Ransomware : Your Crippling Information Technology Disaster
Ransomware Remediation Consultants

Crypto-ransomware has become an escalating cyberplague that presents an enterprise-level danger for organizations poorly prepared for an attack. Versions of ransomware like the CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been out in the wild for many years and continue to inflict havoc. Newer versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Egregor, as well as frequent as-yet-unnamed malware, not only encrypt on-line data files but also infect any configured system protection mechanisms. Files synchronized to cloud environments can also be ransomed. In a poorly designed environment, this can render automatic restoration useless and knocks the datacenter back to square one.

Recovering programs and information following a ransomware outage becomes a sprint against time as the targeted business struggles to contain the damage, remove the ransomware, and restore business-critical operations. Since ransomware requires time to spread, penetrations are frequently sprung at night, when a successful penetration typically takes longer to recognize. This multiplies the difficulty of rapidly marshalling and organizing a qualified response team.

Progent makes available an assortment of services for protecting organizations from crypto-ransomware penetrations. These include staff training to help identify and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of next-generation security gateways with AI capabilities from SentinelOne to discover and quarantine zero-day threats intelligently. Progent in addition can provide the assistance of seasoned crypto-ransomware recovery professionals with the track record and commitment to reconstruct a breached environment as rapidly as possible.

Progent's Ransomware Restoration Services
After a ransomware event, paying the ransom in cryptocurrency does not guarantee that distant criminals will respond with the keys to decipher any or all of your data. Kaspersky Labs ascertained that 17% of ransomware victims never restored their files after having paid the ransom, resulting in increased losses. The ransom itself is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to re-install the mission-critical parts of your Information Technology environment. Absent the availability of essential system backups, this calls for a wide range of skill sets, professional team management, and the ability to work non-stop until the task is complete.

For twenty years, Progent has offered professional Information Technology services for companies in Bellevue and across the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained high-level industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security specialists have garnered internationally-recognized certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in accounting and ERP application software. This breadth of expertise provides Progent the capability to rapidly identify necessary systems and integrate the surviving parts of your Information Technology system following a ransomware attack and configure them into an operational network.

Progent's ransomware group has powerful project management systems to orchestrate the complicated restoration process. Progent understands the urgency of acting rapidly and in unison with a customer's management and Information Technology team members to assign priority to tasks and to put the most important systems back on line as soon as possible.

Client Case Study: A Successful Ransomware Virus Response
A small business contacted Progent after their network was penetrated by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored criminal gangs, suspected of using strategies leaked from the U.S. National Security Agency. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most lucrative iterations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer based in Chicago with about 500 workers. The Ryuk event had disabled all essential operations and manufacturing processes. The majority of the client's system backups had been on-line at the beginning of the attack and were eventually encrypted. The client considered paying the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately made the decision to use Progent.


"I cannot tell you enough about the expertise Progent provided us throughout the most critical time of (our) business's survival. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent group afforded us. The fact that you were able to get our e-mail and critical servers back into operation in fewer than five days was earth shattering. Every single person I interacted with or texted at Progent was totally committed to getting us back on-line and was working 24 by 7 on our behalf."

Progent worked hand in hand with the client to rapidly understand and prioritize the essential areas that had to be recovered in order to restart departmental functions:

  • Microsoft Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software

To get going, Progent adhered to anti-virus/malware incident mitigation best practices by isolating systems and cleaning them of viruses. Progent then began the work of bringing Microsoft AD back online, the heart of enterprise systems built upon Microsoft Windows Server technology. Microsoft Exchange email will not function without AD, and the business's financials and MRP system used Microsoft SQL Server, which relies on Active Directory for authentication and authorization to the data.

In less than 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then performed rebuilding and storage recovery of the most important applications. All Exchange Server ties and configuration information were intact, which accelerated the restore of Exchange. Progent was able to locate local OST files (Outlook Offline Folder Files) on user workstations to recover mail data. A recent off-line backup of the business's accounting/ERP software allowed these required applications to be restored back on-line. Although significant work remained to recover fully from the Ryuk event, core services were returned to operation rapidly:


"For the most part, the production operation never missed a beat and we produced all customer deliverables."

During the next few weeks important milestones in the recovery project were completed in close collaboration between Progent team members and the customer:

  • In-house web sites were brought back up with no loss of data.
  • The MailStore Server, holding more than 4 million archived emails, was brought back up and made available to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables/Inventory functions were fully recovered.
  • A new Palo Alto Networks 850 security appliance was brought online.
  • Most of the user desktops were fully operational.

