Ransomware: Your Crippling Information Technology Catastrophe
Crypto-Ransomware Recovery Experts
Ransomware has become an escalating cyber pandemic that poses an enterprise-level danger to businesses of all sizes that are vulnerable to attack. Older families of ransomware such as CryptoLocker, Fusob, Locky, SamSam and the MongoLock cryptoworms have been spreading for years and still inflict damage. Modern strains such as Ryuk, Maze, Sodinokibi, Netwalker, Conti and Nephilim, along with other as-yet-unnamed malware, not only encrypt on-line files but also corrupt every system restore point and backup they can reach. Data synchronized to the cloud can also be ransomed. In a vulnerable system, this can render automated recovery useless and effectively knock the network back to zero.
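The loss of restore points described above usually begins with the malware deleting shadow copies and disabling recovery on each host, behaviour that MITRE ATT&CK catalogues as T1490 (Inhibit System Recovery). The following Python is an added detection example, not code from Progent or from this page: it scans constructed process-creation events (hypothetical hosts and users) for the command-line patterns defenders commonly alert on, and triages hosts by how many such commands they ran.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed process-creation events for illustration only (not real telemetry).
# Three of them match documented T1490 techniques; two are benign backup activity.
SAMPLE_EVENTS = [
    {"host": "ws-012", "user": "CORP\\jdoe", "parent": "winword.exe",
     "cmdline": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"},
    {"host": "fs-01", "user": "CORP\\backupsvc", "parent": "services.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "ws-044", "user": "CORP\\asmith", "parent": "cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "fs-01", "user": "CORP\\backupsvc", "parent": "services.exe",
     "cmdline": "wbadmin start backup -backupTarget:\\\\nas01\\backups -include:D:"},
    {"host": "ws-012", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
]

# Detection rules: name plus a case-insensitive pattern over the command line.
# Listing or creating shadow copies/backups is deliberately NOT matched.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    cmdline: str


def detect_recovery_inhibition(events):
    """Return one Alert per event whose command line matches a T1490 rule."""
    alerts = []
    for ev in events:
        for rule, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append(Alert(ev["host"], ev["user"], rule, ev["cmdline"]))
                break  # one alert per event is enough; first matching rule wins
    return alerts


def triage(alerts):
    """Severity per host: a single match is 'high'; more than one recovery-
    inhibition command on the same host is 'critical', which in practice
    usually means an encryptor is already running there."""
    per_host = Counter(a.host for a in alerts)
    return {host: ("critical" if n > 1 else "high") for host, n in per_host.items()}


if __name__ == "__main__":
    found = detect_recovery_inhibition(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.host} {a.user}: {a.cmdline}")
    print(triage(found))
```

Feed real process-creation telemetry (for example Sysmon event ID 1 or EDR process events) into `detect_recovery_inhibition` in the same dict shape; the parent-process field is carried along so an analyst can see that a document editor, not a backup agent, spawned the command.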

Bringing programs and data back on-line after a ransomware outage becomes a race against the clock as the targeted organization fights to contain and remove the crypto-ransomware and to resume business-critical activity. Because ransomware needs time to move laterally, attacks are frequently launched on weekends and at night, when a successful penetration is likely to go unnoticed for longer. This compounds the difficulty of promptly assembling and coordinating a knowledgeable mitigation team.

Progent offers a range of services for protecting organizations from ransomware penetrations. These include training staff to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security gateways with AI technology from SentinelOne to detect and shut down zero-day cyber attacks rapidly. Progent also offers the services of expert ransomware recovery engineers with the skill and perseverance to redeploy a breached system as quickly as possible.

Progent's Ransomware Restoration Support Services
After a crypto-ransomware penetration, paying the ransom in Bitcoin does not guarantee that the criminal gang will provide the keys needed to decrypt all your data. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC ($120,000 to $400,000), far above the typical ransomware demand, which ZDNET determined to be around $13,000. The alternative is to rebuild the critical parts of your Information Technology environment from scratch. Without full data backups, this calls for a broad range of skills, well-coordinated team management, and the willingness to work around the clock until the job is done.

For twenty years, Progent has provided certified expert Information Technology services to companies in Baltimore and across the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC (see Progent's certifications). Progent also has expertise in financial systems and ERP software. This breadth of expertise gives Progent the skills to identify critical systems efficiently, organize the surviving parts of your network after a crypto-ransomware penetration, and assemble them into a functioning system.

Progent's recovery team uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent appreciates the importance of working rapidly and closely with a client's management and IT staff to prioritize tasks and bring the most important services back on line as fast as humanly possible.

Case Study: A Successful Ransomware Attack Response
A client sought out Progent after their company was brought down by the Ryuk ransomware. Ryuk is thought to have been created by North Korean state-sponsored criminal gangs, suspected of adopting technology leaked from America's NSA. Ryuk targets specific companies with limited ability to sustain operational disruption and is one of the most profitable ransomware strains. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago with about 500 employees. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's data backups had been on-line at the time of the intrusion and were damaged. The client was preparing to pay the ransom (more than $200,000) and hoping for the best, but in the end called Progent.


"I cannot speak enough about the expertise Progent provided us throughout the most fearful time of (our) business's life. We most likely would have paid the cyber criminals if not for the confidence the Progent team gave us. The fact that you could get our e-mail system and important applications back into operation sooner than a week was something I thought impossible. Each consultant I interacted with or communicated with at Progent was amazingly focused on getting us back online and was working day and night on our behalf."

Progent worked together with the customer to rapidly identify and assign priority to the mission critical systems that needed to be restored in order to restart company functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • MRP System

To begin, Progent followed incident response best practices for malware outbreaks: halting the spread and removing active infections. Progent then began rebuilding Windows Active Directory, the foundation of enterprise systems built on Microsoft technology. Exchange messaging will not operate without AD, and the business's accounting and MRP software used Microsoft SQL Server, which relies on Windows AD for database access.

Within 2 days, Progent had rebuilt Windows Active Directory to its pre-intrusion state. Progent then began reinstalling key applications and recovering their data. All Exchange data and attributes were intact, which accelerated the Exchange restore. Progent was able to locate intact OST files (Outlook Off-Line Data Files) on staff desktops and laptops and used them to recover mail messages. A recent off-line backup of the customer's accounting/MRP systems made it possible to bring these essential applications back to users. Although much work remained to recover fully from the Ryuk incident, core services were restored rapidly:
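The restoration sequence above is dictated by dependencies: Exchange and SQL Server need Active Directory, and the MRP system needs SQL Server, while the off-line backup decided which systems could be restored rather than rebuilt. The following Python is an added example, not Progent's tooling and not code from this page, that turns such a service inventory into a dependency-respecting restoration order, reports which services can be worked on next, and flags which ones must be rebuilt because no off-line backup survived. The inventory, its priorities and the intranet entry are constructed to mirror the case study, not data taken from the page.

```python
import heapq
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    priority: int                  # 1 = most business-critical (assumed values)
    depends_on: list = field(default_factory=list)
    offline_backup: bool = False   # True if a backup survived off-line


# Constructed inventory modelled on the case study (assumption, not page data).
INVENTORY = [
    Service("Active Directory", 1),
    Service("Exchange Server", 2, ["Active Directory"]),
    Service("SQL Server", 2, ["Active Directory"], offline_backup=True),
    Service("Accounting/MRP", 1, ["SQL Server"], offline_backup=True),
    Service("Intranet web sites", 3, ["Active Directory"]),
]


def _index(services):
    """Map names to services and reject references to unknown dependencies."""
    by_name = {s.name: s for s in services}
    for s in services:
        for dep in s.depends_on:
            if dep not in by_name:
                raise KeyError(f"{s.name} depends on unknown service {dep!r}")
    return by_name


def recovery_order(services):
    """Kahn's topological sort: dependencies first; business priority breaks ties.
    Raises ValueError if the dependency graph contains a cycle."""
    by_name = _index(services)
    indegree = {name: len(s.depends_on) for name, s in by_name.items()}
    dependents = {name: [] for name in by_name}
    for s in services:
        for dep in s.depends_on:
            dependents[dep].append(s.name)
    ready = [(s.priority, s.name) for s in services if indegree[s.name] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (by_name[child].priority, child))
    if len(order) != len(by_name):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"circular dependency among {stuck}")
    return order


def next_wave(services, restored):
    """Services not yet restored whose dependencies are all restored,
    ordered by business priority, then name."""
    by_name = _index(services)
    ready = [s.name for s in services
             if s.name not in restored
             and all(dep in restored for dep in s.depends_on)]
    return sorted(ready, key=lambda n: (by_name[n].priority, n))


def recovery_plan(services):
    """(service, action) steps in restoration order; a service with no surviving
    off-line backup has to be rebuilt or reconstructed from surviving data."""
    by_name = _index(services)
    return [(name, "restore from off-line backup" if by_name[name].offline_backup
             else "rebuild or recover from surviving data")
            for name in recovery_order(services)]


if __name__ == "__main__":
    for step, (name, action) in enumerate(recovery_plan(INVENTORY), 1):
        print(f"{step}. {name}: {action}")
```

During an incident the `next_wave` call is the useful one: as each service comes back, add it to the `restored` set and the function names the systems the team can start on in parallel, so nobody wastes hours on a service whose directory or database is not back yet.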


"For the most part, the production manufacturing operation did not miss a beat and we did not miss any customer deliverables."

Throughout the following month important milestones in the recovery process were achieved in close cooperation between Progent team members and the customer:

  • In-house web sites were brought back up with no loss of information.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was restored to operation and made available to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control capabilities were fully operational.
  • A new Palo Alto Networks 850 firewall was installed.
  • 90% of the user workstations were fully operational.

"A huge amount of what happened those first few days is mostly a fog for me, but we will not soon forget the urgency each and every one of you put in to help get our business back. I've been working together with Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This situation was a testament to your capabilities."

Conclusion
A potentially business-ending disaster was avoided through hard-working professionals, a broad range of IT skills, and close collaboration. In retrospect, the crypto-ransomware incident described here could have been stopped by up-to-date security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, properly executed information protection procedures, and proper patching controls. Nevertheless, the reality remains that state-sponsored cyber criminal gangs from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, remember that Progent's team of experts has proven experience in crypto-ransomware defense, removal, and data restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thank you for letting me get some sleep after we got over the first week. All of you did a fabulous job, and if anyone that helped is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this customer case study, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Baltimore a range of online monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services include next-generation artificial intelligence capability to detect zero-day strains of ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that uses SentinelOne's cutting-edge behavior analysis technology to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely escape legacy signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to address the complete malware attack lifecycle: protection, detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and react to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge technologies incorporated within one agent managed from a single console. Progent's security and virtualization experts can help you plan and configure a ProSight ESP deployment that addresses your organization's specific requirements and that allows you to prove compliance with government and industry information protection standards. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent attention. Progent can also help you set up and test a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly after a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup software companies to produce ProSight Data Protection Services, a family of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup operations and allow transparent backup and rapid restoration of critical files/folders, apps, system images, plus VMs. ProSight DPS lets you protect against data loss resulting from hardware failures, natural calamities, fire, cyber attacks like ransomware, human error, ill-intentioned insiders, or application bugs. Managed services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top data security companies to deliver centralized control and world-class security for your email traffic. The powerful structure of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises security gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter acts as a preliminary barricade and blocks the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to inbound threats and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance adds a further layer of analysis for incoming email. For outgoing email, the local security gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to monitor and protect internal email traffic that originates and ends within your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller businesses to map out, monitor, reconfigure and debug their connectivity appliances such as routers and switches, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network maps are kept current, copies and manages the configuration of almost all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, locating devices that require critical software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to help keep your network running at peak levels by tracking the state of vital computers that drive your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted automatically to your designated IT personnel and your Progent consultant so all looming problems can be resolved before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host configured and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved immediately to a different hosting environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard data related to your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be warned about impending expirations of SSLs or domains. By updating and organizing your network documentation, you can eliminate up to half of time spent searching for vital information about your network. ProSight IT Asset Management features a centralized location for storing and sharing all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates cutting-edge behavioral machine learning tools to defend endpoints, servers and VMs against modern malware attacks like ransomware and email phishing, which routinely evade legacy signature-based AV products. Progent's Active Security Monitoring services protect local and cloud-based resources and provide a unified platform to manage the complete malware attack progression: blocking, detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Desk: Call Center Managed Services
    Progent's Support Desk managed services permit your information technology staff to offload Help Desk services to Progent or divide activity for support services seamlessly between your internal network support resources and Progent's nationwide roster of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a seamless supplement to your corporate IT support organization. Client interaction with the Help Desk, delivery of support, problem escalation, trouble ticket generation and tracking, efficiency metrics, and management of the support database are consistent regardless of whether incidents are resolved by your core network support resources, by Progent, or by a combination. Find out more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management provide organizations of all sizes a versatile and cost-effective alternative for assessing, testing, scheduling, implementing, and tracking updates to your ever-evolving information network. Besides maximizing the security and reliability of your computer network, Progent's patch management services allow your in-house IT staff to focus on more strategic projects and activities that derive the highest business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication services incorporate Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication (2FA). Duo supports single-tap identity verification on iOS, Google Android, and other personal devices. With Duo 2FA, when you sign into a protected application and enter your password you are asked to verify your identity via a device that only you have and that is reached over a separate network channel. A wide selection of out-of-band devices can be used for this second factor, including a smartphone or watch, a hardware token, or a landline phone, and you can designate several validation devices. For details about Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.

For Baltimore 24/7 CryptoLocker Recovery Help, reach out to Progent at 800-462-8800 or go to Contact Progent.