Ransomware : Your Crippling Information Technology Catastrophe
Ransomware  Recovery ExpertsRansomware has become a modern cyber pandemic that represents an enterprise-level danger for businesses of all sizes unprepared for an attack. Versions of ransomware such as CrySIS, Fusob, Locky, NotPetya and MongoLock cryptoworms have been running rampant for many years and continue to cause destruction. Newer strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, along with frequent unnamed viruses, not only do encryption of online data files but also infiltrate all configured system protection. Files synched to the cloud can also be rendered useless. In a vulnerable data protection solution, this can make any recovery hopeless and effectively knocks the entire system back to zero.

Restoring applications and data after a ransomware event becomes a race against time as the targeted organization fights to contain and eradicate the crypto-ransomware and to resume enterprise-critical operations. Due to the fact that ransomware requires time to move laterally, assaults are usually sprung during weekends and nights, when penetrations may take longer to detect. This compounds the difficulty of quickly assembling and orchestrating a knowledgeable mitigation team.

Progent provides a range of solutions for protecting enterprises from ransomware penetrations. Among these are staff training to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation security gateways with artificial intelligence technology from SentinelOne to discover and quarantine new cyber threats automatically. Progent in addition offers the assistance of expert ransomware recovery consultants with the talent and commitment to restore a compromised network as quickly as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a crypto-ransomware attack, sending the ransom demands in cryptocurrency does not ensure that distant criminals will provide the codes to decipher any or all of your information. Kaspersky estimated that seventeen percent of ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the usual crypto-ransomware demands, which ZDNET averages to be in the range of $13,000. The fallback is to setup from scratch the essential components of your Information Technology environment. Absent the availability of complete information backups, this requires a wide range of skills, top notch team management, and the willingness to work 24x7 until the recovery project is complete.

For decades, Progent has made available expert Information Technology services for companies in Brighton and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have been awarded top industry certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience with accounting and ERP software solutions. This breadth of experience affords Progent the capability to knowledgably understand important systems and consolidate the remaining parts of your network system following a ransomware attack and rebuild them into an operational network.

Progent's ransomware group deploys best of breed project management tools to coordinate the sophisticated recovery process. Progent appreciates the urgency of acting swiftly and in concert with a client's management and IT resources to assign priority to tasks and to get key services back online as fast as humanly possible.

Client Case Study: A Successful Ransomware Intrusion Restoration
A business engaged Progent after their network system was crashed by the Ryuk ransomware. Ryuk is believed to have been developed by Northern Korean state sponsored criminal gangs, possibly adopting algorithms leaked from the United States National Security Agency. Ryuk seeks specific organizations with little ability to sustain disruption and is among the most profitable examples of ransomware. Well Known organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing company based in Chicago and has about 500 workers. The Ryuk attack had paralyzed all company operations and manufacturing capabilities. Most of the client's information backups had been directly accessible at the time of the attack and were encrypted. The client considered paying the ransom demand (more than $200K) and wishfully thinking for the best, but ultimately utilized Progent.


"I can�t tell you enough in regards to the expertise Progent gave us during the most critical period of (our) company�s life. We had little choice but to pay the cyber criminals if not for the confidence the Progent team provided us. The fact that you were able to get our messaging and key servers back on-line in less than one week was something I thought impossible. Each expert I worked with or texted at Progent was hell bent on getting my company operational and was working non-stop to bail us out."

Progent worked together with the customer to rapidly assess and prioritize the essential elements that needed to be restored in order to continue business operations:

  • Active Directory (AD)
  • Exchange Server
  • MRP System
To get going, Progent adhered to ransomware event mitigation industry best practices by stopping lateral movement and clearing up compromised systems. Progent then began the steps of restoring Microsoft AD, the key technology of enterprise networks built upon Microsoft technology. Microsoft Exchange Server email will not operate without AD, and the businesses� financials and MRP applications utilized Microsoft SQL Server, which requires Active Directory for authentication to the information.

Within 2 days, Progent was able to restore Active Directory to its pre-penetration state. Progent then initiated rebuilding and storage recovery of mission critical applications. All Microsoft Exchange Server schema and attributes were usable, which facilitated the rebuild of Exchange. Progent was also able to assemble local OST data files (Outlook Offline Data Files) on user workstations and laptops to recover mail messages. A recent offline backup of the businesses accounting software made them able to restore these vital services back available to users. Although a large amount of work still had to be done to recover totally from the Ryuk virus, essential services were restored rapidly:


"For the most part, the assembly line operation ran fairly normal throughout and we did not miss any customer shipments."

Over the following couple of weeks important milestones in the restoration process were made in tight collaboration between Progent consultants and the customer:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Exchange Server containing more than four million historical messages was brought online and accessible to users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory functions were 100% operational.
  • A new Palo Alto 850 security appliance was brought on-line.
  • 90% of the user desktops and notebooks were functioning as before the incident.

