Ransomware : Your Crippling IT Nightmare
Crypto-Ransomware  Recovery ExpertsCrypto-Ransomware has become an escalating cyberplague that presents an extinction-level danger for businesses poorly prepared for an attack. Different versions of crypto-ransomware like the Dharma, Fusob, Locky, Syskey and MongoLock cryptoworms have been out in the wild for a long time and continue to cause damage. More recent versions of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as more unnamed malware, not only do encryption of on-line critical data but also infect many accessible system restores and backups. Files synched to off-site disaster recovery sites can also be encrypted. In a poorly architected environment, this can make any restore operations useless and effectively sets the network back to square one.

Restoring applications and data after a ransomware outage becomes a sprint against the clock as the targeted business struggles to stop lateral movement, cleanup the virus, and restore mission-critical activity. Due to the fact that ransomware takes time to spread, attacks are usually sprung during nights and weekends, when penetrations are likely to take longer to notice. This multiplies the difficulty of quickly assembling and organizing a capable response team.

Progent provides a range of solutions for securing businesses from ransomware penetrations. These include team member education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security appliances with artificial intelligence technology from SentinelOne to discover and disable day-zero cyber threats automatically. Progent also offers the services of veteran ransomware recovery professionals with the talent and commitment to reconstruct a compromised network as rapidly as possible.

Progent's Ransomware Restoration Support Services
Following a crypto-ransomware invasion, sending the ransom demands in cryptocurrency does not guarantee that merciless criminals will provide the needed codes to decipher any of your information. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their information even after having paid the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms are commonly several hundred thousand dollars. For larger enterprises, the ransom can reach millions of dollars. The fallback is to re-install the vital elements of your Information Technology environment. Absent access to essential data backups, this requires a wide complement of skill sets, top notch team management, and the capability to work non-stop until the job is completed.

For decades, Progent has provided certified expert Information Technology services for companies throughout the US and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have been awarded high-level certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-recognized certifications including CISA, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (See Progent's certifications). Progent also has experience in financial management and ERP application software. This breadth of expertise affords Progent the skills to knowledgably identify necessary systems and re-organize the remaining components of your IT system following a ransomware attack and assemble them into an operational system.

Progent's security team has powerful project management applications to coordinate the sophisticated restoration process. Progent knows the importance of acting rapidly and in unison with a customer's management and Information Technology resources to assign priority to tasks and to put essential services back online as fast as humanly possible.

Case Study: A Successful Ransomware Incident Restoration
A small business escalated to Progent after their network system was brought down by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state cybercriminals, possibly using technology exposed from America's National Security Agency. Ryuk targets specific businesses with little or no ability to sustain disruption and is one of the most lucrative instances of ransomware. Well Known organizations include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer located in Chicago and has about 500 workers. The Ryuk penetration had frozen all company operations and manufacturing processes. The majority of the client's information backups had been directly accessible at the time of the attack and were destroyed. The client was taking steps for paying the ransom demand (exceeding $200,000) and wishfully thinking for the best, but in the end called Progent.


"I can't say enough in regards to the care Progent gave us throughout the most critical period of (our) businesses life. We would have paid the Hackers if not for the confidence the Progent team afforded us. That you were able to get our e-mail system and production servers back online sooner than five days was something I thought impossible. Every single staff member I got help from or texted at Progent was laser focused on getting my company operational and was working non-stop on our behalf."

Progent worked hand in hand the customer to quickly get our arms around and assign priority to the most important applications that had to be addressed to make it possible to resume company operations:

  • Windows Active Directory
  • E-Mail
  • MRP System
To start, Progent followed ransomware incident response industry best practices by halting lateral movement and removing active viruses. Progent then initiated the task of restoring Windows Active Directory, the heart of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Active Directory, and the businesses' financials and MRP system leveraged SQL Server, which requires Windows AD for access to the database.

In less than 2 days, Progent was able to re-build Active Directory services to its pre-virus state. Progent then assisted with setup and storage recovery of needed servers. All Microsoft Exchange Server data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to assemble intact OST files (Outlook Off-Line Data Files) on team workstations to recover email information. A recent off-line backup of the client's manufacturing systems made it possible to return these vital programs back online for users. Although a large amount of work remained to recover totally from the Ryuk attack, the most important systems were returned to operations quickly:


"For the most part, the production line operation never missed a beat and we produced all customer sales."

During the next few weeks important milestones in the restoration process were accomplished through close collaboration between Progent consultants and the customer:

  • Self-hosted web applications were brought back up with no loss of information.
  • The MailStore Server exceeding four million archived messages was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory Control functions were 100% functional.
  • A new Palo Alto 850 firewall was set up and programmed.
  • Most of the desktop computers were being used by staff.

