Ransomware : Your Crippling Information Technology Nightmare
Ransomware has become an all-too-frequent cyberplague that represents an enterprise-level threat for businesses unprepared for an attack. Multiple generations of ransomware such as CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been in the wild for many years and still cause havoc. Recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, as well as other, as yet unnamed variants, not only encrypt online data but also infiltrate any system backups they can reach. Data synced to the cloud can also be held hostage. In a poorly architected system, this can render automatic restoration hopeless and knock the entire environment back to square one.

Getting services and data back after a crypto-ransomware outage becomes a sprint against the clock as the victim tries to contain the infection, clean up the ransomware, and restore business-critical activity. Because ransomware needs time to move laterally, attacks are usually launched on weekends and at night, when intrusions typically take longer to discover. This compounds the difficulty of quickly mobilizing and coordinating an experienced mitigation team.

Progent offers a range of services for protecting enterprises from ransomware intrusions. These include staff training to help users recognize and avoid phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security solutions with machine-learning capabilities from SentinelOne to detect and contain zero-day threats quickly. Progent can also provide veteran ransomware recovery engineers with the skills and perseverance to reconstruct a compromised system as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not ensure that the criminals will provide the keys needed to decrypt any of your data. Kaspersky estimated that seventeen percent of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms are typically several hundred thousand dollars, and for larger enterprises the ransom can run into the millions. The fallback is to rebuild the key components of your IT environment. Without access to full system backups, this requires a broad complement of skill sets, well-coordinated team management, and the ability to work non-stop until the task is complete.

For two decades, Progent has provided expert IT services for companies across the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold high-level certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has experience with financial systems and ERP applications. This breadth of experience gives Progent the skills to understand the critical systems in your IT environment, organize what remains after a ransomware event, and assemble the pieces into a functioning network.

Progent's security group uses top-notch project management processes to coordinate the complicated recovery effort. Progent understands the urgency of acting quickly and in concert with a customer's management and IT staff to prioritize tasks and put essential services back online as soon as humanly possible.

Case Study: A Successful Crypto-Ransomware Incident Recovery
A small business sought out Progent after its network was attacked by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state hackers, suspected of using algorithms leaked from the United States NSA. Ryuk targets specific organizations with little room for operational disruption and is among the most profitable incarnations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had shut down all company operations and manufacturing. Most of the client's data backups had been online at the start of the intrusion and were encrypted. The client was preparing to pay the ransom (exceeding two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.

"I can't say enough in regards to the support Progent gave us throughout the most critical time of (our) company's existence. We would have paid the cyber criminals if it wasn't for the confidence the Progent experts provided us. That you were able to get our e-mail system and essential applications back in less than a week was something I thought impossible. Each expert I worked with or texted at Progent was absolutely committed to getting us restored and was working at breakneck pace on our behalf."

Progent worked hand in hand with the client to rapidly identify and prioritize the mission-critical areas that had to be restored in order to continue business operations:

  • Active Directory (AD)
  • E-Mail
  • Accounting and Manufacturing Software

To start, Progent followed industry best practices for malware incident response by halting the spread and performing malware removal. Progent then began rebuilding Microsoft AD, the foundation of enterprise environments built on Microsoft Windows. Microsoft Exchange Server messaging will not work without Active Directory, and the customer's financials and MRP applications used Microsoft SQL Server, which depends on Active Directory to authenticate users to the databases.

Within 48 hours, Progent restored Active Directory to its pre-intrusion state. Progent then rebuilt critical servers and recovered their storage. All Microsoft Exchange Server data and attributes were intact, which accelerated the restoration of Exchange. Progent collected intact OST files (Outlook offline folder files) from staff PCs and laptops to recover mail data. A recent offline backup of the customer's financials/ERP systems made it possible to bring these required applications back online for users. Although significant work remained to recover fully from the Ryuk virus, core systems were recovered rapidly:

"For the most part, the manufacturing operation did not miss a beat and we produced all customer sales."
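The recovery described above restores services in dependency order (Active Directory before Exchange and SQL Server, SQL Server before the financials/ERP applications) while putting what the business needs first at the front of the queue. The following Python example is added here to illustrate that reasoning; it is not part of Progent's report or tooling. It encodes a small service inventory with dependencies, business priority and backup state (the inventory values are constructed to mirror the case study, not taken from the client's environment), computes a restore order that respects dependencies but pulls forward any dependency of a critical service, and lists the services whose only backups were encrypted and therefore need an alternate source such as copies on endpoints.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """One restorable component of the environment (constructed model)."""
    name: str
    depends_on: tuple = ()           # services that must be up first
    priority: int = 3                # 1 = mission critical ... 3 = can wait
    backup_state: str = "unknown"    # "intact", "encrypted", "endpoint-copies"


def _validate(services):
    by_name = {s.name: s for s in services}
    for s in services:
        for dep in s.depends_on:
            if dep not in by_name:
                raise ValueError(f"{s.name} depends on unknown service {dep!r}")
    return by_name


def effective_priority(services):
    """A dependency inherits the best (lowest) priority of anything above it:
    SQL Server may be priority 2 on its own, but if the priority-1 ERP system
    needs it, it must be treated as priority 1 too."""
    _validate(services)
    eff = {s.name: s.priority for s in services}
    changed = True
    while changed:                    # values only decrease, so this terminates
        changed = False
        for s in services:
            for dep in s.depends_on:
                if eff[s.name] < eff[dep]:
                    eff[dep] = eff[s.name]
                    changed = True
    return eff


def plan_recovery(services):
    """Kahn's topological sort; among the services that are ready to restore,
    pick the one with the best effective priority (name breaks ties).
    Raises ValueError on a dependency cycle or an unknown dependency."""
    _validate(services)
    eff = effective_priority(services)
    indeg = {s.name: len(s.depends_on) for s in services}
    dependents = {s.name: [] for s in services}
    for s in services:
        for dep in s.depends_on:
            dependents[dep].append(s.name)
    ready = [n for n, k in indeg.items() if k == 0]
    order = []
    while ready:
        ready.sort(key=lambda n: (eff[n], n))
        current = ready.pop(0)
        order.append(current)
        for nxt in dependents[current]:
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(services):
        stuck = ", ".join(n for n, k in indeg.items() if k > 0)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def blocked_by_encrypted_backups(services):
    """Services whose backups were encrypted in the attack: these need a
    rebuild or an alternate source before the plan above can proceed."""
    return [s.name for s in services if s.backup_state == "encrypted"]


# Constructed inventory modelled on the case study (priorities and backup
# states are assumptions for illustration, not facts from the report).
SAMPLE_INVENTORY = [
    Service("Active Directory", (), 1, "intact"),
    Service("Exchange Server", ("Active Directory",), 1, "endpoint-copies"),
    Service("SQL Server", ("Active Directory",), 2, "intact"),
    Service("Financials/ERP", ("SQL Server",), 1, "intact"),
    Service("MailStore archive", ("Exchange Server",), 3, "encrypted"),
    Service("In-house web apps", ("Active Directory", "SQL Server"), 2, "encrypted"),
    Service("Workstations", ("Active Directory",), 2, "encrypted"),
]


if __name__ == "__main__":
    for step, name in enumerate(plan_recovery(SAMPLE_INVENTORY), 1):
        print(f"{step}. {name}")
    print("needs alternate source:", blocked_by_encrypted_backups(SAMPLE_INVENTORY))
```

In the sample, SQL Server is restored right after Exchange even though it was entered as priority 2, because the priority-1 ERP system cannot come back without it; this is the same judgement the case study describes when it rebuilds Active Directory first for the sake of everything that authenticates against it.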

Over the following couple of weeks, important milestones in the recovery project were reached through close cooperation between Progent team members and the customer:

  • In-house web applications were brought back up without losing any information.
  • The MailStore archive for Microsoft Exchange Server, with over four million archived emails, was restored to operation and made available to users.
  • CRM/Orders/Invoices/AP/AR/Inventory Control modules were 100% restored.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • 90% of the user desktops and notebooks were operational.

"A lot of what transpired in the early hours is nearly entirely a haze for me, but our team will not forget the dedication each of you put in to give us our company back. I've been working together with Progent for at least 10 years, maybe more, and each time I needed help Progent has come through and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A probable business disaster was averted by hard-working professionals, a broad spectrum of knowledge, and tight teamwork. Although post-incident forensics showed that the ransomware incident described here would have been stopped by current security technology, NIST Cybersecurity Framework best practices, team training, and well-thought-out procedures for data protection and security patching, the reality remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and an ongoing threat. If you do get hit by ransomware, remember that Progent's roster of professionals has substantial experience in ransomware blocking, removal, and file disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were contributing), I'm grateful for making it so I could get rested after we made it through the initial push. Everyone did an incredible job, and if anyone is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Charleston a range of remote monitoring and security assessment services to help you minimize your exposure to ransomware. These services use next-generation machine learning to uncover new variants of crypto-ransomware that evade legacy signature-based anti-virus products.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running efficiently by checking the state of vital assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT staff and your assigned Progent consultant so that any looming issues can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight LAN Watch with NinjaOne RMM: Centralized RMM Solution for Networks, Servers, and Desktops
    ProSight LAN Watch with NinjaOne RMM software delivers a centralized, cloud-based solution for monitoring and managing your client-server infrastructure by offering tools for performing common time-consuming jobs. These can include health monitoring, patch management, automated remediation, endpoint configuration, backup and recovery, anti-virus defense, remote access, built-in and custom scripts, resource inventory, endpoint status reporting, and troubleshooting support. If ProSight LAN Watch with NinjaOne RMM uncovers a serious incident, it sends an alert to your specified IT personnel and your assigned Progent consultant so emerging issues can be taken care of before they interfere with productivity. Find out more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring consulting.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map, monitor, enhance and debug their connectivity appliances like routers and switches, firewalls, and load balancers plus servers, printers, client computers and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are always current, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, reconfiguring your network, locating appliances that need critical software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding family of real-time reporting utilities designed to work with the industry's leading ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues like inconsistent support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore technology companies to produce ProSight Data Protection Services, a portfolio of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS products automate and track your data backup processes and allow transparent backup and fast recovery of important files, apps, images, and virtual machines. ProSight DPS lets your business protect against data loss resulting from hardware breakdown, natural disasters, fire, malware like ransomware, user mistakes, ill-intentioned employees, or software bugs. Managed backup services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top data security vendors to deliver centralized control and world-class protection for your email traffic. The hybrid structure of Email Guard managed service integrates cloud-based filtering with a local security gateway appliance to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter serves as a preliminary barricade and blocks most unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's on-premises security gateway device provides a further layer of analysis for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Exchange Server to track and protect internal email that stays within your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity verification with iOS, Google Android, and other personal devices. With Duo 2FA, whenever you log into a secured application and enter your password you are requested to verify your identity via a device that only you have and that is accessed using a different network channel. A wide range of out-of-band devices can be used as this added form of ID validation including an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You may register several validation devices. To find out more about Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication services.

  • Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
    Progent's Support Desk managed services allow your IT team to outsource Call Center services to Progent or divide activity for support services transparently between your in-house support resources and Progent's extensive roster of IT service engineers and subject matter experts. Progent's Shared Help Desk Service offers a seamless supplement to your core network support organization. Client interaction with the Service Desk, provision of technical assistance, escalation, ticket generation and updates, performance measurement, and management of the support database are cohesive whether incidents are taken care of by your core network support group, by Progent's team, or by a combination. Learn more about Progent's outsourced/shared Call Center services.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that uses cutting-edge behavior-based analysis to guard endpoint devices and physical and virtual servers against new malware attacks like ransomware and file-less exploits, which easily get by legacy signature-matching AV products. Progent ASM services safeguard on-premises and cloud resources and offer a single platform to manage the complete malware attack lifecycle including protection, identification, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, find and protect information related to your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your network documentation, you can eliminate as much as half of the time spent looking for vital information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and associating IT information. Whether you're planning enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Patch Management: Patch Management Services
    Progent's support services for patch management provide organizations of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your dynamic information system. In addition to optimizing the security and reliability of your computer environment, Progent's patch management services permit your in-house IT team to concentrate on line-of-business initiatives and tasks that deliver maximum business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Because the system is virtualized, it can be ported immediately to an alternate hosting solution without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior analysis tools to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which easily get by traditional signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and offers a single platform to automate the entire threat lifecycle including protection, identification, containment, cleanup, and post-attack forensics. Top features include one-click rollback with Windows VSS and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver ultra-affordable multi-layer security for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and responding to security threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering via leading-edge tools incorporated within one agent accessible from a single console. Progent's security and virtualization consultants can assist your business to design and implement a ProSight ESP environment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry data security regulations. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require immediate action. Progent can also assist you to set up and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

For 24-7 Charleston Crypto-Ransomware Remediation Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.