"Much of what was accomplished in the early hours is nearly entirely a blur for me, but my management will not forget the care each and every one of your team accomplished to help get our business back. I�ve trusted Progent for at least 10 years, possibly more, and each time Progent has come through and delivered as promised. This time was a testament to your capabilities."

Conclusion
A possible business extinction catastrophe was evaded by top-tier professionals, a wide array of technical expertise, and close teamwork. Although in retrospect the crypto-ransomware virus attack described here would have been identified and stopped with advanced security systems and recognized best practices, staff education, and properly executed incident response procedures for information backup and applying software patches, the reality is that government-sponsored hackers from Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware incursion, feel confident that Progent's team of experts has substantial experience in ransomware virus blocking, mitigation, and file restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for making it so I could get some sleep after we got past the most critical parts. All of you did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Brighton a range of remote monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services utilize next-generation artificial intelligence capability to uncover zero-day strains of ransomware that are able to evade legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting edge behavior machine learning technology to guard physical and virtual endpoint devices against new malware assaults such as ransomware and email phishing, which routinely evade traditional signature-matching AV products. ProSight ASM safeguards local and cloud-based resources and provides a single platform to manage the entire malware attack progression including filtering, detection, containment, remediation, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, penetration alerts, endpoint management, and web filtering via leading-edge technologies packaged within one agent managed from a unified control. Progent's data protection and virtualization consultants can help you to plan and configure a ProSight ESP deployment that meets your organization's unique requirements and that helps you prove compliance with legal and industry data security regulations. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent action. Progent's consultants can also help you to install and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup software companies to produce ProSight Data Protection Services (DPS), a portfolio of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup operations and allow transparent backup and rapid restoration of important files, applications, system images, and virtual machines. ProSight DPS lets your business recover from data loss caused by hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, human error, ill-intentioned insiders, or software glitches. Managed backup services available in the ProSight DPS portfolio include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to determine which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security companies to deliver centralized control and world-class security for all your inbound and outbound email. The hybrid structure of Email Guard managed service integrates cloud-based filtering with an on-premises security gateway appliance to offer advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a first line of defense and blocks most threats from making it to your network firewall. This decreases your exposure to external threats and saves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a deeper level of inspection for incoming email. For outgoing email, the on-premises gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server to monitor and safeguard internal email that stays inside your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progents ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller organizations to diagram, track, optimize and debug their networking hardware such as routers, firewalls, and access points as well as servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are always updated, captures and manages the configuration of virtually all devices on your network, tracks performance, and generates alerts when issues are detected. By automating tedious management and troubleshooting processes, WAN Watch can cut hours off ordinary chores such as network mapping, expanding your network, finding appliances that need critical updates, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progents server and desktop remote monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your network operating at peak levels by tracking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your specified IT personnel and your assigned Progent consultant so that any looming issues can be addressed before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be ported immediately to a different hardware environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect data about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSLs or domains. By cleaning up and organizing your network documentation, you can eliminate up to 50% of time thrown away searching for vital information about your network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents required for managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT information. Whether youre planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting edge behavior analysis technology to guard endpoint devices and physical and virtual servers against modern malware attacks such as ransomware and email phishing, which routinely evade legacy signature-based anti-virus products. Progent ASM services protect on-premises and cloud resources and provides a unified platform to manage the entire threat progression including filtering, infiltration detection, containment, remediation, and post-attack forensics. Top features include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Service Desk: Support Desk Managed Services
    Progent's Support Desk managed services enable your IT staff to offload Call Center services to Progent or split responsibilities for support services transparently between your internal network support staff and Progent's nationwide pool of IT support engineers and subject matter experts. Progent's Shared Service Desk provides a seamless supplement to your corporate IT support team. Client access to the Service Desk, delivery of technical assistance, issue escalation, trouble ticket creation and updates, performance measurement, and maintenance of the support database are consistent whether incidents are resolved by your core network support staff, by Progent, or a mix of the two. Find out more about Progent's outsourced/shared Call Center services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management provide organizations of all sizes a flexible and affordable alternative for evaluating, validating, scheduling, implementing, and documenting updates to your ever-evolving information network. In addition to optimizing the security and functionality of your computer environment, Progent's patch management services permit your in-house IT team to concentrate on line-of-business projects and tasks that deliver maximum business value from your network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against stolen passwords by using two-factor authentication. Duo supports one-tap identity verification with Apple iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected online account and give your password you are requested to verify your identity via a unit that only you have and that uses a different ("out-of-band") network channel. A wide selection of out-of-band devices can be utilized for this second means of ID validation including a smartphone or wearable, a hardware token, a landline phone, etc. You can register multiple verification devices. For more information about Duo identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services.
For Brighton 24/7/365 Crypto Remediation Services, contact Progent at 800-462-8800 or go to Contact Progent.