"So much of what occurred during the initial response is mostly a haze for me, but my team will not forget the commitment all of your team put in to help get our company back. I've trusted Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A likely business-ending catastrophe was avoided by hard-working professionals, a broad spectrum of subject matter expertise, and close teamwork. Although in retrospect the crypto-ransomware attack detailed here would have been blocked with advanced cyber security systems and security best practices, user education, and well thought out incident response procedures for information backup and applying software patches, the fact is that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, feel confident that Progent's roster of professionals has substantial experience in ransomware virus defense, mitigation, and file disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for making it so I could get some sleep after we made it over the first week. Everyone did an impressive job, and if any of your guys is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Broomfield a variety of online monitoring and security assessment services to assist you to reduce the threat from crypto-ransomware. These services incorporate next-generation AI capability to uncover new variants of ransomware that can get past legacy signature-based security products.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system operating at peak levels by checking the health of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT management staff and your assigned Progent consultant so that any looming issues can be addressed before they can disrupt productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight LAN Watch with NinjaOne RMM: Centralized RMM Solution for Networks, Servers, and Desktops
    ProSight LAN Watch with NinjaOne RMM software delivers a centralized, cloud-based solution for managing your client-server infrastructure by providing an environment for performing common time-consuming tasks. These can include health monitoring, patch management, automated remediation, endpoint configuration, backup and recovery, anti-virus response, remote access, built-in and custom scripts, asset inventory, endpoint profile reports, and debugging support. If ProSight LAN Watch with NinjaOne RMM uncovers a serious issue, it transmits an alert to your designated IT personnel and your assigned Progent technical consultant so potential problems can be taken care of before they impact productivity. Find out more details about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring services.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map, track, reconfigure and debug their connectivity hardware like routers and switches, firewalls, and load balancers as well as servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates notices when potential issues are discovered. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off ordinary chores like making network diagrams, expanding your network, finding appliances that need important updates, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding suite of real-time reporting tools designed to work with the leading ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues such as inconsistent support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore software companies to produce ProSight Data Protection Services (DPS), a portfolio of management offerings that provide backup-as-a-service. ProSight DPS products automate and monitor your data backup operations and enable transparent backup and rapid recovery of critical files, apps, system images, plus virtual machines. ProSight DPS lets you protect against data loss resulting from equipment failures, natural disasters, fire, cyber attacks like ransomware, human error, malicious insiders, or application glitches. Managed services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading information security companies to provide centralized management and comprehensive protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and keeps most threats from reaching your security perimeter. This reduces your exposure to external threats and saves system bandwidth and storage. Email Guard's onsite gateway device provides a deeper layer of inspection for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also help Exchange Server to track and protect internal email that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication. Duo enables one-tap identity verification with Apple iOS, Android, and other personal devices. Using Duo 2FA, when you sign into a protected online account and give your password you are asked to verify your identity via a device that only you possess and that uses a different network channel. A broad range of out-of-band devices can be used as this added form of ID validation such as a smartphone or wearable, a hardware/software token, a landline telephone, etc. You can register several verification devices. For more information about Duo identity validation services, refer to Cisco Duo MFA two-factor authentication services.

  • Outsourced/Co-managed Call Center: Call Center Managed Services
    Progent's Help Desk services allow your IT staff to outsource Call Center services to Progent or divide responsibilities for Service Desk support transparently between your internal network support group and Progent's extensive roster of IT service technicians, engineers and subject matter experts. Progent's Shared Service Desk offers a transparent supplement to your internal IT support group. End user interaction with the Service Desk, provision of technical assistance, escalation, ticket creation and tracking, efficiency measurement, and maintenance of the service database are consistent regardless of whether issues are resolved by your corporate network support group, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Help Desk services.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting edge behavior analysis technology to defend endpoint devices and physical and virtual servers against modern malware assaults like ransomware and email phishing, which routinely get by legacy signature-based anti-virus products. Progent ASM services safeguard local and cloud-based resources and provides a single platform to address the complete malware attack lifecycle including filtering, identification, containment, remediation, and post-attack forensics. Key features include single-click rollback using Windows VSS and automatic network-wide immunization against new threats. Find out more about Progent's ransomware defense and cleanup services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and safeguard data about your network infrastructure, processes, business apps, and services. You can instantly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates ,domains or warranties. By updating and managing your network documentation, you can save as much as 50% of time thrown away searching for vital information about your IT network. ProSight IT Asset Management features a common location for storing and collaborating on all documents required for managing your network infrastructure such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Find out more about ProSight IT Asset Management service.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer organizations of any size a flexible and affordable alternative for assessing, testing, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT system. In addition to maximizing the security and reliability of your IT environment, Progent's patch management services permit your in-house IT staff to concentrate on line-of-business initiatives and tasks that derive maximum business value from your network. Find out more about Progent's software/firmware update management support services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system platforms, and the apps. Since the system is virtualized, it can be ported easily to a different hardware environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily get by traditional signature-matching AV tools. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to address the complete malware attack lifecycle including protection, infiltration detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services offer ultra-affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering via leading-edge technologies incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can assist you to plan and implement a ProSight ESP environment that addresses your organization's unique requirements and that helps you achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate action. Progent can also assist your company to set up and verify a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.
For Broomfield 24-Hour Crypto Repair Services, contact Progent at 800-462-8800 or go to Contact Progent.