Ransomware : Your Worst IT Nightmare
Ransomware  Recovery ExpertsRansomware has become an escalating cyberplague that presents an extinction-level threat for organizations poorly prepared for an attack. Versions of ransomware like the Reveton, WannaCry, Locky, Syskey and MongoLock cryptoworms have been circulating for many years and continue to inflict destruction. The latest variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, plus additional as yet unnamed viruses, not only do encryption of on-line information but also infiltrate any configured system backups. Information synchronized to off-site disaster recovery sites can also be encrypted. In a vulnerable system, this can make automated recovery impossible and basically knocks the entire system back to square one.

Getting back online programs and information after a ransomware outage becomes a sprint against the clock as the victim struggles to stop lateral movement, eradicate the virus, and resume business-critical operations. Since ransomware takes time to spread, assaults are usually sprung during nights and weekends, when penetrations in many cases take longer to recognize. This multiplies the difficulty of rapidly mobilizing and organizing an experienced response team.

Progent provides a variety of solutions for protecting businesses from ransomware penetrations. Among these are staff education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of modern security gateways with artificial intelligence capabilities from SentinelOne to discover and disable zero-day cyber attacks automatically. Progent in addition can provide the assistance of experienced ransomware recovery consultants with the talent and perseverance to rebuild a breached environment as urgently as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware penetration, paying the ransom in cryptocurrency does not provide any assurance that criminal gangs will respond with the codes to decipher any of your information. Kaspersky estimated that seventeen percent of crypto-ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The risk is also very costly. Ryuk ransoms are typically a few hundred thousand dollars. For larger organizations, the ransom demand can reach millions of dollars. The other path is to setup from scratch the key elements of your IT environment. Absent the availability of complete data backups, this calls for a wide range of skills, professional team management, and the capability to work continuously until the task is complete.

For twenty years, Progent has made available professional Information Technology services for businesses throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded top certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally-recognized certifications including CISA, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent in addition has expertise in accounting and ERP applications. This breadth of experience affords Progent the skills to knowledgably understand important systems and consolidate the remaining parts of your computer network system following a crypto-ransomware event and rebuild them into a functioning system.

Progent's ransomware team of experts utilizes state-of-the-art project management tools to coordinate the complicated restoration process. Progent knows the importance of acting rapidly and in unison with a client's management and IT resources to prioritize tasks and to get critical services back on line as soon as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Penetration Recovery
A small business engaged Progent after their network was taken over by the Ryuk crypto-ransomware. Ryuk is thought to have been developed by Northern Korean government sponsored cybercriminals, suspected of using strategies leaked from the U.S. NSA organization. Ryuk targets specific businesses with little tolerance for disruption and is among the most lucrative examples of crypto-ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area with around 500 employees. The Ryuk event had paralyzed all business operations and manufacturing capabilities. Most of the client's information backups had been online at the time of the intrusion and were eventually encrypted. The client was taking steps for paying the ransom (exceeding $200,000) and hoping for the best, but in the end reached out to Progent.


"I can't speak enough about the expertise Progent gave us during the most fearful time of (our) company's existence. We most likely would have paid the Hackers except for the confidence the Progent group gave us. That you were able to get our messaging and critical applications back quicker than a week was beyond my wildest dreams. Each expert I got help from or e-mailed at Progent was absolutely committed on getting our company operational and was working 24/7 to bail us out."

Progent worked with the client to rapidly understand and prioritize the key areas that needed to be addressed in order to continue company operations:

  • Active Directory
  • Electronic Messaging
  • Accounting/MRP
To begin, Progent followed AV/Malware Processes event response industry best practices by isolating and clearing infected systems. Progent then initiated the process of rebuilding Windows Active Directory, the foundation of enterprise networks built on Microsoft technology. Exchange messaging will not operate without AD, and the client's MRP applications utilized Microsoft SQL Server, which needs Active Directory for authentication to the databases.

Within two days, Progent was able to recover Active Directory services to its pre-intrusion state. Progent then accomplished rebuilding and hard drive recovery of key applications. All Exchange Server ties and attributes were intact, which greatly helped the restore of Exchange. Progent was also able to locate local OST files (Outlook Off-Line Data Files) on staff PCs and laptops to recover mail information. A not too old offline backup of the client's accounting/MRP systems made them able to return these vital services back on-line. Although significant work still had to be done to recover fully from the Ryuk damage, core services were returned to operations rapidly:


"For the most part, the manufacturing operation did not miss a beat and we delivered all customer sales."

