Ransomware : Your Feared Information Technology Disaster
Ransomware  Recovery ExpertsCrypto-Ransomware has become an escalating cyberplague that poses an enterprise-level threat for businesses of all sizes unprepared for an assault. Versions of crypto-ransomware like the CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for years and still cause havoc. The latest versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, plus frequent as yet unnamed malware, not only do encryption of on-line information but also infect all configured system restores and backups. Information synched to cloud environments can also be corrupted. In a poorly architected data protection solution, this can make automatic restore operations impossible and basically knocks the network back to zero.

Retrieving programs and data following a crypto-ransomware attack becomes a race against the clock as the targeted organization tries its best to contain, cleanup the crypto-ransomware, and restore mission-critical activity. Due to the fact that ransomware needs time to replicate, assaults are frequently sprung on weekends, when penetrations may take more time to identify. This multiplies the difficulty of quickly marshalling and coordinating a qualified response team.

Progent makes available a range of support services for protecting enterprises from ransomware penetrations. These include staff education to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security appliances with AI technology from SentinelOne to detect and quarantine zero-day cyber threats intelligently. Progent in addition offers the assistance of seasoned ransomware recovery engineers with the talent and perseverance to re-deploy a compromised network as urgently as possible.

Progent's Ransomware Recovery Support Services
Subsequent to a ransomware penetration, even paying the ransom demands in cryptocurrency does not guarantee that distant criminals will provide the needed keys to decrypt any of your information. Kaspersky determined that 17% of ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms are typically several hundred thousand dollars. For larger organizations, the ransom demand can reach millions. The alternative is to piece back together the essential parts of your IT environment. Without access to essential data backups, this requires a broad complement of skills, top notch team management, and the capability to work non-stop until the job is completed.

For two decades, Progent has offered professional Information Technology services for businesses throughout the U.S. and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who have earned top industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized certifications including CISM, CISSP, CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications). Progent also has expertise with financial systems and ERP applications. This breadth of expertise gives Progent the skills to rapidly determine critical systems and integrate the remaining parts of your Information Technology environment after a ransomware penetration and assemble them into an operational system.

Progent's recovery group deploys powerful project management tools to orchestrate the complicated restoration process. Progent understands the urgency of working rapidly and together with a client's management and Information Technology staff to prioritize tasks and to get critical services back on line as soon as humanly possible.

Customer Story: A Successful Ransomware Penetration Recovery
A business engaged Progent after their network system was attacked by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government sponsored cybercriminals, suspected of using techniques exposed from America's NSA organization. Ryuk goes after specific organizations with little or no tolerance for operational disruption and is among the most lucrative examples of ransomware viruses. High publicized organizations include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in the Chicago metro area with around 500 staff members. The Ryuk intrusion had paralyzed all essential operations and manufacturing processes. Most of the client's data protection had been on-line at the beginning of the intrusion and were eventually encrypted. The client was taking steps for paying the ransom (in excess of $200K) and wishfully thinking for the best, but in the end called Progent.


"I cannot thank you enough in regards to the expertise Progent provided us during the most stressful time of (our) businesses existence. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent team provided us. The fact that you were able to get our e-mail and essential servers back sooner than 1 week was something I thought impossible. Every single person I talked with or messaged at Progent was totally committed on getting us back online and was working all day and night to bail us out."

Progent worked together with the client to quickly understand and assign priority to the essential systems that needed to be addressed in order to continue company operations:

  • Microsoft Active Directory
  • Exchange Server
  • MRP System
To start, Progent followed ransomware incident response best practices by halting lateral movement and cleaning up infected systems. Progent then began the task of bringing back online Microsoft Active Directory, the key technology of enterprise systems built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not work without Windows AD, and the customer's MRP system utilized Microsoft SQL, which needs Windows AD for authentication to the information.

Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then assisted with rebuilding and hard drive recovery on the most important systems. All Exchange data and configuration information were usable, which greatly helped the restore of Exchange. Progent was able to locate local OST files (Outlook Offline Data Files) on user PCs in order to recover email information. A not too old off-line backup of the client's accounting systems made them able to return these essential programs back available to users. Although significant work needed to be completed to recover totally from the Ryuk attack, core services were restored rapidly:


"For the most part, the production operation showed little impact and we delivered all customer shipments."

Over the next month critical milestones in the recovery process were completed in close collaboration between Progent engineers and the customer:

  • In-house web applications were restored without losing any information.
  • The MailStore Microsoft Exchange Server containing more than 4 million archived emails was brought online and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory capabilities were fully operational.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Most of the user desktops and notebooks were operational.

"A lot of what occurred in the early hours is nearly entirely a blur for me, but I will not forget the dedication each and every one of the team accomplished to give us our business back. I have been working with Progent for the past 10 years, possibly more, and every time Progent has come through and delivered. This situation was the most impressive ever."

