Ransomware: Your Worst IT Nightmare
Ransomware Recovery Professionals
Ransomware has become an all-too-frequent cyber pandemic that presents an enterprise-level danger to businesses unprepared for an attack. Older ransomware families such as Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock have been in the wild for years and still inflict damage. Modern families like Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, along with new and as-yet-unnamed variants appearing daily, not only encrypt online data but also seek out and destroy any backups and recovery mechanisms they can reach. Files synced to the cloud can be encrypted as well. In a poorly isolated data protection solution, this can make recovery impossible and effectively sets the network back to zero.

Recovering programs and data after a crypto-ransomware intrusion becomes a race against the clock as the victim tries to contain the damage, remove the ransomware, and resume business-critical operations. Because encrypting and spreading across a network takes time, attacks are frequently launched on weekends and at night, when intrusions typically take longer to discover. This compounds the difficulty of rapidly assembling and coordinating an experienced response team.
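The encryption phase described above is usually preceded by a short burst of commands that destroy local recovery options (shadow copies, Windows recovery, backup catalogs), and that burst is the last chance to catch the attack before files are lost. The following is an added example written for this page, not Progent's or SentinelOne's code. It scans constructed process-creation log lines in an assumed one-line-per-event format (loosely modelled on Sysmon Event ID 1 / Security 4688 fields; real EVTX/XML needs a different parser), matches the precursor commands that Ryuk and similar families are publicly known to run, and flags whether each hit fell outside assumed business hours, since the page notes attacks are timed for nights and weekends. Host names, users and timestamps in the sample are constructed.

```python
"""Flag ransomware pre-encryption activity in Windows process-creation events.

Added example for this page; it is not Progent's or SentinelOne's code.
Input is a list of constructed log lines in an assumed format:
'<ISO time> host=<h> user=<u> parent=<image> cmd=<command line>'.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Commands ransomware runs before encrypting so that local recovery fails.
# Ryuk, for instance, deletes shadow copies with vssadmin and disables
# Windows recovery with bcdedit; these strings come from public analyses.
PRECURSOR_PATTERNS = {
    "shadow_copy_delete":     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_storage_resize":  re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_recovery_off":   re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "wbadmin_catalog_delete": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
}

# Assumed log line layout; user may contain spaces ("NT AUTHORITY\SYSTEM").
LINE_RE = re.compile(
    r"^(?P<time>\S+) host=(?P<host>\S+) user=(?P<user>.+?) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$"
)

BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 local; weekends are always off-hours


@dataclass
class Finding:
    time: datetime
    host: str
    user: str
    parent: str
    rule: str
    cmd: str

    @property
    def off_hours(self) -> bool:
        # Attacks are typically sprung at night or on weekends; surface that
        # so responders see the timing at a glance.
        return self.time.weekday() >= 5 or self.time.hour not in BUSINESS_HOURS


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Return one Finding per (event, rule) match, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the sweep
        for rule, pattern in PRECURSOR_PATTERNS.items():
            if pattern.search(rec["cmd"]):
                findings.append(Finding(datetime.fromisoformat(rec["time"]),
                                        rec["host"], rec["user"], rec["parent"],
                                        rule, rec["cmd"]))
    return findings


def hosts_to_isolate(findings):
    """Hosts where any precursor fired: first candidates for network isolation."""
    return sorted({f.host for f in findings})


# Constructed sample: a Saturday 02:14 burst on a file server and the MRP
# database host, plus benign vssadmin/notepad use that must not fire.
SAMPLE_LOG = [
    "2020-05-09T02:14:07 host=FILESRV01 user=CORP\\svc_backup parent=cmd.exe cmd=vssadmin.exe Delete Shadows /all /quiet",
    "2020-05-09T02:14:09 host=FILESRV01 user=CORP\\svc_backup parent=cmd.exe cmd=vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    "2020-05-09T02:14:12 host=FILESRV01 user=CORP\\svc_backup parent=cmd.exe cmd=bcdedit /set {default} recoveryenabled No",
    "2020-05-09T02:15:40 host=WS-ACCT17 user=CORP\\jdoe parent=explorer.exe cmd=vssadmin list shadows",
    "2020-05-09T02:16:01 host=MRP-DB01 user=NT AUTHORITY\\SYSTEM parent=cmd.exe cmd=wmic shadowcopy delete",
    "2020-05-11T08:30:00 host=WS-ACCT17 user=CORP\\jdoe parent=explorer.exe cmd=notepad.exe C:\\Users\\jdoe\\notes.txt",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        flag = "OFF-HOURS" if f.off_hours else "business-hours"
        print(f"{f.time:%Y-%m-%d %H:%M} {f.host:10} {f.rule:24} {flag}  {f.cmd}")
    print("isolate:", hosts_to_isolate(hits))
```

A `vssadmin list shadows` from an administrator is deliberately not matched; the patterns key on the destructive verbs. In a real deployment the same rules belong in the EDR or SIEM so the isolation step is automatic rather than a script run after the fact.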

Progent offers an assortment of services for protecting enterprises against crypto-ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) endpoint protection and remote monitoring built on SentinelOne's behavior-analysis technology to detect and contain zero-day threats, and deployment of current-generation security appliances. Progent also provides expert ransomware recovery professionals with the skills and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Support Services
After a ransomware event, even paying the ransom in cryptocurrency provides no assurance that the criminals will respond with the keys needed to decrypt your files. Kaspersky found that seventeen percent of ransomware victims never recovered their data even after paying, compounding their losses. Paying is also expensive: Ryuk ransoms are commonly a few hundred thousand dollars, and for larger enterprises can run into the millions. The alternative is to rebuild the essential elements of your IT environment. Without full, intact backups, this requires a broad range of IT skills, well-coordinated project management, and the capacity to work around the clock until the recovery is complete.

For decades, Progent has provided professional IT services to businesses across the United States and holds Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold high-level certifications in key technologies from Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security experts have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience lets Progent quickly understand important systems, re-organize the surviving parts of your IT environment after a crypto-ransomware attack, and rebuild them into an operational network.

Progent's security team uses best-of-breed project management tools to coordinate the complex recovery process. Progent understands the importance of acting rapidly and in unison with a client's management and IT staff to prioritize tasks and bring key services back online as fast as humanly possible.

Customer Story: A Successful Ransomware Virus Recovery
A client sought out Progent after their network was taken over by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributes its operation to Russian-speaking criminal groups. Ryuk targets specific organizations with little or no tolerance for disruption and is one of the most lucrative ransomware operations to date. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business in the Chicago metro area with around 500 staff members. The Ryuk event had halted all company operations and manufacturing. Most of the client's backups had been directly reachable from the network at the start of the intrusion and were destroyed. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hope for the best, but in the end called Progent.
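The detail that decided this case is that the backups were reachable from the network and were encrypted along with everything else. The first thing a responder needs is a fast, honest measure of what the ransomware actually touched, share by share and backup target by backup target, so restoration can be ordered by damage. The following is an added example written for this page, not Progent's code. It walks a directory tree and classifies each file as a Ryuk ransom note, an encrypted file by extension (Ryuk appends .RYK and drops RyukReadMe.txt/.html; both are public indicators), a high-entropy file (a lead for renamed or unknown variants, never proof), or clean, then ranks directories for restore. The directory layout, file names and contents built by `build_sample_tree()` are constructed for the demo, and the entropy threshold and the list of legitimately high-entropy extensions are assumptions.

```python
"""Triage a file tree for Ryuk-style encryption damage and rank directories for restore.

Added example for this page, not Progent's code. Indicators (.RYK extension,
RyukReadMe notes) are public; the sample tree and thresholds are constructed.
"""
import math
import os
import tempfile
from collections import Counter, defaultdict

RANSOM_EXTENSIONS = {".ryk"}                         # Ryuk appends .RYK to encrypted files
RANSOM_NOTE_NAMES = {"ryukreadme.txt", "ryukreadme.html"}
# Ciphertext approaches 8.0 bits/byte, but so do archives and media, so those
# extensions are not judged on entropy alone; an entropy hit is a lead, not proof.
HIGH_ENTROPY_BITS = 7.9                              # assumed threshold
ALREADY_COMPRESSED = {".zip", ".7z", ".gz", ".rar", ".jpg", ".png", ".mp4", ".pdf", ".docx", ".xlsx"}
HEAD_BYTES = 64 * 1024                               # sample only the head of each file
MIN_SAMPLE = 4096                                    # below this, entropy estimates are too noisy


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: str) -> str:
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if name in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if ext in RANSOM_EXTENSIONS:
        return "encrypted_known_ext"
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    if (len(head) >= MIN_SAMPLE and ext not in ALREADY_COMPRESSED
            and shannon_entropy(head) >= HIGH_ENTROPY_BITS):
        return "high_entropy"
    return "clean"


def triage(root: str) -> dict:
    """Map each directory (relative to root, '/'-separated) to a count per class."""
    report = defaultdict(Counter)
    for dirpath, _, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for fn in files:
            report[rel][classify(os.path.join(dirpath, fn))] += 1
    return {d: dict(c) for d, c in report.items()}


def damage(counts: dict) -> int:
    return sum(v for k, v in counts.items() if k != "clean")


def restore_priority(report: dict) -> list:
    """Directories ordered by damage, worst first; untouched ones last."""
    return sorted(report, key=lambda d: (-damage(report[d]), d))


def build_sample_tree(root: str) -> None:
    """Constructed layout echoing the case: hit shares and a reachable backup target."""
    spec = {
        "shares/finance/ledger.xlsx.RYK": os.urandom(HEAD_BYTES),        # encrypted, renamed by Ryuk
        "shares/finance/RyukReadMe.txt": b"constructed ransom note body\n",
        "shares/finance/payroll.csv": os.urandom(HEAD_BYTES),            # encrypted, extension untouched
        "shares/engineering/drawing_notes.txt": b"Rev B: move bracket 2mm left.\n" * 200,
        "shares/engineering/cad_archive.zip": os.urandom(HEAD_BYTES),    # legitimately high entropy
        "backups/mrp_2020-05-08.bak": os.urandom(HEAD_BYTES),            # backup reachable from the network, now ciphertext
    }
    for rel, content in spec.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo() -> dict:
    """Build the sample tree in a temp dir, triage it, return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    report = demo()
    for d in restore_priority(report):
        print(f"{d:20} {report[d]}")
```

Run against a real share the scan only reads file heads, so it is cheap enough to sweep a file server in the first hour. Its most useful output is often the backup directory line: a backup target that scores as ciphertext was reachable by the attacker, which is exactly the condition that turned this incident into a rebuild.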


"I can't say enough in regards to the support Progent provided us during the most stressful period of (our) businesses survival. We would have paid the criminal gangs if it wasn't for the confidence the Progent group afforded us. That you could get our e-mail and essential applications back into operation faster than one week was something I thought impossible. Every single staff member I spoke to or messaged at Progent was hell bent on getting our system up and was working non-stop on our behalf."

Progent worked with the client to quickly identify and prioritize the key elements that had to be restored in order to resume business operations:

  • Microsoft Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software
To begin, Progent followed incident response best practices by halting lateral movement and cleaning infected systems. Progent then began restoring Microsoft Active Directory, the heart of any environment built on Windows Server. Microsoft Exchange Server will not operate without AD, and the company's MRP system ran on Microsoft SQL Server, which relied on AD for authentication and authorization to its data.

Within 48 hours, Progent had recovered Active Directory to its pre-intrusion state. Progent then completed reinstallations and disk recovery for mission-critical applications. Exchange's Active Directory objects and attributes were intact, which accelerated the Exchange rebuild. Progent collected intact OST files (Microsoft Outlook Offline Data Files) from staff desktops to recover mail. A reasonably recent offline backup of the accounting/MRP system made it possible to bring these essential services back to users. Although much work remained to recover fully from the Ryuk damage, the most important services were restored quickly:


"For the most part, the manufacturing operation never missed a beat and we delivered all customer orders."

Over the following few weeks important milestones in the restoration project were achieved through close cooperation between Progent consultants and the client:

  • In-house web applications were restored with no loss of data.
  • The MailStore Server containing more than four million archived messages was brought online and made accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were 100% recovered.
  • A new Palo Alto Networks PA-850 firewall was brought online.
  • Nearly all of the user desktops were fully operational.

"A huge amount of what transpired during the initial response is mostly a blur for me, but we will not forget the care each and every one of you put in to help get our business back. I have been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has impressed me and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A possible company-ending catastrophe was averted through dedicated experts, a wide array of subject matter expertise, and tight teamwork. In hindsight, the intrusion described here would have been detected and stopped by modern security tooling, ISO/IEC 27001-aligned practices, staff education, properly executed incident response procedures, isolated and tested data protection, and timely security patching. The reality, however, is that ransomware operators, including state-sponsored groups in Russia, China and elsewhere, are relentless and will keep attacking. If you are hit by a crypto-ransomware incident, you can rely on Progent's roster of experts, who have extensive experience in ransomware defense, removal, and information systems disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were helping), I'm grateful for letting me get rested after we made it over the initial fire. Everyone did an impressive job, and if any of your team is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Baltimore a variety of remote monitoring and security evaluation services designed to reduce your exposure to ransomware. These services use modern behavior-analysis and machine-learning technology to detect zero-day variants of crypto-ransomware that evade traditional signature-based defenses.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses SentinelOne's behavior-analysis technology to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which routinely get past traditional signature-based anti-virus products. ProSight ASM protects local and cloud-based resources and offers a single platform to manage the complete attack progression: filtering, identification, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback based on Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly seen attacks. Rollback depends on shadow copies surviving the attack: Ryuk and most current families delete them (for example with vssadmin) before encrypting, so the endpoint agent must block that step for VSS-based rollback to be possible. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis to continuously monitor and respond to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through technologies packaged in one agent managed from a single console. Progent's data protection and virtualization consultants can help you plan and implement a ProSight ESP deployment that addresses your organization's specific requirements and lets you achieve and demonstrate compliance with government and industry data protection standards. Progent will help you specify and implement the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate attention. Progent can also help your company install and test a backup and restore system like ProSight Data Protection Services so you can recover rapidly from a destructive attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has worked with leading backup/restore software providers to produce ProSight Data Protection Services (DPS), a selection of offerings that provide backup-as-a-service. ProSight DPS products manage and monitor your data backup operations and allow transparent backup and fast restoration of critical files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss resulting from hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned insiders, or software bugs. Managed services in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that builds on the infrastructure of leading data security companies to provide centralized management and comprehensive protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service combines cloud-based filtering with a local security gateway appliance to defend against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as the first line of defense and blocks the vast majority of unwanted email before it reaches your network firewall. This decreases your exposure to inbound attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway device provides a deeper level of analysis for incoming email. For outgoing email, the local gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server track and protect internal email that originates and ends within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map out, monitor, optimize and troubleshoot their connectivity appliances such as routers and switches, firewalls, and access points as well as servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that network diagrams are kept updated, captures and displays the configuration of almost all devices on your network, tracks performance, and sends alerts when problems are discovered. By automating complex management processes, WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, locating appliances that require critical updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system running efficiently by tracking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT management staff and your assigned Progent consultant so that any potential problems can be resolved before they can impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved easily to a different hosting solution without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and safeguard data about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT infrastructure documentation, you can save up to half the time spent searching for critical information about your IT network. ProSight IT Asset Management includes a common repository for holding and sharing all documents required for managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that uses next-generation behavior analysis to guard endpoints as well as physical and virtual servers against new malware attacks such as ransomware and email phishing, which easily escape legacy signature-based AV products. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provide a unified platform to address the entire threat progression, including filtering, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Center: Support Desk Managed Services
    Progent's Call Center services permit your information technology team to outsource Support Desk services to Progent or split activity for Service Desk support seamlessly between your internal support group and Progent's nationwide pool of IT support engineers and subject matter experts. Progent's Shared Service Desk provides a smooth extension of your in-house support staff. End user interaction with the Service Desk, delivery of support, problem escalation, ticket generation and tracking, efficiency metrics, and management of the support database are consistent regardless of whether issues are resolved by your internal IT support group, by Progent's team, or by a combination. Learn more about Progent's outsourced/co-managed Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of any size a versatile and cost-effective solution for assessing, validating, scheduling, applying, and documenting software and firmware updates to your dynamic information system. Besides maximizing the protection and reliability of your computer environment, Progent's software/firmware update management services allow your IT team to focus on line-of-business projects and tasks that derive the highest business value from your information network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication (2FA). Duo enables single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, when you sign into a secured application and give your password you are requested to verify your identity via a device that only you possess and that is accessed using a separate network channel. A broad selection of out-of-band devices can be used for this second means of ID validation such as an iPhone or Android or watch, a hardware/software token, a landline phone, etc. You may designate multiple verification devices. For more information about ProSight Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding family of real-time management reporting plug-ins created to work with the industry's top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues like inconsistent support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For Baltimore 24-7 Crypto-Ransomware Cleanup Help, call Progent at 800-462-8800 or go to Contact Progent.