"Much of what went on in the initial days is nearly entirely a fog for me, but my management will not forget the countless hours all of the team accomplished to help get our company back. I have entrusted Progent for at least 10 years, possibly more, and each time Progent has come through and delivered. This event was a testament to your capabilities."

Conclusion
A probable business disaster was averted by top-tier experts, a wide array of knowledge, and close collaboration. In retrospect, the ransomware incident detailed here could have been stopped with current cyber security technology and best practices, user training, and properly executed incident response procedures for data backup and for keeping systems up to date with security patches. The fact remains, however, that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incursion, feel confident that Progent's team of professionals has substantial experience in ransomware blocking, removal, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for allowing me to get rested after we made it over the most critical parts. Everyone made an impressive effort, and if any of you guys is around the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Bellevue a portfolio of remote monitoring and security assessment services designed to help you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation artificial intelligence technology to uncover zero-day variants of ransomware that can evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior machine learning tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which routinely escape legacy signature-matching AV products. ProSight ASM safeguards on-premises and cloud-based resources and offers a single platform to address the complete threat lifecycle including protection, identification, mitigation, remediation, and forensics. Top features include one-click rollback using Windows VSS and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical in-depth protection for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP provides firewall protection, penetration alerts, device control, and web filtering through leading-edge tools packaged within one agent managed from a unified console. Progent's security and virtualization consultants can help your business to design and implement a ProSight ESP environment that addresses your company's specific requirements and that helps you prove compliance with government and industry information security regulations. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent's consultants can also assist your company to set up and verify a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with advanced backup software companies to produce ProSight Data Protection Services, a portfolio of management outsourcing plans that provide backup-as-a-service. ProSight DPS products manage and track your data backup processes and enable non-disruptive backup and fast restoration of important files, applications, images, plus virtual machines. ProSight DPS lets you recover from data loss caused by equipment failures, natural disasters, fire, malware like ransomware, user error, ill-intentioned employees, or application glitches. Managed services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security companies to deliver web-based control and comprehensive security for all your email traffic. The hybrid structure of Email Guard managed service integrates a Cloud Protection Layer with an on-premises security gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks most threats from making it to your security perimeter. This reduces your vulnerability to inbound threats and saves network bandwidth and storage. Email Guard's on-premises gateway device provides a deeper level of inspection for inbound email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map, monitor, reconfigure and troubleshoot their networking appliances such as switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch ensures that network maps are always current, captures and displays the configuration of almost all devices on your network, monitors performance, and generates alerts when problems are detected. By automating complex management and troubleshooting processes, WAN Watch can knock hours off common tasks such as network mapping, expanding your network, locating appliances that need critical software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by checking the health of vital assets that power your information system. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your designated IT personnel and your Progent consultant so all looming issues can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be ported easily to an alternate hardware solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be alerted automatically about impending expirations of SSLs or domains. By updating and organizing your IT infrastructure documentation, you can save as much as 50% of time thrown away looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're making enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes cutting-edge behavior analysis technology to guard endpoint devices as well as physical and virtual servers against modern malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-matching anti-virus products. Progent ASM services safeguard local and cloud-based resources and offer a single platform to manage the entire threat lifecycle including protection, detection, containment, remediation, and post-attack forensics. Top features include single-click rollback with Windows VSS and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Center: Help Desk Managed Services
    Progent's Support Desk managed services allow your information technology group to offload Help Desk services to Progent or divide activity for Service Desk support transparently between your internal support staff and Progent's nationwide pool of certified IT support engineers and subject matter experts. Progent's Shared Service Desk offers a seamless supplement to your internal network support team. Client interaction with the Help Desk, delivery of support, issue escalation, ticket creation and updates, efficiency measurement, and management of the service database are cohesive regardless of whether issues are resolved by your internal network support organization, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide organizations of all sizes a versatile and cost-effective alternative for assessing, testing, scheduling, implementing, and documenting updates to your dynamic IT system. Besides optimizing the security and reliability of your computer network, Progent's patch management services permit your in-house IT staff to focus on line-of-business projects and tasks that derive maximum business value from your information network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication managed services incorporate Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication. Duo enables single-tap identity verification on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a protected online account and enter your password, you are requested to verify your identity on a device that only you have and that is accessed using a different network channel. A broad range of out-of-band devices can be used for this added means of ID validation, such as a smartphone or wearable, a hardware/software token, or a landline phone. You may designate several validation devices. For more information about Duo two-factor identity authentication services, visit Cisco Duo MFA two-factor authentication services for access security.

For 24x7x365 Bellevue Ransomware Remediation Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.