Ransomware : Your Crippling Information Technology Catastrophe
Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a modern cyberplague that poses an extinction-level threat for businesses of all sizes vulnerable to an attack. Versions of ransomware such as CrySIS, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for many years and still cause damage. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as additional unnamed newcomers, not only encrypt on-line critical data but also infiltrate most configured system protection. Files synched to cloud environments can also be encrypted. In a vulnerable data protection solution, this can make any restoration hopeless and effectively sets the network back to zero.

Recovering applications and information after a ransomware attack becomes a sprint against the clock as the victim tries its best to stop the spread and remove the ransomware and to restore enterprise-critical activity. Since ransomware needs time to move laterally, assaults are usually sprung during weekends and nights, when successful attacks typically take longer to notice. This compounds the difficulty of quickly marshalling and orchestrating a capable response team.

Progent offers a range of support services for protecting enterprises from crypto-ransomware attacks. Among these are team education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of modern security gateways with AI capabilities from SentinelOne to identify and extinguish zero-day cyber threats automatically. Progent also can provide the services of experienced ransomware recovery engineers with the talent and perseverance to reconstruct a breached environment as soon as possible.

Progent's Crypto-Ransomware Restoration Support Services
Soon after a crypto-ransomware penetration, even paying the ransom demands in Bitcoin cryptocurrency does not ensure that criminal gangs will respond with the needed keys to unencrypt all your data. Kaspersky ascertained that seventeen percent of ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is well higher than the average ransomware demands, which ZDNET determined to be around $13,000. The fallback is to piece back together the essential parts of your IT environment. Absent access to full system backups, this calls for a broad range of skills, top notch team management, and the capability to work 24x7 until the recovery project is completed.

For decades, Progent has offered professional Information Technology services for companies in Boise and across the United States and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have attained advanced industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity experts have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience in financial systems and ERP application software. This breadth of experience affords Progent the skills to efficiently understand necessary systems and organize the remaining pieces of your Information Technology system after a crypto-ransomware penetration and rebuild them into an operational network.

Progent's recovery group has state-of-the-art project management applications to coordinate the complicated restoration process. Progent appreciates the importance of acting rapidly and in unison with a client's management and Information Technology resources to assign priority to tasks and to get essential systems back online as soon as possible.

Customer Story: A Successful Ransomware Virus Recovery
A small business engaged Progent after their network was penetrated by Ryuk ransomware. Ryuk is believed to have been developed by North Korean state sponsored hackers, possibly adopting approaches leaked from the United States National Security Agency. Ryuk targets specific businesses with little or no tolerance for operational disruption and is among the most lucrative versions of crypto-ransomware. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business headquartered in Chicago with around 500 staff members. The Ryuk attack had brought down all essential operations and manufacturing capabilities. The majority of the client's data protection had been directly accessible at the beginning of the attack and were damaged. The client was taking steps for paying the ransom (exceeding two hundred thousand dollars) and wishfully thinking for good luck, but ultimately called Progent.


"I cannot thank you enough about the expertise Progent provided us during the most critical time of (our) company's existence. We had little choice but to pay the cyber criminals if not for the confidence the Progent team provided us. The fact that you could get our e-mail and essential servers back into operation faster than five days was amazing. Each expert I spoke to or texted at Progent was absolutely committed on getting my company operational and was working 24 by 7 to bail us out."

Progent worked hand in hand the client to quickly identify and assign priority to the key elements that had to be recovered in order to resume business functions:

  • Active Directory (AD)
  • Exchange Server
  • Financials/MRP
To get going, Progent followed Anti-virus incident response industry best practices by isolating and cleaning up infected systems. Progent then started the steps of recovering Microsoft AD, the foundation of enterprise systems built on Microsoft Windows technology. Exchange messaging will not function without Active Directory, and the businesses' MRP applications utilized Microsoft SQL, which depends on Active Directory for security authorization to the data.

Within 48 hours, Progent was able to rebuild Active Directory to its pre-penetration state. Progent then completed rebuilding and hard drive recovery of essential applications. All Exchange ties and attributes were usable, which accelerated the restore of Exchange. Progent was also able to assemble local OST files (Outlook Offline Folder Files) on staff workstations in order to recover mail messages. A recent offline backup of the customer's accounting/MRP systems made them able to restore these required programs back servicing users. Although a large amount of work needed to be completed to recover completely from the Ryuk damage, critical services were recovered quickly:


"For the most part, the production manufacturing operation never missed a beat and we delivered all customer shipments."

During the next month critical milestones in the restoration process were accomplished in close cooperation between Progent team members and the customer:

  • Self-hosted web sites were restored with no loss of information.
  • The MailStore Exchange Server exceeding four million archived messages was spun up and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control capabilities were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Ninety percent of the desktops and laptops were fully operational.

