Ransomware: Your Worst IT Disaster
Ransomware Recovery Professionals
Ransomware has become an escalating cyber pandemic that presents an enterprise-level danger for businesses unprepared for an attack. Multiple generations of crypto-ransomware such as CrySIS, WannaCry, Locky, SamSam and MongoLock cryptoworms have been around for a long time and still inflict damage. More recent ransomware families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Egregor, along with frequent unnamed viruses, not only encrypt critical online data but also infiltrate every available system protection. Data replicated to the cloud can also be encrypted. In a poorly architected system, this can render automated restoration useless and effectively sets the network back to square one.

Getting programs and information back after a crypto-ransomware attack becomes a sprint against the clock as the victim fights to stop lateral movement, remove the virus, and resume business-critical activity. Because ransomware requires time to replicate, attacks are often launched at night, when successful penetrations are likely to take longer to uncover. This compounds the difficulty of quickly assembling and organizing a knowledgeable mitigation team.

Progent provides a range of solutions for securing organizations from ransomware attacks. Among these are user education to recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of next-generation security solutions with AI capabilities from SentinelOne to detect and suppress zero-day cyber threats automatically. Progent also provides the assistance of veteran ransomware recovery professionals with the track record and commitment to reconstruct a compromised network as rapidly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that criminal gangs will provide the keys needed to decrypt all your data. Kaspersky determined that 17% of crypto-ransomware victims never recovered their files after having paid the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is well above the typical ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to re-install the essential parts of your IT environment. Without access to complete backups, this requires a wide range of skill sets, professional project management, and the willingness to work 24x7 until the job is complete.

For two decades, Progent has provided certified expert Information Technology services for businesses in Bristol and across the US and has earned Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained advanced certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security consultants have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP applications. This breadth of expertise allows Progent to quickly identify critical systems, organize the surviving components of your network environment following a ransomware penetration, and rebuild them into a functioning network.

Progent's security group uses state-of-the-art project management applications to coordinate the complicated recovery process. Progent appreciates the urgency of acting quickly and in concert with a client's management and IT resources to assign priority to tasks and to get essential applications back on-line as soon as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Attack Recovery
A small business engaged Progent after their network was penetrated by Ryuk ransomware. Ryuk is believed to have been launched by North Korean state cybercriminals, suspected of adopting techniques leaked from America's National Security Agency. Ryuk targets specific organizations with little room for operational disruption and is one of the most profitable instances of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing company located in the Chicago metro area with about 500 staff members. The Ryuk intrusion had disabled all company operations and manufacturing processes. Most of the client's backup data was online at the time of the intrusion and was eventually encrypted. The client was actively seeking loans to pay the ransom demand (exceeding $200,000) and praying for the best, but ultimately called Progent.


"I can't tell you enough about the help Progent gave us throughout the most critical period of (our) company's life. We most likely would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent experts afforded us. The fact that you could get our e-mail and critical applications back on-line sooner than five days was incredible. Every single expert I talked with or communicated with at Progent was hell bent on getting our system up and was working day and night on our behalf."

Progent worked together with the customer to rapidly assess and assign priority to the critical areas that had to be restored to make it possible to restart company functions:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software
To begin, Progent followed ransomware incident response best practices by stopping the spread and cleaning up infected systems. Progent then began the process of bringing Microsoft Active Directory back online, the heart of enterprise networks built on Microsoft Windows technology. Microsoft Exchange messaging will not operate without AD, and the customer's MRP applications used Microsoft SQL Server, which requires Windows AD for authentication to the data.

In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-penetration state. Progent then initiated reinstallations and storage recovery of essential systems. All Exchange ties and configuration information were usable, which greatly helped the restoration of Exchange. Progent was also able to find non-encrypted OST data files (Microsoft Outlook Offline Folder Files) on user PCs in order to recover mail data. A reasonably recent offline backup of the client's accounting/ERP software made it possible to bring these essential applications back to users. Although significant work remained to recover completely from the Ryuk attack, essential services were restored quickly:
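The mail recovery step above depended on telling intact OST files on user PCs apart from ones the ransomware had already encrypted. The following script is an added illustration of that triage and is not Progent's code or tooling. It checks the leading bytes of each candidate file for the `!BDN` signature and client marker that the MS-PST file format specification defines at the start of a PST/OST file (the `SO` marker for OST is an assumption here), and falls back to a byte-entropy measurement, since ciphertext shows near-maximal entropy while a genuine header does not. The sample files it builds are constructed for the demonstration; the threshold, function names and the directory layout are assumptions.

```python
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Offsets and values from the NDB header of the MS-PST file format specification.
PST_MAGIC = b"!BDN"                           # dwMagic at offset 0 for PST/OST files
CLIENT_MAGIC = {b"SM": "PST", b"SO": "OST"}   # wMagicClient at offset 8 ("SO" for OST is an assumption)
HEADER_SAMPLE = 4096                          # bytes examined per file
ENTROPY_THRESHOLD = 7.5                       # bits/byte; ciphertext sits near 8.0, real headers far below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_mailbox_file(data: bytes) -> dict:
    """Classify a candidate OST/PST from its leading bytes.

    'intact'           -> PST/OST signature present, file worth recovering
    'likely_encrypted' -> signature gone and content looks like ciphertext
    'unrecognized'     -> neither (truncated, corrupt, or not a mailbox file)
    """
    sample = data[:HEADER_SAMPLE]
    entropy = round(shannon_entropy(sample), 2)
    if sample[:4] == PST_MAGIC:
        kind = CLIENT_MAGIC.get(sample[8:10], "unknown")
        return {"status": "intact", "format": kind, "entropy": entropy}
    if entropy >= ENTROPY_THRESHOLD:
        return {"status": "likely_encrypted", "format": None, "entropy": entropy}
    return {"status": "unrecognized", "format": None, "entropy": entropy}


def scan_for_mailbox_files(root: str) -> list:
    """Walk a mounted user profile or workstation export and classify every .ost/.pst found."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".ost", ".pst"):
            with open(path, "rb") as fh:
                head = fh.read(HEADER_SAMPLE)
            results.append({"path": str(path), **classify_mailbox_file(head)})
    return results


def build_intact_header() -> bytes:
    """Constructed sample: minimal header carrying the PST/OST magic values, rest zeroed."""
    return PST_MAGIC + b"\x00\x00\x00\x00" + b"SO" + b"\x00" * (HEADER_SAMPLE - 10)


def build_encrypted_sample() -> bytes:
    """Constructed sample: deterministic pseudo-random bytes standing in for ciphertext."""
    rng = random.Random(1)
    return bytes(rng.getrandbits(8) for _ in range(HEADER_SAMPLE))


if __name__ == "__main__":
    # Demo on a temporary directory standing in for a collected user profile.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Outlook"))
        with open(os.path.join(root, "Outlook", "user@example.ost"), "wb") as fh:
            fh.write(build_intact_header())
        with open(os.path.join(root, "Outlook", "archive.pst"), "wb") as fh:
            fh.write(build_encrypted_sample())
        for entry in scan_for_mailbox_files(root):
            print(f"{entry['status']:<17} {entry['format'] or '-':<5} "
                  f"entropy={entry['entropy']:<5} {entry['path']}")
```

Only the first 4 KiB of each file is read, so the scan is cheap enough to run across every workstation export before deciding which mail stores to ingest; an "intact" result still needs to be validated by opening the file in Outlook or an import tool, since the check only proves the header survived.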


"For the most part, the production operation ran fairly normal throughout and we produced all customer deliverables."

Throughout the following month, key milestones in the restoration project were accomplished through tight cooperation between Progent consultants and the client:

  • In-house web applications were restored without losing any data.
  • The MailStore Exchange Server containing more than four million archived messages was brought online and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory capabilities were completely restored.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Nearly all of the user workstations were fully operational.

"A huge amount of what occurred in the early hours is mostly a fog for me, but our team will not forget the countless hours each of you put in to help get our company back. I've entrusted Progent for the past ten years, possibly more, and each time Progent has shined and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A probable business-ending catastrophe was averted by hard-working experts, a wide spectrum of knowledge, and close collaboration. Forensics completed afterwards showed that the ransomware attack detailed here would have been identified and prevented with advanced security technology and recognized best practices, staff training, and appropriate security procedures for data protection and keeping systems up to date with security patches; the fact remains, however, that state-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, remember that Progent's roster of professionals has extensive experience in crypto-ransomware defense, cleanup, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for making it so I could get rested after we got over the initial fire. Everyone did an amazing effort, and if anyone is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Bristol a range of remote monitoring and security evaluation services designed to assist you to reduce your vulnerability to crypto-ransomware. These services incorporate modern artificial intelligence technology to uncover zero-day variants of ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next generation behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which routinely evade traditional signature-matching anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and offers a unified platform to automate the complete threat lifecycle including blocking, infiltration detection, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through cutting-edge tools incorporated within a single agent accessible from a single console. Progent's security and virtualization experts can assist your business to design and configure a ProSight ESP environment that meets your company's unique needs and that allows you to achieve and demonstrate compliance with legal and industry information protection standards. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require immediate attention. Progent's consultants can also help your company to install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with advanced backup/restore software providers to create ProSight Data Protection Services (DPS), a portfolio of management offerings that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup processes and enable non-disruptive backup and fast recovery of important files/folders, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you avoid data loss caused by equipment breakdown, natural disasters, fire, malware like ransomware, human mistakes, malicious employees, or software glitches. Managed backup services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to determine which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top data security vendors to provide web-based control and world-class security for all your inbound and outbound email. The powerful structure of Email Guard managed service combines a Cloud Protection Layer with a local gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email from making it to your security perimeter. This decreases your vulnerability to inbound attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper layer of analysis for incoming email. For outgoing email, the local security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that stays inside your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller businesses to map, monitor, optimize and troubleshoot their connectivity hardware such as routers, firewalls, and wireless controllers as well as servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept current, captures and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when potential issues are discovered. By automating time-consuming network management processes, WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, locating appliances that need critical updates, or identifying the cause of performance problems. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management techniques to help keep your network operating efficiently by tracking the state of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT management staff and your assigned Progent engineering consultant so any potential problems can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be ported easily to a different hardware solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect data about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save as much as half of the time wasted searching for critical information about your network. ProSight IT Asset Management features a common repository for storing and sharing all documents related to managing your business network like recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes cutting-edge behavior analysis technology to defend endpoint devices as well as servers and VMs against new malware attacks such as ransomware and file-less exploits, which routinely get by legacy signature-based AV tools. Progent Active Security Monitoring services safeguard local and cloud resources and provide a single platform to address the complete malware attack lifecycle including filtering, infiltration detection, containment, remediation, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Find out more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
    Progent's Help Center services enable your IT team to outsource Call Center services to Progent or split activity for support services transparently between your in-house network support team and Progent's extensive pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a seamless extension of your in-house support team. Client access to the Service Desk, provision of support, problem escalation, ticket creation and tracking, performance measurement, and management of the service database are cohesive whether issues are resolved by your in-house network support staff, by Progent's team, or both. Read more about Progent's outsourced/shared Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a versatile and affordable solution for assessing, testing, scheduling, applying, and tracking software and firmware updates to your ever-evolving IT system. In addition to optimizing the protection and reliability of your computer network, Progent's patch management services permit your IT team to concentrate on line-of-business projects and activities that deliver maximum business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication services incorporate Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication (2FA). Duo supports one-tap identity verification on Apple iOS, Google Android, and other personal devices. Using Duo 2FA, whenever you log into a protected online account and give your password, you are requested to confirm who you are via a device that only you possess and that uses a different network channel. A broad selection of devices can be utilized for this added form of authentication, including an iPhone or Android or wearable, a hardware/software token, a landline telephone, etc. You may register multiple validation devices. To find out more about Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time and in-depth reporting plug-ins created to integrate with the leading ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-up or machines with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

For 24x7x365 Bristol Crypto-Ransomware Removal Experts, contact Progent at 800-462-8800 or go to Contact Progent.