the remote criminals will respond with the keys to decrypt any or all of your data. Kaspersky Labs found that seventeen percent of crypto-ransomware victims never recovered their data even after paying the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC ($120,000 to $400,000). This is significantly higher than the typical crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to piece back together the key parts of your IT environment. Without access to essential backups, this requires a wide range of IT skills, top-notch team management, and the ability to work 24x7 until the job is done.

For two decades, Progent has provided expert IT services for businesses in Baltimore and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold high-level certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security experts hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of experience gives Progent the capability to understand the necessary systems, integrate the remaining parts of your IT environment following a ransomware event, and rebuild them into an operational network.

Progent's security group uses top-notch project management systems to orchestrate the complex recovery process. Progent understands the importance of acting swiftly and working together with a customer's management and IT staff to prioritize tasks and put critical systems back online as fast as possible.

Client Story: A Successful Ransomware Intrusion Restoration
A business sought out Progent after their organization was penetrated by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean state cybercriminals, suspected of adopting technology leaked from America's National Security Agency. Ryuk targets specific organizations with little tolerance for disruption and is among the most profitable variants of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in Chicago with about 500 staff members. The Ryuk event had shut down all essential business operations and manufacturing capabilities. The majority of the client's data backups had been directly accessible at the start of the attack and were encrypted. The client was pursuing financing to pay the ransom (more than $200K) and hoping for the best, but ultimately decided to engage Progent.


"I can't thank you enough in regards to the help Progent provided us throughout the most stressful time of (our) business's survival. We would have paid the Hackers if not for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and important servers back online quicker than five days was earth shattering. Each person I interacted with or texted at Progent was totally committed to getting us operational and was working at breakneck pace to bail us out."

Progent worked together with the client to quickly identify and prioritize the most important elements that needed to be addressed to make it possible to continue business operations:

  • Active Directory
  • Microsoft Exchange Server
  • Financials/MRP
To start, Progent followed industry best practices for anti-virus incident response by stopping the spread and cleaning up infected systems. Progent then began recovering Active Directory, the heart of enterprise networks built on Microsoft technology. Exchange email will not operate without Active Directory, and the client's MRP applications used Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the data.

Within two days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then performed reinstallations and hard drive recovery on the needed servers. All Exchange Server schema and configuration information was usable, which accelerated the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Offline Folder Files) on various PCs and laptops to recover mail data. A reasonably recent offline backup of the business's accounting/MRP software allowed these essential applications to be returned to users. Although a large amount of work remained to recover fully from the Ryuk attack, essential systems were restored rapidly:


"For the most part, the production line operation ran fairly normal throughout and we did not miss any customer deliverables."

During the following few weeks important milestones in the recovery process were achieved through tight cooperation between Progent team members and the customer:

  • Internal web applications were restored with no loss of data.
  • The MailStore Server, holding more than 4 million archived messages, was brought online and made available to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were fully operational.
  • A new Palo Alto 850 security appliance was deployed.
  • 90% of the user desktops and notebooks were back into operation.

"A huge amount of what transpired those first few days is nearly entirely a fog for me, but our team will not soon forget the urgency all of the team put in to help get our company back. I have been working with Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered as promised. This event was the most impressive ever."

Conclusion
A potentially company-ending disaster was averted through the efforts of dedicated experts, a broad spectrum of subject matter expertise, and close collaboration. In hindsight, the ransomware attack detailed here should have been identified and prevented with modern security technology and NIST Cybersecurity Framework best practices, staff education, and appropriate incident response procedures for data backup and patching controls; the reality, however, is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware incident, remember that Progent's roster of professionals has a proven track record in ransomware defense, mitigation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), I'm grateful for allowing me to get rested after we made it through the initial fire. All of you did an impressive job, and if any of your team is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Baltimore a portfolio of online monitoring and security assessment services designed to help you reduce the threat from ransomware. These services incorporate modern artificial intelligence technology to uncover new strains of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's cutting edge behavior analysis tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily evade legacy signature-based anti-virus products. ProSight ASM safeguards on-premises and cloud resources and provides a single platform to address the complete malware attack lifecycle including filtering, detection, containment, cleanup, and forensics. Top capabilities include single-click rollback with Windows VSS and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services offer affordable multi-layer security for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint control, and web filtering through leading-edge tools incorporated within a single agent managed from a single console. Progent's security and virtualization experts can help your business to plan and configure a ProSight ESP environment that addresses your company's specific needs and that allows you achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require urgent action. Progent can also assist your company to set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore technology companies to create ProSight Data Protection Services (DPS), a portfolio of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and enable non-disruptive backup and rapid restoration of vital files/folders, apps, system images, and virtual machines. ProSight DPS lets your business recover from data loss caused by equipment failures, natural disasters, fire, malware like ransomware, user mistakes, malicious insiders, or software glitches. Managed backup services available in the ProSight Data Protection Services product line include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security companies to provide centralized management and world-class protection for your email traffic. The powerful structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to provide complete protection against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer acts as a first line of defense and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and saves system bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of inspection for inbound email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also help Exchange Server monitor and protect internal email traffic that stays inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, monitor, optimize and troubleshoot their connectivity appliances such as routers, switches, firewalls, and access points, as well as servers, endpoints and other devices. Incorporating state-of-the-art RMM technology, WAN Watch makes sure that infrastructure topology diagrams are always current, backs up and manages the configuration of almost all devices connected to your network, tracks performance, and sends alerts when potential issues are discovered. By automating tedious network management activities, WAN Watch can cut hours off ordinary chores such as network mapping, reconfiguring your network, locating appliances that need critical updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) technology to help keep your network operating at peak levels by checking the state of the vital assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT management personnel and your Progent consultant so that potential problems can be addressed before they impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Since the environment is virtualized, it can be moved immediately to a different hardware solution without a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect information related to your IT infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or domains. By cleaning up and managing your network documentation, you can eliminate up to half of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management provides a centralized location for holding and collaborating on all documents required for managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're making improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes next generation behavior analysis tools to guard endpoint devices and physical and virtual servers against new malware assaults like ransomware and email phishing, which routinely escape legacy signature-matching anti-virus products. Progent Active Security Monitoring services protect local and cloud-based resources and offers a single platform to automate the entire threat lifecycle including protection, identification, containment, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Desk: Help Desk Managed Services
    Progent's Call Desk services allow your IT team to outsource Support Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your internal support staff and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a transparent supplement to your corporate IT support organization. End user interaction with the Help Desk, provision of support, issue escalation, ticket generation and tracking, efficiency measurement, and maintenance of the support database are cohesive regardless of whether incidents are resolved by your core network support resources, by Progent, or a mix of the two. Read more about Progent's outsourced/co-managed Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of any size a versatile and cost-effective alternative for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT network. Besides optimizing the security and reliability of your IT network, Progent's software/firmware update management services permit your in-house IT team to concentrate on line-of-business initiatives and activities that deliver maximum business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to protect against password theft through the use of two-factor authentication. Duo supports one-tap identity verification with iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a protected online account and enter your password, you are asked to verify your identity on a device that only you have and that uses a different ("out-of-band") network channel. A broad selection of devices can be used for this second factor, such as a smartphone or watch, a hardware token, or a landline telephone. You can register multiple verification devices. For more information about Duo identity verification services, refer to Duo MFA two-factor authentication services for access security.
For 24/7 Baltimore CryptoLocker Repair Services, contact Progent at 800-462-8800 or go to Contact Progent.