Ransomware : Your Worst IT Nightmare
Ransomware  Recovery ConsultantsRansomware has become an escalating cyberplague that presents an enterprise-level danger for organizations poorly prepared for an assault. Versions of ransomware like the Dharma, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for many years and continue to cause destruction. The latest variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Nephilim, along with frequent unnamed viruses, not only do encryption of online files but also infiltrate many available system backups. Information synched to the cloud can also be ransomed. In a vulnerable environment, this can make automated recovery hopeless and basically sets the entire system back to zero.

Getting back services and data after a crypto-ransomware outage becomes a sprint against the clock as the targeted organization tries its best to stop lateral movement, remove the virus, and resume business-critical activity. Since crypto-ransomware needs time to replicate, assaults are often launched during nights and weekends, when attacks tend to take more time to notice. This multiplies the difficulty of rapidly marshalling and organizing an experienced response team.

Progent makes available a variety of solutions for securing enterprises from crypto-ransomware attacks. These include user training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of next-generation security gateways with machine learning capabilities from SentinelOne to detect and extinguish zero-day cyber threats rapidly. Progent also provides the assistance of expert crypto-ransomware recovery engineers with the track record and perseverance to reconstruct a breached system as urgently as possible.

Progent's Ransomware Recovery Services
Soon after a crypto-ransomware penetration, paying the ransom in cryptocurrency does not guarantee that distant criminals will provide the needed codes to decrypt all your information. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms are often a few hundred thousand dollars. For larger organizations, the ransom can reach millions. The fallback is to re-install the mission-critical elements of your IT environment. Absent the availability of essential data backups, this calls for a broad complement of IT skills, top notch project management, and the willingness to work non-stop until the task is over.

For twenty years, Progent has made available certified expert Information Technology services for businesses throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned advanced certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity specialists have earned internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent in addition has experience with financial management and ERP applications. This breadth of expertise gives Progent the capability to rapidly identify critical systems and organize the surviving pieces of your Information Technology system after a ransomware penetration and configure them into a functioning network.

Progent's security team of experts uses powerful project management tools to orchestrate the complex recovery process. Progent knows the urgency of working quickly and in unison with a customer's management and Information Technology staff to prioritize tasks and to put key services back online as fast as humanly possible.

Case Study: A Successful Crypto-Ransomware Incident Response
A customer hired Progent after their network system was brought down by the Ryuk ransomware virus. Ryuk is thought to have been developed by Northern Korean state criminal gangs, possibly adopting algorithms exposed from America's NSA organization. Ryuk targets specific organizations with limited room for operational disruption and is one of the most profitable versions of ransomware. Headline victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in the Chicago metro area with around 500 staff members. The Ryuk penetration had disabled all company operations and manufacturing capabilities. The majority of the client's data protection had been on-line at the start of the intrusion and were destroyed. The client considered paying the ransom (exceeding two hundred thousand dollars) and wishfully thinking for good luck, but in the end made the decision to use Progent.


"I can't thank you enough about the expertise Progent gave us during the most stressful time of (our) company's survival. We most likely would have paid the cyber criminals behind the attack if not for the confidence the Progent group afforded us. That you were able to get our e-mail system and important servers back online faster than seven days was incredible. Each consultant I interacted with or texted at Progent was laser focused on getting my company operational and was working at all hours on our behalf."

Progent worked together with the customer to rapidly assess and prioritize the key areas that had to be recovered to make it possible to resume departmental functions:

  • Windows Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP
To get going, Progent followed Anti-virus penetration mitigation industry best practices by stopping lateral movement and removing active viruses. Progent then initiated the process of recovering Windows Active Directory, the key technology of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server messaging will not work without AD, and the client's accounting and MRP applications leveraged SQL Server, which depends on Active Directory for authentication to the databases.

Within 2 days, Progent was able to rebuild Active Directory to its pre-virus state. Progent then performed setup and hard drive recovery of mission critical servers. All Microsoft Exchange Server data and attributes were usable, which facilitated the restore of Exchange. Progent was able to find local OST data files (Outlook Email Off-Line Data Files) on staff desktop computers to recover email information. A recent offline backup of the businesses accounting/ERP systems made them able to restore these vital applications back on-line. Although a lot of work remained to recover totally from the Ryuk virus, core systems were restored quickly:


"For the most part, the production operation never missed a beat and we did not miss any customer shipments."

