Ransomware : Your Worst IT Nightmare
Crypto-Ransomware  Recovery ExpertsCrypto-Ransomware has become a too-frequent cyberplague that represents an enterprise-level threat for organizations vulnerable to an assault. Versions of crypto-ransomware like the CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for years and continue to cause harm. More recent versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, as well as more unnamed viruses, not only do encryption of online critical data but also infiltrate most accessible system protection. Information synched to the cloud can also be ransomed. In a poorly designed environment, it can make automated recovery useless and effectively knocks the network back to square one.

Getting back services and data after a ransomware event becomes a race against time as the targeted organization struggles to contain the damage, eradicate the ransomware, and restore enterprise-critical operations. Due to the fact that ransomware needs time to replicate, penetrations are often sprung on weekends, when attacks in many cases take longer to discover. This compounds the difficulty of quickly mobilizing and organizing a capable response team.

Progent has a variety of help services for securing enterprises from ransomware attacks. These include team education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of modern security solutions with artificial intelligence capabilities from SentinelOne to discover and quarantine new cyber attacks rapidly. Progent in addition offers the assistance of seasoned ransomware recovery engineers with the skills and perseverance to re-deploy a compromised system as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
Following a crypto-ransomware penetration, even paying the ransom demands in cryptocurrency does not provide any assurance that criminal gangs will respond with the keys to decrypt all your data. Kaspersky determined that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms are often a few hundred thousand dollars. For larger enterprises, the ransom can be in the millions. The other path is to re-install the essential components of your Information Technology environment. Without access to essential system backups, this requires a broad range of skills, well-coordinated team management, and the ability to work 24x7 until the job is finished.

For two decades, Progent has offered expert IT services for businesses throughout the US and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned top industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity consultants have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, SANS GIAC, and CMMC 2.0. (See Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience provides Progent the capability to quickly understand necessary systems and organize the surviving pieces of your Information Technology environment after a ransomware event and assemble them into a functioning network.

Progent's recovery team has powerful project management applications to coordinate the complex restoration process. Progent knows the urgency of working swiftly and in concert with a client's management and IT resources to prioritize tasks and to get essential services back on line as fast as possible.

Case Study: A Successful Ransomware Attack Recovery
A business contacted Progent after their network was taken over by Ryuk ransomware. Ryuk is generally considered to have been deployed by Northern Korean state hackers, suspected of adopting algorithms leaked from the U.S. NSA organization. Ryuk seeks specific businesses with little or no tolerance for disruption and is among the most lucrative incarnations of crypto-ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in Chicago and has around 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing capabilities. Most of the client's data protection had been on-line at the start of the intrusion and were eventually encrypted. The client was taking steps for paying the ransom demand (more than $200,000) and hoping for the best, but in the end called Progent.


"I cannot tell you enough about the expertise Progent gave us throughout the most stressful period of (our) company's survival. We had little choice but to pay the criminal gangs if not for the confidence the Progent team gave us. The fact that you were able to get our messaging and production applications back faster than five days was incredible. Every single staff member I got help from or e-mailed at Progent was laser focused on getting us restored and was working 24 by 7 on our behalf."

Progent worked together with the client to rapidly assess and prioritize the essential services that needed to be addressed in order to restart company operations:

  • Windows Active Directory
  • Microsoft Exchange Email
  • MRP System
To get going, Progent followed ransomware event response industry best practices by halting the spread and clearing up compromised systems. Progent then initiated the task of recovering Microsoft AD, the foundation of enterprise environments built upon Microsoft Windows technology. Exchange email will not function without Windows AD, and the client's accounting and MRP system leveraged SQL Server, which requires Active Directory services for security authorization to the data.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then accomplished rebuilding and storage recovery on needed systems. All Microsoft Exchange Server ties and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was also able to find non-encrypted OST files (Microsoft Outlook Offline Data Files) on user workstations to recover email information. A recent off-line backup of the businesses accounting systems made them able to restore these essential services back online. Although major work remained to recover completely from the Ryuk damage, essential services were returned to operations rapidly:


"For the most part, the assembly line operation showed little impact and we produced all customer shipments."

Throughout the following month important milestones in the restoration project were accomplished through close cooperation between Progent engineers and the customer:

  • Self-hosted web applications were returned to operation with no loss of information.
  • The MailStore Server containing more than four million historical emails was brought online and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were fully restored.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • 90% of the desktops and laptops were functioning as before the incident.

