Ransomware: Your Crippling Information Technology Disaster
Ransomware Recovery Professionals
Ransomware has become a modern cyberplague that represents an enterprise-level danger for businesses poorly prepared for an attack. Older ransomware families like the Reveton, CryptoWall, Locky, SamSam and MongoLock cryptoworms have been in the wild for a long time and still inflict havoc. Modern strains like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, as well as frequent as-yet-unnamed variants, not only encrypt online files but also attack any backup and data protection mechanisms they can reach. Data synchronized to the cloud can be corrupted as well. With a poorly architected data protection solution, this can render any restore operation useless and effectively knock the entire environment back to zero.

Getting services and information back online after a ransomware intrusion becomes a race against the clock as the targeted organization struggles to stop lateral movement, clear the ransomware, and restore mission-critical activity. Because ransomware requires time to spread, attacks are frequently sprung on weekends, when a successful penetration is likely to take longer to discover. This compounds the difficulty of quickly mobilizing and organizing a qualified mitigation team.

Progent has an assortment of services for protecting businesses from ransomware penetrations. These include team training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus deployment of the latest generation security appliances with artificial intelligence technology from SentinelOne to detect and suppress new cyber attacks rapidly. Progent also offers the services of seasoned ransomware recovery engineers with the track record and commitment to rebuild a compromised network as quickly as possible.

Progent's Ransomware Restoration Services
Following a ransomware event, even paying the ransom in Bitcoin does not ensure that the criminals will provide the keys needed to decrypt any or all of your files. Kaspersky determined that seventeen percent of crypto-ransomware victims never recovered their data even after paying the ransom, resulting in additional losses. The ransom itself is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET estimates at approximately $13,000. The alternative is to rebuild the critical elements of your IT environment. Without complete data backups, this requires a broad complement of skills, well-coordinated project management, and the capability to work around the clock until the task is completed.

For decades, Progent has offered expert Information Technology services for businesses in Cambridge and across the U.S. and has earned Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who hold high-level certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have earned internationally recognized certifications including CISA, CISSP, CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise in financial systems and ERP application software. This breadth of expertise gives Progent the skills to knowledgeably identify the necessary systems, reorganize the surviving pieces of your IT environment after a ransomware attack, and configure them into an operational network.

Progent's ransomware team uses powerful project management systems to coordinate the complicated recovery process. Progent understands the importance of acting quickly and in unison with a client's management and IT team members to assign priority to tasks and to put the most important systems back on-line as soon as possible.

Client Story: A Successful Ransomware Virus Recovery
A client sought out Progent after their organization was attacked by the Ryuk crypto-ransomware. Ryuk is believed to have been developed by North Korean state-sponsored cybercriminals, who are suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little or no ability to sustain disruption and is one of the most lucrative instances of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in Chicago with about 500 workers. The Ryuk event had shut down all essential operations and manufacturing processes. Most of the client's backups had been directly accessible from the network at the time of the attack and were eventually encrypted. The client considered paying the ransom demand (in excess of $200,000) and hoping for good luck, but in the end engaged Progent.


"I cannot speak enough about the help Progent provided us throughout the most stressful time of (our) business's life. We would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and production applications back on-line quicker than one week was amazing. Every single consultant I spoke to or texted at Progent was laser focused on getting us back on-line and was working all day and night to bail us out."

Progent worked together with the customer to rapidly assess and assign priority to the most important services that had to be restored to make it possible to resume departmental functions:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting/MRP

To begin, Progent followed best practices for malware incident mitigation by stopping lateral movement and disinfecting systems. Progent then began rebuilding Active Directory, the foundation of enterprise networks built on Microsoft Windows. Exchange email will not function without Active Directory, and the customer's MRP system relied on Microsoft SQL Server, which depends on Windows AD to authenticate access to the data.

In less than 2 days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then charged ahead with rebuilding the required applications and recovering their storage. All Exchange Server schema and configuration information was intact, which facilitated the rebuild of Exchange. Progent was able to find intact OST files (Microsoft Outlook Offline Data Files) on various desktop computers and laptops to recover email data. A reasonably recent offline backup of the customer's accounting software made it possible to bring these vital applications back to users. Although major work still had to be done to recover completely from the Ryuk event, core systems were restored rapidly:


"For the most part, the production line operation showed little impact and we produced all customer orders."

During the next couple of weeks critical milestones in the restoration project were accomplished through tight cooperation between Progent engineers and the client:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore Server containing more than four million archived emails was brought online and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory functions were 100% recovered.
  • A new Palo Alto Networks 850 firewall was deployed.
  • Most of the desktop computers were back in operation.

