Crypto-Ransomware : Your Feared IT Catastrophe
Crypto-Ransomware  Remediation ConsultantsRansomware has become a modern cyber pandemic that poses an enterprise-level threat for businesses poorly prepared for an attack. Different versions of ransomware like the CryptoLocker, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been out in the wild for many years and continue to cause destruction. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, plus more unnamed viruses, not only do encryption of on-line files but also infect all available system protection. Information synched to cloud environments can also be corrupted. In a vulnerable data protection solution, it can render any restore operations hopeless and basically knocks the datacenter back to square one.

Retrieving programs and information following a ransomware intrusion becomes a sprint against the clock as the targeted business struggles to contain the damage and eradicate the crypto-ransomware and to resume business-critical operations. Since crypto-ransomware needs time to move laterally, attacks are often launched at night, when attacks are likely to take more time to uncover. This multiplies the difficulty of quickly marshalling and organizing a capable mitigation team.

Progent makes available a range of solutions for protecting businesses from ransomware events. These include team member education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to installation of the latest generation security appliances with machine learning capabilities from SentinelOne to identify and disable new threats rapidly. Progent also offers the services of experienced ransomware recovery engineers with the skills and commitment to rebuild a breached system as rapidly as possible.

Progent's Ransomware Recovery Help
Soon after a crypto-ransomware event, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that distant criminals will respond with the needed keys to decipher all your data. Kaspersky Labs ascertained that seventeen percent of ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the average crypto-ransomware demands, which ZDNET averages to be in the range of $13,000. The alternative is to setup from scratch the critical components of your Information Technology environment. Without access to full information backups, this calls for a wide complement of IT skills, top notch project management, and the ability to work 24x7 until the job is finished.

For decades, Progent has made available expert IT services for companies in Broomfield and across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have been awarded high-level certifications in foundation technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally-recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP software solutions. This breadth of experience affords Progent the skills to knowledgably understand critical systems and re-organize the remaining parts of your computer network environment after a ransomware event and rebuild them into an operational network.

Progent's ransomware group utilizes state-of-the-art project management tools to coordinate the complex recovery process. Progent understands the urgency of working quickly and together with a client's management and IT resources to prioritize tasks and to put the most important systems back on line as fast as possible.

Business Case Study: A Successful Ransomware Incident Recovery
A business contacted Progent after their company was attacked by the Ryuk crypto-ransomware. Ryuk is believed to have been deployed by Northern Korean state criminal gangs, possibly adopting techniques exposed from America�s NSA organization. Ryuk seeks specific companies with limited ability to sustain operational disruption and is among the most lucrative incarnations of ransomware viruses. Well Known victims include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business located in Chicago and has around 500 workers. The Ryuk attack had disabled all essential operations and manufacturing processes. Most of the client's data backups had been on-line at the start of the intrusion and were encrypted. The client was evaluating paying the ransom demand (exceeding $200,000) and hoping for the best, but in the end made the decision to use Progent.


"I can�t say enough about the expertise Progent provided us throughout the most critical period of (our) company�s life. We most likely would have paid the Hackers if it wasn�t for the confidence the Progent experts provided us. The fact that you were able to get our e-mail and critical applications back on-line faster than five days was earth shattering. Every single expert I interacted with or texted at Progent was amazingly focused on getting us back on-line and was working non-stop on our behalf."

Progent worked hand in hand the customer to quickly determine and prioritize the critical elements that had to be addressed in order to restart business functions:

  • Windows Active Directory
  • Electronic Messaging
  • Accounting and Manufacturing Software
To start, Progent adhered to ransomware incident response industry best practices by halting the spread and clearing up compromised systems. Progent then initiated the steps of recovering Microsoft Active Directory, the foundation of enterprise networks built upon Microsoft technology. Microsoft Exchange Server messaging will not function without Windows AD, and the customer�s MRP applications used Microsoft SQL Server, which needs Windows AD for access to the databases.

In less than two days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then helped perform rebuilding and storage recovery of needed systems. All Microsoft Exchange Server data and configuration information were intact, which greatly helped the restore of Exchange. Progent was also able to collect local OST data files (Outlook Email Offline Data Files) on various workstations in order to recover email data. A recent off-line backup of the customer�s financials/MRP software made them able to restore these essential programs back online for users. Although a lot of work needed to be completed to recover fully from the Ryuk attack, essential services were returned to operations quickly:


"For the most part, the production manufacturing operation showed little impact and we delivered all customer deliverables."

