Ransomware: Your Crippling IT Catastrophe
Crypto-Ransomware Recovery Professionals

Crypto-Ransomware has become a too-frequent cyberplague that poses an extinction-level danger for businesses of all sizes unprepared for an assault. Older versions of ransomware such as Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for a long time and still inflict destruction. The latest variants of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus daily as yet unnamed malware, not only encrypt online data but also infect all configured system backups. Information synced to the cloud can also be encrypted. In a poorly architected environment, this can render automatic recovery impossible and effectively set the datacenter back to square one.

Getting programs and information back online following a ransomware intrusion becomes a sprint against time as the targeted business struggles to contain the damage, clean up the virus, and resume enterprise-critical operations. Since crypto-ransomware requires time to move laterally, assaults are frequently sprung during weekends and nights, when successful penetrations may take longer to recognize. This multiplies the difficulty of promptly assembling and coordinating a knowledgeable mitigation team.

Progent offers an assortment of support services for protecting businesses from ransomware penetrations. Among these are team training to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security gateways with machine learning capabilities from SentinelOne to identify and extinguish new cyber attacks rapidly. Progent also offers the assistance of veteran ransomware recovery professionals with the track record and commitment to rebuild a compromised system as rapidly as possible.

Progent's Crypto-Ransomware Restoration Help
Subsequent to a crypto-ransomware event, paying the ransom demand in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will return the keys needed to decrypt all your information. Kaspersky Labs determined that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in increased losses. The ransom itself is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET estimates to be in the range of $13,000. The alternative is to set up from scratch the critical elements of your IT environment. Without the availability of complete system backups, this calls for a broad complement of skill sets, top-notch project management, and the ability to work non-stop until the task is over.

For decades, Progent has provided certified expert IT services for companies in Cambridge and throughout the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have been awarded top industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity consultants have earned internationally renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience in financial management and ERP applications. This breadth of expertise gives Progent the capability to efficiently identify critical systems, consolidate the surviving components of your network environment following a crypto-ransomware event, and rebuild them into a functioning system.

Progent's security team deploys top-notch project management systems to coordinate the sophisticated restoration process. Progent understands the urgency of working swiftly and together with a customer's management and IT staff to prioritize tasks and to put essential systems back online as fast as humanly possible.

Client Story: A Successful Ransomware Virus Recovery
A business sought out Progent after their organization was brought down by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored criminal gangs, suspected of adopting algorithms exposed from the U.S. National Security Agency. Ryuk attacks specific businesses with little ability to sustain operational disruption and is among the most lucrative instances of ransomware malware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing business based in the Chicago metro area with about 500 staff members. The Ryuk intrusion had brought down all business operations and manufacturing capabilities. Most of the client's backups had been online at the beginning of the attack and were damaged. The client was taking steps to pay the ransom demand (in excess of $200,000) and hoping for good luck, but in the end engaged Progent.

"I can't say enough about the care Progent provided us throughout the most fearful time of (our) company's life. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent group provided us. That you could get our e-mail system and critical applications back faster than 1 week was beyond my wildest dreams. Each expert I spoke to or messaged at Progent was totally committed to getting us back online and was working all day and night on our behalf."

Progent worked together with the client to quickly determine and assign priority to the essential areas that had to be restored in order to restart business operations:

  • Microsoft Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software

To begin, Progent adhered to ransomware incident mitigation best practices by halting lateral movement and removing active malware. Progent then initiated the task of bringing Active Directory back online, the heart of enterprise networks built upon Microsoft technology. Microsoft Exchange messaging will not function without Windows AD, and the client's MRP system used SQL Server, which depends on Windows AD to authenticate access to the data.

Within 48 hours, Progent was able to rebuild Windows Active Directory to its pre-intrusion state. Progent then performed rebuilding and storage recovery on critical servers. All Microsoft Exchange Server schema and attributes were usable, which accelerated the restore of Exchange. Progent was also able to find local OST data files (Microsoft Outlook Off-Line Data Files) on various desktop computers in order to recover mail data. A recent offline backup of the client's accounting/MRP software made it possible to return these vital programs to users. Although a lot of work remained to recover completely from the Ryuk virus, the most important systems were returned to operation rapidly:

"For the most part, the manufacturing operation survived unscathed and we produced all customer sales."

Over the next couple of weeks, important milestones in the restoration process were achieved through tight collaboration between Progent engineers and the client:

  • Self-hosted web applications were restored with no loss of information.
  • The MailStore Exchange Server containing more than four million archived messages was restored to operation and made accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory functions were completely recovered.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • 90% of the user desktops were fully operational.