"A huge amount of what occurred that first week is mostly a fog for me, but our team will not forget the care all of the team put in to give us our company back. I have been working with Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered. This situation was a life saver."

Conclusion
A possible business extinction catastrophe was averted through the efforts of results-oriented professionals, a wide spectrum of IT skills, and tight teamwork. In hindsight, the ransomware attack described here could have been identified and blocked with advanced security systems and ISO/IEC 27001 best practices, user and IT administrator education, and well thought out procedures for data protection and software patching. The reality, however, is that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware penetration, remember that Progent's team of professionals has a proven track record in crypto-ransomware defense, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), I'm grateful for letting me get some sleep after we made it through the initial fire. Everyone did an incredible job, and if any of your guys is around the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Cambridge a variety of online monitoring and security evaluation services to help you to minimize your vulnerability to ransomware. These services include modern machine learning capability to uncover zero-day strains of ransomware that are able to evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior analysis tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which routinely evade legacy signature-based AV products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to automate the complete malware attack lifecycle including filtering, identification, mitigation, cleanup, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer security for physical and virtual servers, desktops, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and response to cyber threats from all attack vectors. ProSight ESP provides firewall protection, penetration alerts, endpoint control, and web filtering via leading-edge technologies incorporated within one agent managed from a unified control panel. Progent's security and virtualization consultants can help your business to plan and configure a ProSight ESP environment that addresses your company's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry information security standards. Progent will assist you to define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that call for urgent attention. Progent can also assist you to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business rapidly after a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup technology providers to create ProSight Data Protection Services, a portfolio of management outsourcing plans that deliver backup-as-a-service. ProSight DPS products automate and track your data backup operations and allow non-disruptive backup and rapid recovery of critical files, apps, images, and VMs. ProSight DPS lets your business recover from data loss resulting from hardware failures, natural disasters, fire, cyber attacks like ransomware, user error, ill-intentioned employees, or application glitches. Managed backup services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading data security vendors to deliver web-based control and comprehensive protection for all your email traffic. The architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to offer advanced defense against spam, viruses, denial of service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This decreases your exposure to external attacks and saves network bandwidth and storage. Email Guard's on-premises security gateway appliance adds a deeper layer of inspection for inbound email. For outgoing email, the local security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and protect internal email that stays inside your corporate firewall. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map out, monitor, optimize and troubleshoot their networking appliances such as routers, switches, firewalls, and wireless controllers, plus servers, client computers and other devices. Using Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always current, copies and manages the configuration of virtually all devices on your network, monitors performance, and generates alerts when issues are discovered. By automating tedious network management processes, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, locating appliances that need critical updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management techniques to help keep your network running efficiently by checking the health of the vital computers that power your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT staff and your assigned Progent engineering consultant so potential problems can be addressed before they impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting solution without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and safeguard data about your network infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can save up to half the time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a common location for storing and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that utilizes cutting-edge behavior analysis tools to guard endpoints and physical and virtual servers against modern malware attacks like ransomware and file-less exploits, which easily get by legacy signature-based anti-virus tools. Progent ASM services safeguard local and cloud resources and offer a unified platform to manage the entire threat lifecycle including filtering, detection, containment, cleanup, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Call Desk: Call Center Managed Services
    Progent's Call Desk services allow your IT staff to outsource Help Desk services to Progent or divide responsibilities for Help Desk services transparently between your in-house support staff and Progent's extensive pool of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a seamless supplement to your internal support group. End user interaction with the Help Desk, delivery of support services, problem escalation, ticket generation and updates, efficiency measurement, and maintenance of the service database are cohesive regardless of whether issues are taken care of by your core network support organization, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/shared Call Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management offer organizations of any size a flexible and affordable solution for evaluating, testing, scheduling, applying, and tracking updates to your dynamic IT system. Besides maximizing the security and functionality of your IT environment, Progent's patch management services permit your in-house IT team to concentrate on line-of-business projects and activities that deliver the highest business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication (2FA). Duo supports single-tap identity confirmation on Apple iOS, Google Android, and other personal devices. Using Duo 2FA, whenever you log into a secured application and enter your password you are asked to confirm who you are on a device that only you have and that uses a different network channel. A broad selection of out-of-band devices can be used as this second form of authentication including a smartphone or watch, a hardware token, a landline telephone, etc. You can register several validation devices. To find out more about Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.
For Cambridge 24-7 Ransomware Recovery Experts, call Progent at 800-462-8800 or go to Contact Progent.