Conclusion
A potential business-ending disaster was avoided with top-tier professionals, a wide array of technical expertise, and tight collaboration. Although in hindsight the crypto-ransomware virus attack detailed here should have been identified and blocked with advanced cyber security solutions and ISO/IEC 27001 best practices, staff training, and properly executed incident response procedures for information backup and applying software patches, the reality remains that government-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware virus, remember that Progent's team of professionals has extensive experience in crypto-ransomware virus blocking, cleanup, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were contributing), thank you for making it so I could get rested after we made it past the initial push. Everyone did an impressive effort, and if anyone that helped is visiting the Chicago area, dinner is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Cabo Frio a portfolio of remote monitoring and security assessment services designed to help you to minimize your vulnerability to ransomware. These services include next-generation AI capability to detect zero-day variants of ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running at peak levels by checking the state of critical assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your specified IT management personnel and your Progent consultant so that any looming problems can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight LAN Watch with NinjaOne RMM: Centralized RMM Solution for Networks, Servers, and Workstations
    ProSight LAN Watch with NinjaOne RMM software offers a centralized, cloud-based platform for managing your client-server infrastructure by offering an environment for streamlining common tedious jobs. These can include health monitoring, update management, automated repairs, endpoint configuration, backup and restore, anti-virus protection, remote access, standard and custom scripts, resource inventory, endpoint status reporting, and troubleshooting support. If ProSight LAN Watch with NinjaOne RMM spots a serious problem, it transmits an alarm to your designated IT management staff and your Progent consultant so that emerging issues can be fixed before they interfere with productivity. Find out more details about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring services.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to diagram, monitor, optimize and debug their networking appliances like routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network maps are always current, copies and manages the configuration of almost all devices connected to your network, tracks performance, and sends notices when problems are discovered. By automating time-consuming network management processes, WAN Watch can cut hours off ordinary chores such as making network diagrams, reconfiguring your network, finding appliances that require critical software patches, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time and in-depth reporting tools created to integrate with the industry's top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues like spotty support follow-through or machines with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has worked with leading backup software companies to create ProSight Data Protection Services, a selection of management offerings that provide backup-as-a-service (BaaS). ProSight DPS products automate and track your backup processes and allow transparent backup and fast recovery of critical files/folders, applications, images, and virtual machines. ProSight DPS helps you recover from data loss resulting from hardware failures, natural calamities, fire, malware like ransomware, user mistakes, malicious insiders, or software bugs. Managed backup services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can assist you to identify which of these fully managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top data security vendors to provide web-based control and comprehensive protection for all your email traffic. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises gateway device to offer complete protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter serves as a first line of defense and blocks most unwanted email from reaching your security perimeter. This decreases your vulnerability to external threats and conserves system bandwidth and storage. Email Guard's on-premises security gateway appliance provides a deeper layer of analysis for incoming email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to track and safeguard internal email that originates and ends inside your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication services utilize Cisco's Duo technology to protect against compromised passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity verification on Apple iOS, Android, and other out-of-band devices. Using 2FA, when you sign into a secured online account and give your password you are requested to confirm your identity via a device that only you possess and that is accessed using a different ("out-of-band") network channel. A broad selection of devices can be utilized as this second means of authentication including a smartphone or watch, a hardware token, a landline telephone, etc. You can register multiple verification devices. For details about Duo two-factor identity authentication services, go to Duo MFA two-factor authentication (2FA) services for access security.

  • Progent's Outsourced/Shared Call Desk: Call Center Managed Services
    Progent's Help Desk services allow your information technology team to outsource Call Center services to Progent or divide responsibilities for Help Desk services seamlessly between your in-house network support resources and Progent's nationwide pool of IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a seamless extension of your corporate network support group. End user interaction with the Service Desk, provision of technical assistance, escalation, ticket generation and tracking, performance metrics, and management of the service database are cohesive regardless of whether issues are taken care of by your in-house IT support resources, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Service Center services.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates next generation behavior-based machine learning tools to defend endpoints and physical and virtual servers against new malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-matching AV tools. Progent ASM services protect on-premises and cloud resources and provides a unified platform to manage the complete threat progression including protection, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and recovery services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, retrieve and protect data about your network infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSLs ,domains or warranties. By updating and organizing your IT infrastructure documentation, you can save as much as half of time spent searching for critical information about your network. ProSight IT Asset Management features a common repository for storing and sharing all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning improvements, performing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Patch Management: Patch Management Services
    Progent's support services for patch management provide businesses of all sizes a flexible and affordable solution for evaluating, validating, scheduling, applying, and documenting updates to your ever-evolving information system. Besides optimizing the security and reliability of your IT network, Progent's patch management services free up time for your in-house IT team to concentrate on more strategic initiatives and tasks that deliver the highest business value from your network. Find out more about Progent's patch management support services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved easily to a different hardware solution without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior-based machine learning technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-matching AV products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a single platform to address the complete malware attack progression including protection, identification, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint management, and web filtering via cutting-edge tools incorporated within a single agent managed from a unified control. Progent's security and virtualization consultants can help you to design and implement a ProSight ESP environment that meets your company's unique requirements and that helps you demonstrate compliance with government and industry data security standards. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for urgent action. Progent can also help your company to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.
For 24-Hour Cabo Frio Crypto Removal Support Services, call Progent at 800-462-8800 or go to Contact Progent.