Crypto-Ransomware : Your Feared IT Nightmare
Ransomware  Remediation ProfessionalsRansomware has become an escalating cyber pandemic that presents an extinction-level threat for businesses vulnerable to an assault. Different versions of ransomware like the Reveton, Fusob, Locky, SamSam and MongoLock cryptoworms have been circulating for years and still inflict damage. Recent variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, as well as frequent unnamed viruses, not only encrypt on-line files but also infect many accessible system backup. Information synchronized to the cloud can also be held hostage. In a poorly architected data protection solution, this can make any restore operations useless and basically knocks the entire system back to zero.

Retrieving applications and data after a ransomware outage becomes a race against time as the victim struggles to stop lateral movement, eradicate the ransomware, and restore mission-critical activity. Since crypto-ransomware needs time to spread, attacks are usually launched at night, when successful attacks are likely to take more time to detect. This compounds the difficulty of promptly assembling and organizing a knowledgeable mitigation team.

Progent provides a variety of solutions for securing organizations from crypto-ransomware attacks. These include user training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of the latest generation security appliances with AI capabilities from SentinelOne to detect and suppress new cyber attacks rapidly. Progent also provides the services of experienced crypto-ransomware recovery engineers with the skills and commitment to re-deploy a compromised environment as urgently as possible.

Progent's Ransomware Restoration Services
Following a crypto-ransomware attack, even paying the ransom demands in cryptocurrency does not ensure that cyber criminals will provide the codes to decipher all your information. Kaspersky determined that seventeen percent of ransomware victims never recovered their data after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms are typically a few hundred thousand dollars. For larger organizations, the ransom can be in the millions of dollars. The alternative is to re-install the key elements of your Information Technology environment. Absent access to full system backups, this requires a wide complement of skills, professional project management, and the ability to work non-stop until the task is finished.

For two decades, Progent has provided certified expert IT services for businesses throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have been awarded high-level certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned certifications including CISA, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (See Progent's certifications). Progent in addition has expertise with financial management and ERP application software. This breadth of expertise gives Progent the capability to knowledgably understand important systems and integrate the remaining parts of your network system following a ransomware penetration and rebuild them into a functioning system.

Progent's recovery team of experts utilizes best of breed project management systems to coordinate the complicated recovery process. Progent understands the urgency of acting quickly and together with a client's management and Information Technology team members to prioritize tasks and to get key services back on line as soon as possible.

Customer Story: A Successful Crypto-Ransomware Virus Recovery
A client contacted Progent after their company was taken over by the Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state criminal gangs, possibly using technology exposed from the United States National Security Agency. Ryuk attacks specific businesses with little or no room for disruption and is among the most lucrative iterations of ransomware malware. Major organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturer based in Chicago and has around 500 employees. The Ryuk event had frozen all company operations and manufacturing processes. The majority of the client's data protection had been on-line at the beginning of the intrusion and were destroyed. The client was pursuing financing for paying the ransom demand (more than two hundred thousand dollars) and praying for the best, but in the end engaged Progent.


"I cannot thank you enough in regards to the help Progent provided us during the most critical period of (our) company's life. We had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent experts provided us. The fact that you could get our e-mail system and production servers back into operation quicker than seven days was beyond my wildest dreams. Each expert I got help from or communicated with at Progent was urgently focused on getting my company operational and was working all day and night on our behalf."

Progent worked hand in hand the client to rapidly get our arms around and prioritize the critical applications that had to be recovered in order to resume business functions:

  • Active Directory (AD)
  • Electronic Messaging
  • Financials/MRP
To start, Progent followed ransomware penetration response best practices by isolating and cleaning systems of viruses. Progent then began the steps of recovering Windows Active Directory, the core of enterprise environments built upon Microsoft technology. Exchange messaging will not function without Active Directory, and the businesses' accounting and MRP applications leveraged Microsoft SQL, which requires Active Directory for security authorization to the data.

Within 2 days, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then performed rebuilding and storage recovery of the most important servers. All Exchange ties and attributes were intact, which accelerated the restore of Exchange. Progent was able to find local OST files (Microsoft Outlook Off-Line Folder Files) on user desktop computers and laptops in order to recover mail information. A recent offline backup of the customer's financials/MRP software made them able to restore these required programs back online for users. Although a large amount of work needed to be completed to recover totally from the Ryuk attack, the most important systems were returned to operations quickly:


"For the most part, the manufacturing operation survived unscathed and we did not miss any customer sales."

During the following couple of weeks key milestones in the recovery project were achieved in tight cooperation between Progent team members and the customer:

  • In-house web sites were returned to operation with no loss of data.
  • The MailStore Server exceeding four million archived emails was brought on-line and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were 100 percent operational.
  • A new Palo Alto 850 firewall was installed.
  • 90% of the user PCs were being used by staff.

