Ransomware : Your Crippling Information Technology Nightmare
Ransomware  Remediation ConsultantsRansomware has become a modern cyber pandemic that represents an extinction-level danger for businesses poorly prepared for an assault. Versions of crypto-ransomware like the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been replicating for a long time and continue to cause damage. Recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with daily unnamed newcomers, not only encrypt on-line files but also infect many accessible system protection. Information synchronized to off-site disaster recovery sites can also be corrupted. In a poorly architected system, this can render any restoration hopeless and basically sets the datacenter back to zero.

Getting back on-line applications and data following a ransomware event becomes a sprint against time as the targeted business struggles to stop lateral movement and eradicate the ransomware and to restore mission-critical operations. Since ransomware requires time to replicate, penetrations are often launched on weekends and holidays, when successful attacks are likely to take more time to recognize. This multiplies the difficulty of rapidly mobilizing and coordinating an experienced mitigation team.

Progent has a range of help services for securing businesses from ransomware events. Among these are user training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of modern security solutions with machine learning capabilities from SentinelOne to identify and extinguish zero-day cyber threats intelligently. Progent also offers the assistance of seasoned crypto-ransomware recovery engineers with the talent and commitment to re-deploy a breached network as rapidly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware attack, sending the ransom in Bitcoin cryptocurrency does not ensure that cyber hackers will return the needed codes to decipher any of your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the usual ransomware demands, which ZDNET estimates to be in the range of $13,000. The fallback is to re-install the vital parts of your Information Technology environment. Without the availability of complete system backups, this calls for a broad range of skill sets, professional project management, and the willingness to work 24x7 until the job is completed.

For twenty years, Progent has provided certified expert IT services for businesses in Bellevue and across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have been awarded high-level certifications in key technologies like Microsoft, Cisco, VMware, and major distros of Linux. Progent's security engineers have earned internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of expertise provides Progent the skills to rapidly determine necessary systems and organize the remaining components of your Information Technology environment after a ransomware penetration and rebuild them into a functioning network.

Progent's ransomware group uses top notch project management systems to orchestrate the complicated restoration process. Progent knows the importance of acting swiftly and in concert with a customer's management and IT staff to assign priority to tasks and to get critical applications back on line as soon as humanly possible.

Business Case Study: A Successful Ransomware Intrusion Recovery
A business sought out Progent after their network system was taken over by Ryuk ransomware virus. Ryuk is generally considered to have been developed by Northern Korean state cybercriminals, possibly using strategies leaked from the U.S. NSA organization. Ryuk goes after specific organizations with little ability to sustain operational disruption and is among the most profitable examples of ransomware. Well Known targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in Chicago and has about 500 employees. The Ryuk attack had paralyzed all company operations and manufacturing processes. The majority of the client's information backups had been on-line at the start of the attack and were eventually encrypted. The client was pursuing financing for paying the ransom (in excess of $200K) and wishfully thinking for good luck, but ultimately brought in Progent.


"I cannot speak enough in regards to the support Progent gave us throughout the most critical time of (our) businesses survival. We most likely would have paid the cybercriminals except for the confidence the Progent group afforded us. The fact that you were able to get our messaging and essential applications back quicker than seven days was beyond my wildest dreams. Each staff member I interacted with or communicated with at Progent was totally committed on getting our company operational and was working 24/7 to bail us out."

Progent worked together with the client to rapidly determine and prioritize the essential elements that needed to be addressed to make it possible to resume business operations:

  • Microsoft Active Directory
  • E-Mail
  • MRP System
To begin, Progent followed ransomware incident mitigation industry best practices by isolating and cleaning up infected systems. Progent then initiated the work of bringing back online Microsoft Active Directory, the foundation of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange email will not operate without AD, and the client's accounting and MRP system leveraged Microsoft SQL, which needs Windows AD for security authorization to the database.

In less than 48 hours, Progent was able to rebuild Active Directory services to its pre-intrusion state. Progent then accomplished rebuilding and storage recovery on the most important servers. All Microsoft Exchange Server ties and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to locate intact OST data files (Microsoft Outlook Off-Line Data Files) on team PCs and laptops to recover email messages. A recent offline backup of the customer's accounting/MRP systems made it possible to restore these required programs back available to users. Although significant work remained to recover fully from the Ryuk damage, the most important systems were recovered rapidly:


"For the most part, the production manufacturing operation never missed a beat and we made all customer sales."