Over the following month critical milestones in the restoration process were made in close cooperation between Progent engineers and the customer:

  • In-house web sites were restored with no loss of information.
  • The MailStore Server exceeding four million historical emails was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent operational.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Nearly all of the desktops and laptops were back into operation.

"Much of what occurred in the initial days is mostly a blur for me, but our team will not forget the countless hours each and every one of you put in to help get our business back. I've been working together with Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A probable business disaster was avoided due to dedicated experts, a wide array of IT skills, and close collaboration. Although upon completion of forensics the ransomware attack detailed here could have been prevented with modern cyber security technology solutions and recognized best practices, user training, and well designed incident response procedures for data protection and applying software patches, the fact remains that state-sponsored hackers from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware virus, remember that Progent's team of experts has proven experience in crypto-ransomware virus defense, remediation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thanks very much for making it so I could get some sleep after we got past the most critical parts. All of you did an incredible effort, and if anyone that helped is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Baltimore a portfolio of remote monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services incorporate next-generation artificial intelligence capability to detect new strains of crypto-ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior machine learning tools to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-matching AV products. ProSight ASM protects local and cloud resources and offers a unified platform to manage the entire malware attack progression including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and responding to security threats from all vectors. ProSight ESP offers firewall protection, penetration alerts, device management, and web filtering through leading-edge tools packaged within one agent managed from a unified control. Progent's data protection and virtualization experts can assist you to design and implement a ProSight ESP environment that addresses your organization's specific requirements and that allows you prove compliance with government and industry information protection regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that call for immediate action. Progent's consultants can also assist your company to install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with leading backup/restore software companies to create ProSight Data Protection Services, a portfolio of management outsourcing plans that provide backup-as-a-service. ProSight DPS services manage and monitor your data backup operations and allow non-disruptive backup and rapid recovery of vital files, apps, system images, plus virtual machines. ProSight DPS lets your business recover from data loss resulting from hardware failures, natural disasters, fire, cyber attacks like ransomware, user error, malicious insiders, or application glitches. Managed services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading data security companies to deliver centralized control and comprehensive security for your email traffic. The powerful structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway appliance to offer advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based malware. The cloud filter acts as a first line of defense and keeps most threats from making it to your network firewall. This decreases your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a further layer of analysis for inbound email. For outbound email, the on-premises gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to map out, track, enhance and debug their connectivity hardware such as switches, firewalls, and access points as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always current, copies and displays the configuration of almost all devices on your network, monitors performance, and generates notices when issues are detected. By automating time-consuming management and troubleshooting processes, WAN Watch can knock hours off ordinary tasks such as making network diagrams, expanding your network, finding appliances that require important updates, or identifying the cause of performance bottlenecks. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to keep your network running at peak levels by checking the state of critical assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your designated IT staff and your assigned Progent engineering consultant so that all potential problems can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be moved immediately to an alternate hosting environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard data related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSLs or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as half of time wasted looking for vital information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your network infrastructure like recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT information. Whether you're making improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that incorporates next generation behavior machine learning technology to defend endpoints as well as physical and virtual servers against new malware assaults like ransomware and email phishing, which routinely evade traditional signature-matching AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and offers a single platform to manage the entire malware attack lifecycle including blocking, identification, mitigation, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
    Progent's Support Center services allow your information technology group to offload Support Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your in-house support staff and Progent's extensive pool of IT support engineers and subject matter experts. Progent's Shared Service Desk provides a smooth extension of your internal support organization. End user access to the Service Desk, provision of support, problem escalation, ticket generation and updates, performance metrics, and management of the service database are consistent whether incidents are taken care of by your corporate network support organization, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/shared Service Center services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT network. In addition to maximizing the protection and functionality of your IT network, Progent's software/firmware update management services free up time for your in-house IT team to focus on more strategic initiatives and tasks that derive the highest business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication (2FA). Duo enables single-tap identity confirmation on iOS, Android, and other personal devices. Using 2FA, whenever you log into a secured online account and enter your password you are asked to verify your identity via a device that only you possess and that uses a different ("out-of-band") network channel. A wide selection of devices can be used for this second means of ID validation including a smartphone or watch, a hardware token, a landline telephone, etc. You may register multiple validation devices. To learn more about Duo identity validation services, go to Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding family of in-depth management reporting utilities created to integrate with the industry's top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues like spotty support follow-through or machines with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances productivity, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.
For 24x7 Baltimore Ransomware Cleanup Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.