Over the following couple of weeks key milestones in the recovery project were made in tight collaboration between Progent team members and the client:

  • Internal web applications were returned to operation with no loss of data.
  • The MailStore Microsoft Exchange Server exceeding four million archived messages was brought on-line and available for users.
  • CRM/Product Ordering/Invoicing/AP/AR/Inventory modules were fully operational.
  • A new Palo Alto 850 firewall was brought online.
  • Nearly all of the user workstations were fully operational.

"Much of what transpired in the initial days is mostly a blur for me, but my team will not soon forget the commitment each and every one of the team put in to give us our company back. I have been working together with Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered. This event was the most impressive ever."

Conclusion
A probable business disaster was avoided due to top-tier experts, a wide array of IT skills, and close teamwork. Although in hindsight the ransomware attack detailed here would have been stopped with advanced security technology and security best practices, user training, and properly executed security procedures for information protection and keeping systems up to date with security patches, the fact remains that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware attack, feel confident that Progent's team of experts has a proven track record in ransomware virus blocking, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), thanks very much for allowing me to get rested after we made it through the first week. Everyone did an incredible job, and if anyone is around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Broomfield a range of online monitoring and security assessment services to help you to minimize your vulnerability to ransomware. These services incorporate modern AI capability to detect new variants of ransomware that are able to get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next generation behavior machine learning tools to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which routinely evade traditional signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud resources and offers a unified platform to automate the entire threat lifecycle including protection, detection, containment, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge technologies incorporated within one agent accessible from a single control. Progent's security and virtualization experts can help you to plan and configure a ProSight ESP deployment that addresses your organization's unique requirements and that allows you demonstrate compliance with government and industry data security standards. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require urgent action. Progent can also assist you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup technology companies to produce ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup processes and allow non-disruptive backup and fast recovery of vital files/folders, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business avoid data loss caused by equipment breakdown, natural disasters, fire, malware such as ransomware, human mistakes, malicious employees, or application bugs. Managed backup services available in the ProSight DPS product family include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security vendors to deliver web-based management and world-class protection for your inbound and outbound email. The powerful structure of Email Guard combines cloud-based filtering with an on-premises security gateway device to provide complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer acts as a first line of defense and blocks most unwanted email from making it to your security perimeter. This decreases your exposure to external attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper level of inspection for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also help Exchange Server to monitor and safeguard internal email traffic that originates and ends within your security perimeter. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progents ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to map out, monitor, enhance and debug their networking hardware like switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are kept updated, copies and manages the configuration of almost all devices connected to your network, tracks performance, and generates notices when potential issues are discovered. By automating tedious network management processes, WAN Watch can cut hours off ordinary tasks like making network diagrams, expanding your network, finding appliances that require critical software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progents server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by tracking the health of vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT personnel and your Progent engineering consultant so that any potential problems can be addressed before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Because the system is virtualized, it can be moved easily to an alternate hosting environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and safeguard information related to your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates ,domains or warranties. By updating and organizing your IT documentation, you can save as much as 50% of time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether youre making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates cutting edge behavior-based machine learning tools to guard endpoints as well as servers and VMs against modern malware assaults such as ransomware and email phishing, which easily escape legacy signature-matching AV products. Progent Active Security Monitoring services protect local and cloud resources and offers a single platform to address the entire threat progression including protection, detection, mitigation, cleanup, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new attacks. Find out more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Center: Help Desk Managed Services
    Progent's Help Desk managed services permit your IT group to offload Call Center services to Progent or split activity for Help Desk services seamlessly between your in-house support resources and Progent's extensive pool of certified IT service engineers and subject matter experts. Progent's Shared Service Desk offers a smooth extension of your in-house support team. End user interaction with the Service Desk, delivery of support, problem escalation, trouble ticket creation and updates, performance metrics, and maintenance of the service database are cohesive whether issues are taken care of by your in-house IT support organization, by Progent's team, or both. Learn more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management provide businesses of all sizes a versatile and affordable solution for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving information network. Besides maximizing the security and functionality of your IT network, Progent's software/firmware update management services allow your IT staff to focus on line-of-business projects and tasks that derive maximum business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against stolen passwords by using two-factor authentication. Duo enables one-tap identity verification on Apple iOS, Android, and other personal devices. Using 2FA, whenever you sign into a protected application and give your password you are requested to verify who you are on a unit that only you possess and that uses a separate network channel. A wide selection of out-of-band devices can be used as this second means of authentication including an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may register multiple verification devices. For more information about ProSight Duo identity validation services, go to Duo MFA two-factor authentication (2FA) services for access security.
For 24/7/365 Broomfield Ransomware Removal Services, call Progent at 800-462-8800 or go to Contact Progent.