Over the following month important milestones in the restoration project were achieved through tight cooperation between Progent consultants and the customer:

  • Internal web sites were brought back up without losing any information.
  • The MailStore Server with over four million historical emails was restored to operations and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory functions were completely functional.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Ninety percent of the user desktops were operational.

"A huge amount of what transpired in the initial days is nearly entirely a fog for me, but our team will not soon forget the urgency each of the team put in to give us our business back. I've been working together with Progent for the past ten years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This event was a stunning achievement."

Conclusion
A probable business catastrophe was evaded due to top-tier professionals, a wide spectrum of IT skills, and close collaboration. Although upon completion of forensics the crypto-ransomware virus penetration described here should have been identified and blocked with current cyber security solutions and recognized best practices, team education, and appropriate security procedures for information backup and keeping systems up to date with security patches, the fact remains that government-sponsored cybercriminals from Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware penetration, feel confident that Progent's team of experts has proven experience in crypto-ransomware virus defense, mitigation, and information systems disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), I'm grateful for making it so I could get rested after we got past the initial push. Everyone did an fabulous effort, and if anyone is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Bellevue a range of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence capability to detect zero-day variants of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's next generation behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which easily evade legacy signature-based anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a unified platform to automate the complete threat progression including protection, identification, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable in-depth protection for physical servers and VMs, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint management, and web filtering through leading-edge tools incorporated within one agent accessible from a single control. Progent's data protection and virtualization experts can help you to plan and implement a ProSight ESP environment that addresses your company's unique requirements and that helps you prove compliance with legal and industry information protection regulations. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent's consultants can also help you to install and test a backup and restore system such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore software providers to produce ProSight Data Protection Services, a selection of management offerings that provide backup-as-a-service. ProSight DPS products automate and track your data backup processes and enable transparent backup and fast recovery of important files/folders, apps, images, plus virtual machines. ProSight DPS lets you protect against data loss caused by equipment failures, natural calamities, fire, cyber attacks like ransomware, user error, malicious insiders, or software glitches. Managed backup services in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of leading data security companies to deliver centralized control and comprehensive protection for all your inbound and outbound email. The hybrid structure of Email Guard managed service integrates cloud-based filtering with a local gateway device to offer complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The cloud filter acts as a preliminary barricade and blocks the vast majority of threats from making it to your security perimeter. This reduces your vulnerability to external threats and conserves system bandwidth and storage space. Email Guard's on-premises gateway device adds a further level of inspection for incoming email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also help Exchange Server to track and protect internal email that originates and ends within your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, track, optimize and troubleshoot their networking appliances such as routers and switches, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are always updated, copies and manages the configuration of virtually all devices on your network, tracks performance, and sends alerts when issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off ordinary tasks like making network diagrams, reconfiguring your network, locating appliances that need important updates, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management technology to help keep your IT system running at peak levels by tracking the health of vital assets that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT management staff and your assigned Progent engineering consultant so any potential issues can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the apps. Since the system is virtualized, it can be moved easily to a different hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect information related to your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can save as much as half of time thrown away searching for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates cutting edge behavior-based analysis technology to defend endpoint devices and physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which routinely evade legacy signature-based anti-virus products. Progent ASM services safeguard local and cloud resources and offers a single platform to manage the entire threat progression including filtering, detection, mitigation, remediation, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Call Center: Support Desk Managed Services
    Progent's Help Desk services enable your IT staff to outsource Call Center services to Progent or split activity for support services transparently between your in-house network support team and Progent's extensive roster of IT service technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a seamless supplement to your in-house IT support organization. User access to the Service Desk, delivery of technical assistance, escalation, trouble ticket creation and tracking, performance measurement, and management of the support database are consistent whether issues are taken care of by your in-house network support organization, by Progent, or by a combination. Read more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer organizations of any size a flexible and cost-effective solution for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving information network. In addition to optimizing the security and reliability of your IT environment, Progent's patch management services allow your in-house IT staff to concentrate on line-of-business initiatives and activities that derive maximum business value from your network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication (2FA). Duo supports single-tap identity verification on iOS, Google Android, and other personal devices. With Duo 2FA, when you log into a secured online account and give your password you are requested to confirm your identity via a unit that only you have and that is accessed using a separate network channel. A wide range of devices can be used as this added means of ID validation including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You can register several verification devices. For details about Duo identity authentication services, visit Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of real-time and in-depth reporting utilities designed to integrate with the leading ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues like spotty support follow-up or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For 24-Hour Bellevue Ransomware Cleanup Consultants, call Progent at 800-462-8800 or go to Contact Progent.