Ransomware : Your Worst IT Disaster
Crypto-Ransomware Recovery Consultants
Crypto-ransomware has become an escalating cyber plague that presents an existential danger to businesses poorly prepared for an attack. Ransomware families such as CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been circulating for years and still cause destruction. Newer variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nefilim, along with others not yet named, do not stop at encrypting online files: they also seek out and encrypt or delete every backup reachable from the compromised network. Data synchronized to cloud storage can be ransomed too, because the sync client uploads the encrypted copies in place of the originals. In a vulnerable environment this can make automated recovery hopeless and effectively sets the entire system back to square one.

Getting services and data back online after a crypto-ransomware attack becomes a race against time as the victim fights to contain the damage, eradicate the ransomware and restore business-critical activity. Because attackers need time to move laterally and stage the encryption, the payload is often triggered at night, when the intrusion takes longer to notice. This compounds the difficulty of quickly assembling and organizing a qualified response team.

Progent offers an assortment of services for protecting businesses from crypto-ransomware attacks. These include user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of next-generation SentinelOne endpoint protection, which uses machine-learning behavior analysis to detect and disable zero-day threats quickly. Progent can also provide seasoned ransomware recovery consultants with the track record and commitment to restore a breached environment as quickly as possible.

Progent's Ransomware Restoration Services
Following a ransomware event, even paying the ransom in Bitcoin does not guarantee that the criminals will hand over a working decryption key for any or all of your files. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their data even after sending the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the average crypto-ransomware demand, which ZDNet put at around $13,000. The alternative is to piece the critical components of your IT environment back together. Without full, uncompromised backups, this requires a wide complement of skill sets, top-notch project management, and the ability to work around the clock until the job is done.

For two decades, Progent has provided expert IT services for businesses in Bellevue and throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants with top certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity specialists hold internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC (see Progent's certifications). Progent also has expertise with accounting and ERP applications. This breadth of experience lets Progent quickly identify the systems that must be rebuilt after a ransomware attack, salvage the parts of your network that survived, and bring them back together into an operational environment.

Progent's recovery team uses project management tools to coordinate the complex recovery process. Progent understands the urgency of acting quickly and works with the client's management and IT staff to prioritize tasks and bring the most important systems back online as soon as humanly possible.

Client Story: A Successful Crypto-Ransomware Attack Recovery
A mid-sized business engaged Progent after its network was taken over by Ryuk crypto-ransomware. Ryuk was at first attributed to North Korean state-sponsored attackers, suspected of using techniques leaked from America's National Security Agency; later analysis by security researchers instead attributed it to a Russian-speaking criminal group. Ryuk targets specific businesses with little or no tolerance for operational disruption and is among the most lucrative ransomware families. Publicized targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago with around 500 employees. The Ryuk attack had disabled all essential business and manufacturing operations. Most of the client's backups had been online at the time of the attack and were encrypted along with everything else. The client considered paying the ransom (in excess of $200K) and hoping for the best, but instead reached out to Progent.


"I can't say enough about the help Progent gave us through the most critical time of our company's existence. We would have had little choice but to pay the cybercriminals if it weren't for the confidence the Progent group afforded us. The fact that you could get our e-mail system and critical servers back into operation in less than a week was amazing. Every single staff member I worked with or communicated with at Progent was absolutely committed to getting my company operational and was working 24/7 on our behalf."

Progent worked hand in hand with the client to quickly identify and prioritize the mission-critical systems that had to be restored before company operations could resume:

  • Windows Active Directory
  • Email
  • MRP System
To begin, Progent followed industry best practices for ransomware incident response: isolating affected hosts to stop lateral movement and cleaning infected systems before rebuilding. Progent then began bringing Microsoft Active Directory back online, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange Server will not work without Active Directory, and the client's accounting and MRP system ran on Microsoft SQL Server, which relied on Windows AD authentication to grant access to the data.

In less than 48 hours, Progent had rebuilt Windows Active Directory to its pre-attack state. Progent then moved on to rebuilding the needed applications and recovering their storage. Because Exchange Server keeps its schema and configuration in Active Directory, that information survived intact and simplified the Exchange rebuild. Progent was also able to locate Outlook Offline Folder (OST) files on user workstations and laptops and recover mail messages from them; an OST is a cached copy of a user's mailbox, so the messages had to be exported from it rather than simply mounted. A recent offline backup of the client's financial/MRP software made it possible to bring these vital services back online. Although a great deal of work remained to recover completely from the Ryuk event, the most important systems were restored quickly:
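The client's online backups were encrypted while a recent offline backup was not. Before restoring from any backup set after an attack like this, a practitioner wants a quick way to tell whether the copies in it are still intact. The script below is an added example, not Progent's tooling or anything used in this incident: it walks a backup tree and labels each file as a ransom note, encrypted (by an appended ransom extension, by a format header that no longer matches, or by ciphertext-like entropy) or intact, and then decides whether the set is safe to restore from. The ransom extension and note name lists, the magic-byte table, the entropy threshold and the sample files it builds are all constructed assumptions for the demonstration and should be tuned from your own incident's samples.

```python
"""Triage a backup tree after a ransomware event: which files still look intact?

Added example (not Progent's tooling). Ransomware overwrites file contents with
ciphertext, so an intact file keeps its format's magic bytes while an encrypted
one reads as near-random data and often carries an appended extension.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# ASSUMPTION: tune these from the ransom note and samples of your own incident.
# .RYK and RyukReadMe.txt are the extension and note name commonly reported for Ryuk.
RANSOM_EXTENSIONS = {".ryk", ".encrypted", ".locked"}
RANSOM_NOTE_NAMES = {"ryukreadme.txt", "ryukreadme.html"}
# Magic bytes an intact file of these formats must still start with.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
}
ENTROPY_THRESHOLD = 7.5   # bits/byte: ciphertext approaches 8.0, plain text sits near 4-5
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read, so large trees stay cheap


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Label one file: ransom_note, encrypted_by_extension,
    encrypted_header_mismatch, encrypted_by_entropy, or intact."""
    if path.name.lower() in RANSOM_NOTE_NAMES:
        return "ransom_note"
    suffix = path.suffix.lower()
    if suffix in RANSOM_EXTENSIONS:
        return "encrypted_by_extension"
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if suffix in MAGIC:
        # Compressed formats are high-entropy by nature, so judge them by header only.
        return "intact" if head.startswith(MAGIC[suffix]) else "encrypted_header_mismatch"
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "encrypted_by_entropy"
    return "intact"


def triage_tree(root: Path) -> dict:
    """Walk `root` and return {label: [relative paths]} for every regular file."""
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            report.setdefault(classify_file(p), []).append(str(p.relative_to(root)))
    return report


def backup_usable(report: dict) -> bool:
    """A backup set is only restore-worthy if nothing in it was touched by the attacker."""
    return all(label == "intact" for label in report)


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (not from any real incident) exercising each rule."""
    rng = random.Random(2024)
    noise = lambda n: bytes(rng.randrange(256) for _ in range(n))
    (root / "notes.txt").write_text("weekly production schedule\n" * 200)   # intact text
    (root / "invoice.docx").write_bytes(b"PK\x03\x04" + noise(4096))         # intact zip-based doc
    (root / "drawing.dwg.RYK").write_bytes(noise(4096))                      # appended ransom extension
    (root / "report.pdf").write_bytes(noise(4096))                           # header overwritten
    (root / "mrp.db").write_bytes(noise(8192))                               # unknown type, ciphertext-like
    (root / "RyukReadMe.txt").write_text("placeholder ransom note text\n")   # constructed note


def demo() -> dict:
    """Build the sample tree in a temp dir, triage it, and return the report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return triage_tree(root)


if __name__ == "__main__":
    result = demo()
    for label, files in result.items():
        print(f"{label}: {files}")
    print("backup usable:", backup_usable(result))
```

Run it directly to see the report on the constructed tree, or point triage_tree at a mounted backup volume. The header check is what keeps the entropy rule honest: .docx, .zip and image files are high-entropy by nature and would otherwise be misclassified as ciphertext.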


"For the most part, the production line operation never missed a beat and we produced all customer deliverables."

Over the following month, the Progent team and the client reached the remaining critical milestones of the recovery project in close collaboration:

  • Internal web sites were restored with no loss of data.
  • The MailStore email archive server, holding more than four million archived Exchange messages, was restored and made accessible to users.
  • The CRM, product ordering, invoicing, accounts payable, accounts receivable and inventory modules were fully functional.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Nearly all desktops and laptops were back in use by staff.

"A lot of what happened that first week is nearly entirely a fog for me, but my management will not soon forget the dedication all of you showed to give us our company back. I've been working with Progent for at least 10 years, possibly more, and each time I needed help Progent has shined and delivered. This situation was a testament to your capabilities."

Conclusion
A likely business-killing catastrophe was averted through hard-working professionals, a wide spectrum of technical expertise, and tight teamwork. Post-incident analysis showed that the attack described here would have been stopped by current security technology combined with NIST Cybersecurity Framework best practices: user education, properly executed backup procedures that keep copies offline, and systems kept current with security patches. But the reality is that well-funded cyber criminals, including state-sponsored actors from Russia, North Korea and elsewhere, are relentless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's roster of experts has substantial experience in crypto-ransomware blocking, removal, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were contributing), thank you for allowing me to get some sleep after we made it past the first week. All of you did a fabulous job, and if anyone that helped is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Bellevue a range of remote monitoring and security assessment services designed to help minimize your exposure to ransomware. These services include behavior-based detection backed by machine learning to catch zero-day ransomware variants that evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that uses SentinelOne's behavioral analysis to defend physical and virtual endpoints against modern malware attacks such as ransomware and phishing payloads, which routinely evade legacy signature-matching AV tools. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform covering the entire attack lifecycle: prevention, detection, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Rollback relies on shadow copies that the attacker has not managed to delete, so it complements, rather than replaces, offline backups. Progent is a certified SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer economical multi-layer protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and machine learning to continuously monitor and respond to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering through technologies combined in a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business design and configure a ProSight ESP environment that addresses your organization's needs and helps you demonstrate compliance with legal and industry data security regulations. Progent will help you specify and implement the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alerts that call for urgent attention. Progent can also help you set up and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup technology providers to create ProSight Data Protection Services (DPS), a family of managed offerings that deliver backup-as-a-service. ProSight DPS products automate and monitor your backup processes and allow transparent backup and fast restoration of vital files and folders, applications, system images, and VMs. ProSight DPS helps your business avoid data loss caused by equipment failures, natural disasters, fire, malware such as ransomware, user error, malicious insiders, or software defects. Managed services in the ProSight DPS line include ProSight Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you identify which of these fully managed services are best suited to your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that combines the technology of top information security vendors to deliver web-based management and world-class protection for your email traffic. Email Guard's layered architecture pairs cloud-based filtering with a local security gateway appliance to provide complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The cloud filter serves as the first barrier and stops the vast majority of threats before they reach your network firewall, which reduces your exposure to inbound attacks and saves bandwidth and storage. Email Guard's on-premises gateway appliance provides a further layer of inspection for incoming email. For outbound email, the onsite gateway provides AV and anti-spam filtering, data leakage protection, and email encryption. The local gateway can also help Microsoft Exchange Server monitor and protect internal email traffic that never leaves your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, track, optimize and troubleshoot their connectivity appliances such as routers and switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, captures and displays the configuration information of virtually all devices on your network, tracks performance, and sends notices when problems are detected. By automating tedious network management processes, WAN Watch can knock hours off ordinary tasks such as making network diagrams, reconfiguring your network, finding appliances that require critical software patches, or isolating performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by tracking the state of the vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alert is transmitted immediately to your designated IT management personnel and your assigned Progent engineering consultant so that any looming issues can be resolved before they disrupt your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-sized business can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be ported easily to a different hardware environment without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect data related to your network infrastructure, processes, applications, and services. You can instantly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By updating and organizing your IT documentation, you can eliminate up to half of the time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents required for managing your business network, such as standard operating procedures (SOPs) and how-to guides. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that uses next-generation behavior-based analysis to defend endpoints, servers and VMs against new malware attacks such as ransomware and phishing payloads, which routinely get past traditional signature-based AV products. The service protects on-premises and cloud-based resources and offers a unified platform covering the entire threat lifecycle: filtering, identification, containment, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Help Desk: Call Center Managed Services
    Progent's Help Desk services let your IT staff offload help desk support to Progent or split support activity seamlessly between your in-house team and Progent's nationwide pool of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk service is a seamless extension of your internal support team. Client interaction with the help desk, delivery of technical assistance, issue escalation, ticket creation and updates, performance measurement, and maintenance of the service database stay consistent whether issues are handled by your internal support staff, by Progent, or by a combination of both. Learn more about Progent's outsourced/shared Help Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide businesses of any size a versatile and affordable alternative for assessing, validating, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT system. Besides optimizing the security and functionality of your computer environment, Progent's software/firmware update management services permit your in-house IT team to concentrate on more strategic projects and activities that deliver maximum business value from your network. Read more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans use Cisco's Duo technology to protect against compromised passwords through two-factor authentication (2FA). Duo enables one-tap identity verification from Apple iOS, Google Android, and other personal devices. With 2FA, after you enter your password for a protected account you are asked to confirm the login on a device that only you possess, over a separate channel from the one carrying the password. A broad range of out-of-band devices can be used for this added factor, such as a smartphone or smartwatch, a hardware token, or a landline phone, and you can enroll several verification devices. To find out more about ProSight Duo identity authentication services, see Duo MFA two-factor authentication services for access security.
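The ProSight ASM entries above describe one-click rollback from Windows Volume Shadow Copies. That rollback only has something to roll back to if the shadow copies survive, and ransomware routinely runs commands to destroy them and disable other recovery paths before it encrypts (MITRE ATT&CK T1490, Inhibit System Recovery). The script below is an added example of detection logic for those commands; it is not SentinelOne's or Progent's detection engine. It matches process-creation command lines against a small rule set and escalates any host on which several distinct recovery-inhibiting commands appear. The one-line log format, the hostnames, the user names and every sample record are constructed for the demonstration; real Windows Security 4688 events or EDR telemetry would need their own parser feeding the same fields.

```python
"""Flag shadow-copy and backup-tampering commands in process-creation logs.

Added example (not SentinelOne's or Progent's detection logic). Endpoint
rollback from Volume Shadow Copies only works if the copies still exist, and
ransomware commonly deletes them before encrypting. The rules below match the
command lines widely documented for that behaviour (MITRE ATT&CK T1490).
"""
import re
from dataclasses import dataclass

# Rule name -> pattern applied to the full command line (case-insensitive).
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin_shrink_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_backup",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wmi_shadowcopy_delete_powershell",
     re.compile(r"Win32_ShadowCopy.*(?:\.Delete\(\)|Remove-WmiObject|Remove-CimInstance)", re.I)),
]

# ASSUMPTION: one simplified record per process creation. A real Windows
# Security 4688 event or EDR feed needs its own parser producing these fields.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Constructed sample records (hosts, users and timing are invented, not from any real incident).
SAMPLE_LOG = r'''
2020-03-13T22:40:00Z host=MFG-SQL02 user=CORP\dbadmin cmd="vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"
2020-03-14T02:13:07Z host=MFG-FS01 user=CORP\svc_backup cmd="vssadmin.exe Delete Shadows /All /Quiet"
2020-03-14T02:13:08Z host=MFG-FS01 user=CORP\svc_backup cmd="wmic.exe shadowcopy delete"
2020-03-14T02:13:09Z host=MFG-FS01 user=CORP\svc_backup cmd="bcdedit.exe /set {default} recoveryenabled No"
2020-03-14T02:13:10Z host=MFG-FS01 user=CORP\svc_backup cmd="wbadmin.exe delete catalog -quiet"
2020-03-14T02:13:11Z host=MFG-FS01 user=CORP\svc_backup cmd="powershell.exe -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
2020-03-14T08:02:44Z host=MFG-WS17 user=CORP\jsmith cmd="vssadmin.exe list shadows"
2020-03-14T08:05:10Z host=MFG-WS17 user=CORP\jsmith cmd="powershell.exe -Command Get-Service"
'''.strip().splitlines()


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str


def parse_line(line: str):
    """Return the record's fields, or None for a line that does not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines) -> list:
    """Apply every rule to every parsable record; one Finding per (record, rule) hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed record: skip it rather than abort the whole scan
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]):
                findings.append(Finding(rec["ts"], rec["host"], rec["user"], name, rec["cmd"]))
    return findings


def summarize(findings) -> dict:
    """Per host: the distinct rules hit and a severity. Several distinct
    recovery-inhibiting commands on one host is the classic pre-encryption
    pattern, so that host is escalated to critical."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return {
        host: {"rules": sorted(rules), "severity": "critical" if len(rules) >= 2 else "high"}
        for host, rules in rules_by_host.items()
    }


if __name__ == "__main__":
    for host, info in summarize(scan(SAMPLE_LOG)).items():
        print(f"{host}: {info['severity']} {info['rules']}")
```

Read-only commands such as `vssadmin list shadows` deliberately do not fire, and a single hit (the shadow-storage shrink on MFG-SQL02) stays at "high" because administrators occasionally run it legitimately; the burst of five different commands on MFG-FS01 within seconds is what should page someone.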
For Bellevue 24-Hour Crypto-Ransomware Recovery Help, contact Progent at 800-462-8800 or go to Contact Progent.