"A huge amount of what occurred in the initial days is nearly entirely a blur for me, but my management will not soon forget the care all of the team put in to give us our business back. I have been working with Progent for the past 10 years, possibly more, and every time Progent has come through and delivered as promised. This situation was a Herculean accomplishment."

Conclusion
A potential enterprise-killing disaster was averted due to dedicated experts, a wide spectrum of knowledge, and close collaboration. Although in hindsight the ransomware incident detailed here could have been identified and stopped with current cyber security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, and properly executed incident response procedures for data backup and keeping systems up to date with security patches, the fact is that government-sponsored hackers from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of professionals has substantial experience in ransomware virus blocking, mitigation, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), thank you for making it so I could get rested after we got through the initial fire. All of you did an incredible effort, and if anyone that helped is around the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Baltimore a variety of online monitoring and security assessment services to help you to reduce your vulnerability to ransomware. These services incorporate next-generation machine learning capability to detect zero-day strains of ransomware that can evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior-based analysis tools to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily get by legacy signature-matching AV products. ProSight ASM protects on-premises and cloud resources and offers a single platform to manage the entire malware attack lifecycle including blocking, detection, mitigation, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and reacting to cyber assaults from all vectors. ProSight ESP offers firewall protection, penetration alarms, device management, and web filtering via leading-edge tools incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can assist you to design and implement a ProSight ESP environment that addresses your organization's unique requirements and that allows you prove compliance with government and industry information security standards. Progent will assist you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent can also help you to set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup technology providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service. ProSight DPS products manage and track your backup processes and enable non-disruptive backup and fast restoration of critical files, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss caused by hardware failures, natural calamities, fire, malware like ransomware, user mistakes, ill-intentioned insiders, or application bugs. Managed services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security vendors to provide centralized management and comprehensive security for your email traffic. The powerful architecture of Progent's Email Guard managed service integrates cloud-based filtering with a local security gateway appliance to provide advanced protection against spam, viruses, Dos Attacks, DHAs, and other email-borne malware. The cloud filter serves as a first line of defense and keeps most unwanted email from making it to your security perimeter. This decreases your exposure to inbound threats and saves system bandwidth and storage. Email Guard's onsite gateway appliance adds a further level of inspection for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, track, optimize and debug their connectivity appliances like routers, firewalls, and load balancers plus servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always current, captures and manages the configuration information of virtually all devices on your network, tracks performance, and generates notices when problems are detected. By automating complex network management activities, ProSight WAN Watch can knock hours off ordinary tasks such as network mapping, reconfiguring your network, locating appliances that require critical software patches, or isolating performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by checking the health of critical assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT management staff and your Progent consultant so any looming issues can be addressed before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hardware environment without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and protect data related to your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates ,domains or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as half of time thrown away looking for vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates next generation behavior machine learning technology to guard endpoints as well as physical and virtual servers against new malware assaults such as ransomware and file-less exploits, which easily evade traditional signature-based anti-virus tools. Progent ASM services safeguard on-premises and cloud-based resources and offers a single platform to automate the complete threat lifecycle including filtering, identification, mitigation, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Read more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Help Desk: Call Center Managed Services
    Progent's Help Desk services enable your IT group to offload Help Desk services to Progent or split responsibilities for support services seamlessly between your internal support staff and Progent's nationwide roster of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a smooth extension of your internal IT support group. Client interaction with the Service Desk, delivery of support, issue escalation, trouble ticket generation and updates, efficiency metrics, and management of the support database are cohesive regardless of whether issues are resolved by your core support staff, by Progent's team, or a mix of the two. Read more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide businesses of all sizes a flexible and affordable alternative for assessing, validating, scheduling, applying, and documenting updates to your ever-evolving IT network. In addition to maximizing the security and reliability of your computer network, Progent's patch management services permit your in-house IT team to concentrate on line-of-business projects and activities that derive maximum business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication. Duo enables single-tap identity verification on iOS, Google Android, and other personal devices. With 2FA, when you log into a protected online account and give your password you are asked to confirm who you are via a unit that only you have and that is accessed using a different ("out-of-band") network channel. A wide range of out-of-band devices can be used for this second means of ID validation including an iPhone or Android or watch, a hardware token, a landline phone, etc. You can designate several validation devices. To find out more about Duo identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time reporting tools created to integrate with the industry's top ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues such as inconsistent support follow-up or machines with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For Baltimore 24x7x365 Crypto Recovery Experts, call Progent at 800-462-8800 or go to Contact Progent.