"A huge amount of what transpired in the early hours is mostly a blur for me, but my team will not soon forget the dedication all of your team accomplished to give us our business back. I've trusted Progent for the past ten years, maybe more, and every time I needed help Progent has shined and delivered as promised. This time was a life saver."

Conclusion
A possible business disaster was avoided with results-oriented professionals, a wide range of knowledge, and close collaboration. Although in retrospect the ransomware virus attack described here would have been prevented with advanced cyber security technology solutions and security best practices, user training, and well designed incident response procedures for data protection and keeping systems up to date with security patches, the reality is that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incursion, feel confident that Progent's team of experts has substantial experience in crypto-ransomware virus defense, mitigation, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were contributing), I'm grateful for allowing me to get some sleep after we made it through the first week. Everyone did an amazing effort, and if anyone is around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Boise a variety of online monitoring and security evaluation services to assist you to minimize the threat from crypto-ransomware. These services include modern artificial intelligence technology to uncover zero-day strains of ransomware that are able to evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next generation behavior-based machine learning tools to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which routinely evade legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to manage the complete malware attack progression including blocking, identification, containment, remediation, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services offer affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint management, and web filtering via leading-edge tools incorporated within a single agent managed from a unified control. Progent's data protection and virtualization consultants can assist you to plan and implement a ProSight ESP deployment that addresses your company's unique needs and that helps you demonstrate compliance with government and industry information security regulations. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for urgent action. Progent's consultants can also help you to set up and verify a backup and restore system like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with advanced backup technology providers to produce ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and enable transparent backup and rapid restoration of critical files/folders, apps, images, and VMs. ProSight DPS helps you protect against data loss resulting from equipment failures, natural calamities, fire, cyber attacks such as ransomware, human error, malicious employees, or software glitches. Managed services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to determine which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top information security vendors to provide centralized control and world-class protection for your inbound and outbound email. The powerful structure of Email Guard managed service integrates cloud-based filtering with a local gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a preliminary barricade and blocks most threats from making it to your network firewall. This reduces your vulnerability to external threats and saves system bandwidth and storage space. Email Guard's onsite gateway device adds a deeper layer of inspection for inbound email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Exchange Server to track and safeguard internal email traffic that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, monitor, enhance and troubleshoot their connectivity hardware such as routers, firewalls, and wireless controllers plus servers, client computers and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are kept updated, captures and manages the configuration information of almost all devices connected to your network, monitors performance, and sends notices when potential issues are discovered. By automating tedious management activities, ProSight WAN Watch can cut hours off ordinary tasks like network mapping, reconfiguring your network, locating appliances that require important updates, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to help keep your IT system operating efficiently by tracking the state of critical assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT management staff and your assigned Progent engineering consultant so that all looming issues can be resolved before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the apps. Because the system is virtualized, it can be moved easily to a different hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect information about your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about impending expirations of SSL certificates or domains. By updating and managing your IT infrastructure documentation, you can eliminate as much as 50% of time thrown away searching for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your network infrastructure like standard operating procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates cutting edge behavior-based machine learning tools to defend endpoint devices and physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-matching AV products. Progent Active Security Monitoring services protect local and cloud resources and provides a unified platform to manage the complete threat progression including filtering, identification, mitigation, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Read more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Service Desk: Support Desk Managed Services
    Progent's Support Desk services allow your information technology group to offload Call Center services to Progent or split activity for support services seamlessly between your internal support team and Progent's extensive pool of IT support engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless supplement to your core network support staff. End user interaction with the Service Desk, delivery of technical assistance, problem escalation, ticket generation and updates, efficiency metrics, and maintenance of the support database are consistent whether issues are resolved by your in-house IT support organization, by Progent's team, or by a combination. Find out more about Progent's outsourced/shared Call Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer organizations of all sizes a flexible and affordable alternative for assessing, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving information network. In addition to optimizing the protection and functionality of your computer environment, Progent's patch management services permit your in-house IT team to focus on more strategic projects and activities that deliver the highest business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication (2FA). Duo enables single-tap identity confirmation on Apple iOS, Android, and other personal devices. Using 2FA, whenever you sign into a secured online account and give your password you are requested to verify who you are on a device that only you have and that uses a different ("out-of-band") network channel. A wide selection of out-of-band devices can be used for this added form of authentication such as an iPhone or Android or watch, a hardware token, a landline phone, etc. You may designate several verification devices. For details about Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing suite of real-time and in-depth reporting plug-ins created to integrate with the leading ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues like spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24-Hour Boise Crypto Recovery Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.