Ransomware : Your Feared Information Technology Disaster
Ransomware Recovery Consultants

Crypto-ransomware has become an escalating cyberplague that represents an extinction-level danger for businesses vulnerable to an attack. Multiple generations of crypto-ransomware such as CrySIS, WannaCry, Locky, Syskey and MongoLock cryptoworms have been out in the wild for many years and continue to cause destruction. Recent strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit or Egregor, as well as frequent unnamed variants, not only encrypt on-line data but also corrupt most configured system backups. Information replicated to off-site disaster recovery sites can also be ransomed. In a poorly designed data protection solution, this renders automatic restoration useless and effectively knocks the entire system back to zero.

Getting on-line services and data back following a crypto-ransomware outage becomes a race against time as the victim tries to contain and clear the ransomware and to resume business-critical operations. Because crypto-ransomware requires time to move laterally, attacks are usually sprung at night, when they typically take longer to recognize. This multiplies the difficulty of rapidly mobilizing and orchestrating a qualified mitigation team.

Progent has a range of help services for protecting enterprises from ransomware events. These include team training to help identify and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with installation of the latest generation security gateways with artificial intelligence technology from SentinelOne to discover and extinguish zero-day cyber threats automatically. Progent also provides the services of seasoned ransomware recovery consultants with the skills and commitment to rebuild a compromised environment as urgently as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a ransomware attack, paying the ransom in cryptocurrency provides no assurance that the cyber criminals will respond with the keys needed to decrypt any of your information. Kaspersky determined that seventeen percent of ransomware victims never restored their files even after paying the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to average approximately $13,000. The other path is to re-install the critical components of your Information Technology environment. Without access to essential system backups, this calls for a wide range of IT skills, well-coordinated team management, and the ability to work 24x7 until the recovery project is finished.

For twenty years, Progent has provided expert Information Technology services for companies in Brighton and throughout the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded advanced industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally renowned certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial management and ERP application software. This breadth of experience gives Progent the ability to knowledgeably understand important systems, re-organize the surviving components of your computer network environment after a crypto-ransomware attack, and rebuild them into a functioning system.

Progent's ransomware team utilizes top-notch project management tools to coordinate the complex restoration process. Progent knows the importance of acting quickly and working together with a customer's management and IT team members to prioritize tasks and to get essential applications back online as soon as possible.

Client Story: A Successful Ransomware Incident Response
A small business contacted Progent after their network was brought down by Ryuk ransomware. Ryuk is believed to have been launched by North Korean state cybercriminals, possibly using algorithms leaked from the United States NSA organization. Ryuk seeks specific businesses with limited room for disruption and is one of the most profitable versions of crypto-ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing business located in Chicago with about 500 workers. The Ryuk penetration had disabled all essential operations and manufacturing capabilities. Most of the client's system backups had been on-line at the beginning of the intrusion and were damaged. The client considered paying the ransom (exceeding two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.


"I can't speak enough about the help Progent provided us during the most critical time of (our) company's life. We would have paid the cyber criminals if it wasn't for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and production applications back in less than 1 week was something I thought impossible. Each person I talked with or communicated with at Progent was hell-bent on getting my company operational and was working all day and night on our behalf."

Progent worked with the client to rapidly identify and prioritize the essential services that had to be addressed in order to resume departmental functions:

  • Microsoft Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software

To begin, Progent followed ransomware incident response best practices by isolating the affected systems and performing virus removal steps. Progent then began the process of rebuilding Active Directory, the core of enterprise networks built on Microsoft Windows technology. Microsoft Exchange email will not operate without Windows AD, and the business's financials and MRP applications used Microsoft SQL Server, which needs Active Directory for access to the databases.

In less than two days, Progent was able to restore Active Directory to its pre-virus state. Progent then helped perform reinstallations and storage recovery of mission-critical systems. All Exchange Server schema and configuration information was usable, which greatly helped the restoration of Exchange. Progent was able to collect local OST files (Outlook Offline Folder Files) from staff workstations and laptops in order to recover mail data. A recent off-line backup of the business's financials/MRP software made it possible to bring these vital services back to users. Although a lot of work remained to recover completely from the Ryuk virus, critical systems were restored quickly:


"For the most part, the production operation did not miss a beat and we did not miss any customer shipments."

Over the next couple of weeks key milestones in the recovery process were accomplished in close cooperation between Progent team members and the client:

  • In-house web sites were brought back up without losing any information.
  • The MailStore Exchange archive server, holding more than four million archived emails, was brought online and made available to users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables/Inventory capabilities were 100% recovered.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Ninety percent of the user desktops and notebooks were back into operation.