"So much of what happened those first few days is nearly entirely a haze for me, but we will not forget the dedication each of your team accomplished to give us our business back. I've trusted Progent for the past ten years, maybe more, and each time I needed help Progent has come through and delivered. This event was a stunning achievement."

Conclusion
A potential business extinction disaster was dodged by hard-working experts, a broad range of knowledge, and tight collaboration. In retrospect, the ransomware attack detailed here would have been identified and prevented with current cyber security systems and recognized best practices, user education, and well-designed security procedures for data protection and proper patching controls. Even so, state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of experts has a proven track record in crypto-ransomware defense, mitigation, and information systems disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thank you for allowing me to get rested after we made it over the first week. All of you did an impressive effort, and if anyone is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Cambridge a range of online monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services incorporate modern AI capability to uncover new variants of crypto-ransomware that can get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior-based machine learning tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily get by traditional signature-based AV products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a unified platform to address the complete malware attack lifecycle including filtering, detection, containment, cleanup, and post-attack forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection services deliver affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alarms, device management, and web filtering via cutting-edge technologies incorporated within one agent managed from a single console. Progent's security and virtualization consultants can assist your business to design and configure a ProSight ESP environment that meets your company's specific needs and that allows you to demonstrate compliance with legal and industry information security standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for urgent attention. Progent's consultants can also assist you to install and test a backup and restore system like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with leading backup technology providers to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your data backup operations and enable non-disruptive backup and rapid recovery of critical files, apps, images, plus virtual machines. ProSight DPS lets your business recover from data loss caused by equipment breakdown, natural calamities, fire, cyber attacks like ransomware, human error, ill-intentioned employees, or application bugs. Managed services in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of top information security vendors to deliver web-based control and comprehensive security for all your email traffic. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway appliance to offer complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a preliminary barricade and keeps most unwanted email from making it to your network firewall. This reduces your exposure to external threats and saves network bandwidth and storage space. Email Guard's onsite gateway appliance adds a further layer of analysis for inbound email. For outgoing email, the on-premises gateway offers AV and anti-spam filtering, protection against data leaks, and email encryption. The onsite security gateway can also help Exchange Server to track and protect internal email that stays within your security perimeter. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller organizations to map, track, optimize and debug their networking appliances like routers and switches, firewalls, and access points as well as servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network diagrams are always current, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating tedious network management activities, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, expanding your network, finding devices that need critical software patches, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your IT system running at peak levels by checking the health of vital assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your specified IT management staff and your assigned Progent engineering consultant so that all potential issues can be addressed before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Because the system is virtualized, it can be moved easily to a different hardware environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect data related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains, or warranties. By cleaning up and organizing your network documentation, you can save as much as half of the time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the data you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection solution that utilizes cutting-edge behavior-based machine learning tools to guard endpoint devices and physical and virtual servers against new malware attacks such as ransomware and file-less exploits, which routinely get by traditional signature-based AV products. Progent ASM services safeguard on-premises and cloud resources and offer a unified platform to manage the complete malware attack lifecycle including protection, infiltration detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Call Desk: Help Desk Managed Services
    Progent's Call Center managed services permit your information technology staff to outsource Call Center services to Progent or divide activity for support services seamlessly between your in-house network support group and Progent's nationwide roster of certified IT service engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a seamless extension of your in-house network support staff. User access to the Service Desk, delivery of technical assistance, issue escalation, ticket creation and updates, performance metrics, and management of the support database are cohesive whether issues are taken care of by your corporate network support resources, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management offer organizations of all sizes a versatile and affordable solution for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic IT system. Besides optimizing the protection and functionality of your IT environment, Progent's software/firmware update management services permit your IT team to focus on more strategic initiatives and tasks that derive the highest business value from your information network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication service plans utilize Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication. Duo enables single-tap identity confirmation with Apple iOS, Google Android, and other personal devices. With 2FA, whenever you sign into a protected application and enter your password you are requested to confirm your identity via a device that only you have and that uses a different network channel. A wide range of devices can be utilized for this second means of ID validation, such as an iPhone, Android phone or wearable, a hardware token, or a landline phone. You can register several verification devices. For details about Duo identity validation services, see Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding family of in-depth management reporting plug-ins created to integrate with the top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.

For Cambridge 24/7 Crypto-Ransomware Recovery Consultants, call Progent at 800-462-8800 or go to Contact Progent.