During the next few weeks key milestones in the restoration process were completed through tight cooperation between Progent consultants and the customer:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore Server containing more than 4 million historical messages was brought on-line and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory capabilities were fully recovered.
  • A new Palo Alto 850 security appliance was brought on-line.
  • 90% of the user desktops and notebooks were functioning as before the incident.

"Much of what went on those first few days is mostly a blur for me, but I will not soon forget the urgency all of the team put in to help get our business back. I've utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has come through and delivered. This situation was a life saver."

Conclusion
A potential business extinction catastrophe was dodged through the efforts of results-oriented professionals, a broad array of IT skills, and tight teamwork. Although upon completion of forensics the crypto-ransomware virus incident detailed here could have been stopped with up-to-date cyber security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and appropriate incident response procedures for information backup and keeping systems up to date with security patches, the reality remains that state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are tireless and are not going away. If you do get hit by a ransomware incursion, feel confident that Progent's team of professionals has a proven track record in ransomware virus blocking, mitigation, and file disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get some sleep after we got over the first week. Everyone did an fabulous job, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer case study, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Birmingham a variety of online monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services incorporate modern artificial intelligence capability to detect zero-day strains of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior machine learning tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to address the entire malware attack progression including blocking, identification, containment, remediation, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all attack vectors. ProSight ESP provides two-way firewall protection, penetration alarms, endpoint management, and web filtering through leading-edge tools incorporated within one agent accessible from a single control. Progent's data protection and virtualization experts can help you to design and implement a ProSight ESP environment that meets your company's specific needs and that allows you prove compliance with legal and industry data security standards. Progent will assist you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for immediate attention. Progent's consultants can also assist you to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with leading backup software providers to create ProSight Data Protection Services (DPS), a selection of offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup processes and allow transparent backup and fast recovery of critical files/folders, apps, images, plus VMs. ProSight DPS lets you avoid data loss resulting from equipment breakdown, natural calamities, fire, malware such as ransomware, human mistakes, malicious insiders, or software glitches. Managed services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading information security vendors to deliver centralized control and world-class protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service integrates cloud-based filtering with an on-premises gateway device to provide complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper level of inspection for inbound email. For outgoing email, the local security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The local security gateway can also assist Exchange Server to monitor and safeguard internal email traffic that stays inside your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map out, track, optimize and debug their networking hardware such as routers and switches, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept updated, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends notices when problems are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary chores like network mapping, expanding your network, locating devices that need important updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your network operating efficiently by tracking the health of critical computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT management staff and your assigned Progent engineering consultant so any looming problems can be resolved before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Since the environment is virtualized, it can be moved immediately to an alternate hardware environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and protect information related to your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned about impending expirations of SSLs ,domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as 50% of time spent trying to find vital information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning tools to guard endpoint devices as well as servers and VMs against modern malware attacks like ransomware and email phishing, which routinely get by traditional signature-matching anti-virus products. Progent ASM services protect local and cloud-based resources and provides a single platform to manage the complete malware attack lifecycle including protection, identification, mitigation, cleanup, and forensics. Top features include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Desk: Support Desk Managed Services
    Progent's Call Desk managed services enable your information technology staff to offload Support Desk services to Progent or split activity for support services transparently between your in-house support resources and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a smooth supplement to your internal support resources. End user access to the Service Desk, delivery of support services, problem escalation, trouble ticket generation and tracking, performance metrics, and management of the support database are consistent whether incidents are taken care of by your corporate network support group, by Progent's team, or by a combination. Read more about Progent's outsourced/co-managed Help Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide organizations of all sizes a flexible and affordable alternative for assessing, validating, scheduling, implementing, and tracking updates to your dynamic information system. Besides maximizing the protection and functionality of your computer environment, Progent's patch management services permit your in-house IT team to concentrate on line-of-business projects and activities that derive the highest business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication (2FA). Duo supports single-tap identity confirmation on Apple iOS, Android, and other personal devices. With Duo 2FA, whenever you log into a protected application and give your password you are asked to verify your identity via a unit that only you have and that is accessed using a different network channel. A broad selection of out-of-band devices can be used as this added means of ID validation including an iPhone or Android or wearable, a hardware/software token, a landline telephone, etc. You may register multiple validation devices. For details about ProSight Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing suite of in-depth reporting utilities created to integrate with the leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize key issues such as spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For Birmingham 24/7/365 CryptoLocker Recovery Experts, contact Progent at 800-462-8800 or go to Contact Progent.