"A lot of what occurred during the initial response is nearly entirely a blur for me, but I will not soon forget the countless hours each and every one of you accomplished to help get our company back. I have been working together with Progent for the past ten years, maybe more, and each time Progent has outperformed my expectations and delivered. This time was a testament to your capabilities."

Conclusion
A likely enterprise-killing catastrophe was dodged thanks to dedicated experts, a wide range of knowledge, and tight teamwork. Forensics completed afterward showed that the crypto-ransomware penetration described here could have been stopped with advanced security solutions and best practices, user and IT administrator education, and properly executed incident response procedures for information protection and software patching. The reality nevertheless remains that government-sponsored cyber criminals from Russia, China and elsewhere are tireless and are not going away. If you do get hit by a ransomware penetration, remember that Progent's team of professionals has proven experience in ransomware virus blocking, removal, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others that were contributing), thank you for allowing me to get some sleep after we made it through the initial push. All of you did an impressive job, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Brighton a variety of online monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services include modern machine learning capability to uncover new strains of ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting-edge behavior-based machine learning technology to guard physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely escape legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a unified platform to manage the entire threat progression including protection, identification, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and reacting to cyber assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge technologies packaged within a single agent managed from a unified control. Progent's security and virtualization experts can assist your business to design and implement a ProSight ESP environment that addresses your company's unique needs and that helps you achieve and demonstrate compliance with government and industry data protection standards. Progent will assist you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent can also help you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with leading backup software companies to produce ProSight Data Protection Services (DPS), a family of management offerings that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup operations and allow transparent backup and fast recovery of important files, apps, images, plus VMs. ProSight DPS helps you avoid data loss resulting from hardware failures, natural disasters, fire, malware such as ransomware, user mistakes, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security companies to provide centralized management and world-class security for all your email traffic. The powerful architecture of Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a first line of defense and blocks most unwanted email from reaching your network firewall. This decreases your exposure to inbound attacks and conserves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper level of analysis for inbound email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also assist Exchange Server to monitor and protect internal email traffic that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map out, monitor, reconfigure and troubleshoot their networking hardware such as routers, firewalls, and load balancers plus servers, printers, client computers and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept updated, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when problems are detected. By automating tedious management processes, ProSight WAN Watch can knock hours off ordinary tasks like network mapping, expanding your network, locating devices that need critical software patches, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management techniques to help keep your IT system operating at peak levels by tracking the state of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT management staff and your Progent consultant so any potential issues can be resolved before they can impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the apps. Because the system is virtualized, it can be ported easily to an alternate hardware environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, retrieve and safeguard data related to your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT documentation, you can eliminate as much as 50% of the time spent trying to find vital information about your network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based machine learning tools to guard endpoints as well as physical and virtual servers against modern malware assaults such as ransomware and email phishing, which easily escape traditional signature-based anti-virus products. Progent Active Security Monitoring services protect on-premises and cloud-based resources and offer a unified platform to automate the entire threat progression including filtering, identification, containment, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Desk: Call Center Managed Services
    Progent's Help Desk services permit your IT group to offload Help Desk services to Progent or split activity for Help Desk services transparently between your in-house network support team and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a smooth extension of your in-house support staff. End user access to the Service Desk, delivery of support, escalation, trouble ticket generation and updates, performance metrics, and management of the service database are consistent regardless of whether incidents are resolved by your internal support staff, by Progent, or a mix of the two. Learn more about Progent's outsourced/shared Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management offer businesses of any size a flexible and affordable alternative for evaluating, testing, scheduling, applying, and documenting updates to your dynamic information network. In addition to maximizing the security and reliability of your computer network, Progent's software/firmware update management services free up time for your IT team to concentrate on line-of-business projects and activities that derive the highest business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo technology to protect against compromised passwords through the use of two-factor authentication. Duo supports single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With 2FA, whenever you log into a protected online account and enter your password you are requested to confirm your identity via a device that only you have and that uses a different ("out-of-band") network channel. A broad selection of devices can be used for this added form of ID validation including a smartphone or watch, a hardware/software token, a landline phone, etc. You can designate several verification devices. For details about Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding line of real-time management reporting utilities designed to work with the industry's leading ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues like spotty support follow-up or machines with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.

For 24/7/365 Brighton Crypto-Ransomware Cleanup Consultants, call Progent at 800-462-8800 or go to Contact Progent.