Ransomware: Your Feared IT Catastrophe
Ransomware Remediation Experts
Ransomware has become a modern cyber pandemic that presents an extinction-level threat to businesses poorly prepared for an attack. Older families such as CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock have been around for years and still cause damage. More recent crypto-ransomware strains like Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch or Egregor, along with as-yet-unnamed newcomers, not only encrypt online data files but also seek out and destroy any backup they can reach over the network. Data replicated to off-site disaster recovery sites can be corrupted as well, because replication faithfully copies the encrypted files over the good ones. In a poorly architected environment this renders automated restore operations hopeless and effectively sets the network back to zero.

Restoring programs and data after a crypto-ransomware event becomes a race against time as the targeted organization fights to contain the damage, eradicate the ransomware and restore business-critical activity. Because the operators need time to move laterally and stage the attack, the encryption phase is usually launched during nights and weekends, when a successful penetration often takes longer to notice. This multiplies the difficulty of quickly mobilizing and organizing an experienced response team.

Progent offers a range of support services for protecting organizations against crypto-ransomware events. These include staff education to help users recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of latest-generation security solutions with AI capabilities from SentinelOne to detect and disable zero-day threats rapidly. Progent also offers the assistance of veteran ransomware recovery professionals with the skills and commitment to rebuild a compromised network as rapidly as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware penetration, paying the ransom in cryptocurrency provides no assurance that the criminals will respond with the keys to decrypt any or all of your data. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time). This is far higher than the typical ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the mission-critical components of your IT environment from scratch. Without usable backups of essential data, this requires a broad range of skill sets, professional project management, and the willingness to work around the clock until the recovery is complete.

For two decades, Progent has provided expert IT services for companies in Charleston and throughout the United States and holds Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers with high-level certifications in leading technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security consultants hold internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial management and ERP applications. This breadth of experience gives Progent the skills to rapidly determine which systems are required, re-organize the surviving pieces of your IT environment after a ransomware penetration, and assemble them into a functioning network.

Progent's recovery team uses powerful project management tools to orchestrate the complex recovery process. Progent understands the urgency of working swiftly and in concert with a client's management and IT staff to prioritize tasks and bring key systems back online as fast as possible.

Case Study: A Successful Crypto-Ransomware Intrusion Recovery
A customer contacted Progent after their network was hit by Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the Hermes ransomware; later analysis by CrowdStrike instead attributed it to a Russian-speaking criminal crew. Ryuk targets specific businesses with little tolerance for disruption and is one of the most lucrative ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer headquartered in the Chicago metro area with around 500 employees. The Ryuk penetration had paralyzed all essential business and manufacturing processes. The majority of the client's backups had been online at the start of the attack and were destroyed. The client was considering paying the ransom (over $200K) and hoping for the best, but ultimately called Progent.


"I can't thank you enough for the care Progent gave us during the most fearful time of (our) company's life. We may have had to pay the criminal gangs except for the confidence the Progent team provided us. The fact that you could get our messaging and critical applications back online in less than seven days was amazing. Each expert I talked with or messaged at Progent was totally committed to getting my company operational and was working 24/7 to bail us out."

Progent worked hand in hand with the customer to rapidly identify and prioritize the mission-critical systems that had to be recovered in order to resume departmental functions:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Accounting/MRP
To begin, Progent followed incident response best practices by halting lateral movement and cleaning up compromised systems. Progent then began recovering Microsoft Active Directory, the foundation of enterprise environments built on Windows Server. Exchange will not operate without Active Directory, and the business's MRP system used Microsoft SQL Server, which relied on Active Directory for Windows authentication to the database.

Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then rebuilt key servers and recovered their storage. Exchange Server's Active Directory objects and attributes were intact, which simplified the Exchange restore. Progent was also able to find unencrypted OST files (Outlook Offline Data Files) on staff desktops and laptops and used them to recover mail messages. A recent offline backup of the client's financials/ERP systems made it possible to bring these essential services back into service. Although a great deal of work remained to recover fully from Ryuk, the most important systems were restored quickly:


"For the most part, the production manufacturing operation showed little impact and we produced all customer shipments."
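The OST recovery step described above rests on one practical fact: ransomware typically overwrites at least the start of each file it encrypts, so a file that still begins with the Outlook data-file signature is a recovery candidate, whatever its current name. The script below is an added example and not Progent's own tooling: it walks a workstation profile and sorts Outlook data files into intact, encrypted and ransom-note buckets by checking the MS-PST magic bytes ("!BDN" at offset 0, client marker at offset 8) rather than trusting the extension. The mini profile it builds is constructed sample data; the ".RYK" extension and RyukReadMe note are well-known Ryuk indicators used only for tagging.

```python
"""Triage Outlook data files (.ost/.pst) on a workstation after a ransomware hit.

Added example, not Progent's tooling. Ransomware overwrites at least the
start of each file it encrypts, so a file that still begins with the MS-PST
magic "!BDN" is a recovery candidate even if it was renamed; one that does not
is treated as lost. Ryuk's ".RYK" extension and "RyukReadMe" note are
well-known indicators and are used here only to tag what was found.
"""
import os
import tempfile
from pathlib import Path

PST_MAGIC = b"!BDN"                            # dwMagic: first 4 bytes of every PST/OST file
CLIENT_MARKERS = {b"SM": "pst", b"SO": "ost"}  # wMagicClient at offset 8 (MS-PST spec)
OUTLOOK_EXTS = {".ost", ".pst"}
RANSOM_NOTE_PREFIX = "ryukreadme"              # RyukReadMe.txt / RyukReadMe.html
BUCKETS = ("intact-ost", "intact-pst", "encrypted", "ransom-note", "other")


def classify_file(path: Path) -> str:
    """Classify one file by its name and first bytes, not by its extension alone."""
    name = path.name.lower()
    if name.startswith(RANSOM_NOTE_PREFIX):
        return "ransom-note"
    # path.suffixes keeps the original extension even when ".RYK" was appended.
    suffixes = [s.lower() for s in path.suffixes]
    outlook_ext = next((s for s in suffixes if s in OUTLOOK_EXTS), None)
    if outlook_ext is None:
        return "other"
    with path.open("rb") as fh:
        header = fh.read(10)
    if header[:4] != PST_MAGIC:
        return "encrypted"  # header gone: assume it was overwritten by the ransomware
    kind = CLIENT_MARKERS.get(header[8:10], outlook_ext.lstrip("."))
    return f"intact-{kind}"


def triage_outlook_files(root) -> dict:
    """Walk root and return {bucket: sorted relative paths} for every file found."""
    root = Path(root)
    buckets = {b: [] for b in BUCKETS}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            buckets[classify_file(p)].append(p.relative_to(root).as_posix())
    return {b: sorted(v) for b, v in buckets.items()}


def make_sample_tree(root) -> None:
    """Build a constructed mini user profile: two intact files, one encrypted, one note."""
    outlook = Path(root) / "Users" / "jdoe" / "AppData" / "Local" / "Microsoft" / "Outlook"
    outlook.mkdir(parents=True)
    pad = b"\x00" * 502
    (outlook / "jdoe@example.com.ost").write_bytes(PST_MAGIC + b"\x00" * 4 + b"SO" + pad)
    (outlook / "archive2019.pst").write_bytes(PST_MAGIC + b"\x00" * 4 + b"SM" + pad)
    # "Encrypted" stand-in: no magic bytes, .RYK appended the way Ryuk does it.
    (outlook / "old@example.com.ost.RYK").write_bytes(bytes(range(256)) * 2)
    (outlook / "RyukReadMe.txt").write_text("constructed placeholder ransom note\n")
    desktop = Path(root) / "Users" / "jdoe" / "Desktop"
    desktop.mkdir(parents=True)
    (desktop / "notes.txt").write_text("unrelated file\n")


def demo() -> dict:
    """Build the sample tree in a temp dir and triage it; returns the buckets."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        return triage_outlook_files(tmp)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:12s} {files}")
```

On a real workstation, point `triage_outlook_files` at the user profile directory (or a forensic image mount) and copy only the `intact-*` results to clean media before importing them into a rebuilt mailbox; a file that passes the magic check can still be truncated or partially encrypted, so open each one in Outlook or a PST repair tool before declaring it recovered.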

Over the following couple of weeks, further milestones in the recovery project were accomplished in close collaboration between Progent consultants and the client:

  • Internal web applications were restored with no loss of data.
  • The MailStore email archive server, holding more than 4 million archived Exchange messages, was brought back online and made available to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory Control capabilities were fully restored.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Nearly all user desktops and laptops were working as they had before the incident.

"A huge amount of what happened in the initial days is nearly entirely a blur for me, but we will not forget the commitment each and every one of your team put in to help get our company back. I have utilized Progent for the past 10 years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This event was no exception but maybe more Herculean."

Conclusion
A likely company-ending catastrophe was averted through the efforts of hard-working professionals, a wide array of expertise, and close teamwork. In hindsight, the crypto-ransomware attack described here should have been blocked by current security tooling and NIST Cybersecurity Framework practices, user and IT administrator training, and sound procedures for data backup and security patching; the reality, however, is that criminal and state-sponsored attackers are relentless and are not going away. If you are hit by a ransomware penetration, you can be confident that Progent's team has substantial experience in crypto-ransomware prevention, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for allowing me to get rested after we got past the first week. Everyone did a fabulous job, and if anyone that helped is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Charleston a portfolio of remote monitoring and security assessment services designed to help you reduce your exposure to ransomware. These services include machine learning capabilities to detect zero-day ransomware strains that evade traditional signature-based defenses.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's next-generation behavior-based analysis technology to guard physical and virtual endpoints against new malware attacks like ransomware and phishing payloads, which easily evade legacy signature-based anti-virus products. ProSight ASM protects local and cloud-based resources and provides a single platform to manage the complete threat progression including filtering, detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Note that VSS rollback only works if the shadow copies survive: Ryuk and many other families delete them (for example with vssadmin) before encrypting, so the agent must block that tampering, and VSS is no substitute for offline backups. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and respond to cyber attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering via leading-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP environment that meets your company's specific requirements and that allows you to achieve and demonstrate compliance with legal and industry information security regulations. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that call for urgent action. Progent can also help you set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with advanced backup software companies to create ProSight Data Protection Services, a family of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your backup operations and enable non-disruptive backup and rapid restoration of important files, applications, system images, and virtual machines. ProSight DPS lets your business avoid data loss caused by equipment breakdown, natural calamities, fire, malware such as ransomware, human mistakes, malicious insiders, or application bugs. Managed backup services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of top data security companies to deliver web-based management and comprehensive protection for your inbound and outbound email. The architecture of the Email Guard managed service combines cloud-based filtering with an on-premises gateway device to offer complete protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This decreases your exposure to inbound threats and saves bandwidth and storage. Email Guard's on-premises security gateway provides a further level of inspection for inbound email. For outgoing email, the local gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also help Exchange Server monitor and protect internal email traffic that originates and ends within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map, track, reconfigure and debug their connectivity hardware such as switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Using cutting-edge RMM technology, WAN Watch ensures that network diagrams are always current, captures and manages the configuration of almost all devices on your network, tracks performance, and generates alerts when potential issues are discovered. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off common chores such as making network diagrams, expanding your network, locating appliances that require important updates, or resolving performance problems. Learn more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network running efficiently by checking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your specified IT personnel and your assigned Progent consultant so all potential problems can be addressed before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host set up and managed by Progent's network support experts. With Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Since the environment is virtualized, it can be ported easily to a different hosting solution without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and protect information related to your IT infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can eliminate up to half of the time wasted searching for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that uses cutting-edge behavior-based analysis technology to guard endpoint devices as well as physical and virtual servers against new malware attacks like ransomware and fileless exploits, which easily evade traditional signature-based AV tools. The service safeguards on-premises and cloud resources and offers a single platform to automate the complete threat lifecycle including filtering, infiltration detection, mitigation, remediation, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Call Center services let your IT group offload Help Desk services to Progent or divide support activity transparently between your in-house support team and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless extension of your in-house IT support resources. User interaction with the Help Desk, delivery of support, issue escalation, ticket creation and tracking, efficiency metrics, and maintenance of the service database are consistent whether issues are handled by your in-house network support organization, by Progent, or both. Read more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide businesses of any size a versatile and affordable solution for evaluating, testing, scheduling, applying, and documenting updates to your dynamic IT network. In addition to maximizing the protection and reliability of your IT network, Progent's patch management services allow your in-house IT staff to concentrate on line-of-business projects and tasks that deliver maximum business value from your network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA services use Cisco's Duo technology to protect against password theft with two-factor authentication. Duo supports single-tap identity confirmation with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you sign into a protected account and enter your password, you are asked to confirm your identity via a device that only you possess and that uses a separate ("out-of-band") channel. A broad range of out-of-band devices can serve as this second factor, such as a smartphone or wearable, a hardware token, or a landline telephone. You can designate multiple validation devices. For details about Duo identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding line of real-time and in-depth management reporting utilities designed to integrate with leading ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and uses color coding to surface and contextualize key issues such as inconsistent support follow-up or endpoints with out-of-date antivirus agents. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
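The ProSight Active Security Monitoring and Active Defense Against Ransomware services above both rely on Volume Shadow Copy rollback, which depends on the shadow copies still existing when the ransomware is caught. Ryuk and many other families delete them with vssadmin, wmic or wbadmin, and disable Windows recovery with bcdedit, immediately before encrypting; that burst of commands is itself one of the most reliable early warnings. The detector below is an added example and not part of ProSight ASM or SentinelOne: it runs a handful of those command-line patterns over constructed process-creation log lines. The `timestamp host user pid "command line"` layout is an assumption for the example; real Windows Security event 4688 or Sysmon event 1 records carry the same fields and would be parsed the same way.

```python
"""Flag shadow-copy and recovery tampering in process-creation logs.

Added example, not part of ProSight ASM or SentinelOne. Ransomware families,
Ryuk among them, commonly delete Volume Shadow Copies before encrypting so
VSS-based rollback has nothing to roll back to. The log lines below are
constructed; the 'timestamp host user pid "command line"' layout is an
assumption for the example.
"""
import re

# (tool name, case-insensitive regex over the full command line)
SHADOW_DELETE_PATTERNS = [
    ("vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    # Shrinking shadow storage to a tiny size evicts existing copies without "delete".
    ("vssadmin", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b.*\bmaxsize=", re.I)),
    ("wmic", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("bcdedit", re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("powershell", re.compile(r"\b(win32_shadowcopy|get-wmiobject\s+.*shadowcopy)\b.*\b(delete|remove)", re.I)),
]

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<pid>\d+)\s+"(?P<cmd>.*)"$')

# Constructed sample: a Ryuk-style pre-encryption burst plus benign noise.
SAMPLE_LOG = [
    '2020-03-07T02:13:44Z WS-017 CORP\\jdoe 4120 "vssadmin.exe Delete Shadows /All /Quiet"',
    '2020-03-07T02:13:45Z WS-017 CORP\\jdoe 4131 "wmic.exe shadowcopy delete"',
    '2020-03-07T02:13:46Z WS-017 CORP\\jdoe 4140 "bcdedit.exe /set {default} recoveryenabled No"',
    '2020-03-07T02:13:47Z WS-017 CORP\\jdoe 4152 "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
    '2020-03-07T02:14:02Z SRV-BKP CORP\\svc_backup 2210 "vssadmin.exe list shadows"',
    '2020-03-07T02:14:10Z WS-017 CORP\\jdoe 4160 "notepad.exe C:\\Users\\jdoe\\shadows.txt"',
    'malformed line without quotes',
]


def parse_line(line: str):
    """Split one constructed-format log line into fields; None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_shadow_tampering(cmdline: str):
    """Return the tool name of the first pattern that matches, or None for benign lines."""
    for tool, pattern in SHADOW_DELETE_PATTERNS:
        if pattern.search(cmdline):
            return tool
    return None


def scan_log(lines):
    """Return an alert record (parsed fields plus 'tool') for every tampering command."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, not treated as alerts
        tool = match_shadow_tampering(rec["cmd"])
        if tool:
            alerts.append({**rec, "tool": tool})
    return alerts


def run_sample():
    """Scan the constructed sample log; used by the usage below."""
    return scan_log(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(f'{a["ts"]} {a["host"]} {a["user"]} pid={a["pid"]} [{a["tool"]}] {a["cmd"]}')
```

Listing shadow copies is legitimate and is deliberately not flagged; what matters operationally is several of these commands from one host and user within seconds, so in a SIEM the alert should be a correlation over `host` and a short time window rather than a single-line match. Backup agents and some imaging tools do run `vssadmin delete shadows` legitimately, so allow-list those parent processes rather than the command itself.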
For Charleston 24-Hour CryptoLocker Remediation Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.