"A lot of what occurred in the early hours is nearly entirely a haze for me, but my management will not soon forget the commitment each of the team accomplished to help get our company back. I have entrusted Progent for the past ten years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a life saver."

Conclusion
A potential company-ending disaster was evaded through the efforts of top-tier professionals, a broad spectrum of knowledge, and tight collaboration. Although in analyzing the event afterwards the ransomware virus incident detailed here would have been shut down with modern cyber security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and properly executed security procedures for data protection and keeping systems up to date with security patches, the reality is that government-sponsored cyber criminals from China, North Korea and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware penetration, feel confident that Progent's team of professionals has proven experience in ransomware virus defense, mitigation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others who were helping), I'm grateful for letting me get rested after we got past the initial push. All of you did an incredible effort, and if any of your team is around the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Boise a variety of online monitoring and security assessment services to assist you to reduce the threat from ransomware. These services utilize modern machine learning technology to detect zero-day strains of ransomware that can evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior analysis technology to guard physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which routinely escape traditional signature-matching anti-virus products. ProSight ASM protects on-premises and cloud resources and offers a single platform to manage the complete threat progression including blocking, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services deliver ultra-affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge technologies packaged within one agent managed from a unified control. Progent's security and virtualization experts can help you to plan and configure a ProSight ESP environment that meets your organization's unique needs and that helps you demonstrate compliance with government and industry information protection regulations. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate action. Progent can also assist your company to install and test a backup and restore system like ProSight Data Protection Services so you can recover quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore software providers to create ProSight Data Protection Services, a portfolio of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your data backup processes and enable non-disruptive backup and fast recovery of critical files/folders, apps, images, plus virtual machines. ProSight DPS helps your business avoid data loss caused by equipment breakdown, natural calamities, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned employees, or software bugs. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of top information security vendors to provide web-based control and comprehensive security for your inbound and outbound email. The powerful structure of Progent's Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to provide complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter serves as a first line of defense and blocks the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance provides a deeper level of analysis for incoming email. For outgoing email, the onsite gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and safeguard internal email that originates and ends within your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map, monitor, enhance and troubleshoot their connectivity hardware like routers and switches, firewalls, and wireless controllers plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always updated, captures and manages the configuration of virtually all devices on your network, tracks performance, and sends notices when problems are detected. By automating time-consuming management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary tasks such as network mapping, reconfiguring your network, locating appliances that require important updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your network operating efficiently by tracking the state of vital assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT management personnel and your Progent engineering consultant so that all potential issues can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be ported immediately to a different hardware solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect information related to your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates ,domains or warranties. By cleaning up and managing your IT infrastructure documentation, you can save up to half of time wasted trying to find vital information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates next generation behavior analysis tools to defend endpoint devices as well as physical and virtual servers against new malware assaults like ransomware and email phishing, which easily escape traditional signature-matching anti-virus products. Progent ASM services safeguard on-premises and cloud-based resources and offers a unified platform to automate the complete threat progression including blocking, identification, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Read more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Service Desk: Support Desk Managed Services
    Progent's Support Desk managed services enable your information technology team to offload Help Desk services to Progent or split activity for Service Desk support seamlessly between your internal network support resources and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a smooth supplement to your corporate IT support group. End user interaction with the Service Desk, delivery of technical assistance, problem escalation, ticket generation and tracking, performance metrics, and maintenance of the service database are cohesive whether issues are resolved by your core support organization, by Progent, or a mix of the two. Find out more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management offer businesses of any size a flexible and affordable alternative for assessing, validating, scheduling, applying, and tracking updates to your ever-evolving IT network. Besides maximizing the protection and functionality of your IT network, Progent's patch management services allow your IT staff to focus on more strategic projects and activities that deliver the highest business value from your information network. Read more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo authentication managed services incorporate Cisco's Duo technology to protect against stolen passwords by using two-factor authentication. Duo enables single-tap identity confirmation on Apple iOS, Android, and other personal devices. Using Duo 2FA, whenever you log into a secured online account and give your password you are asked to confirm who you are on a device that only you have and that uses a different ("out-of-band") network channel. A wide selection of devices can be utilized as this second means of authentication such as a smartphone or watch, a hardware token, a landline phone, etc. You may register several validation devices. To find out more about Duo identity authentication services, go to Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of in-depth reporting tools designed to work with the industry's leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues like inconsistent support follow-up or machines with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.
For Boise 24x7x365 Crypto-Ransomware Remediation Services, call Progent at 800-462-8800 or go to Contact Progent.