Ransomware : Your Crippling IT Disaster
Crypto-Ransomware Remediation Consultants

Crypto-ransomware has become a modern cyberplague that poses an existential danger to businesses unprepared for an attack. Multiple generations of crypto-ransomware such as the CryptoLocker, Fusob, Locky, SamSam and MongoLock families have been around for a long time and still cause havoc. Modern variants such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Egregor, plus frequent unnamed malware, not only encrypt online data but also target every system protection mechanism they can reach. Data synced to the cloud can also be rendered useless. Against a vulnerable data protection solution, this can defeat automated restore operations and set the entire environment back to square one.

Recovering applications and data after a ransomware event becomes a race against time as the victim fights to contain the damage, clean up the ransomware, and resume business-critical operations. Because crypto-ransomware needs time to spread, attacks are frequently launched on weekends and holidays, when they are likely to take longer to discover. This compounds the difficulty of promptly assembling and coordinating an experienced mitigation team.

Progent offers an assortment of solutions for protecting enterprises from crypto-ransomware attacks. These include staff training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security appliances with machine learning technology to quickly identify and quarantine zero-day threats. Progent can also provide veteran crypto-ransomware recovery consultants with the track record and commitment to redeploy a compromised system as rapidly as possible.

Progent's Ransomware Recovery Services
After a ransomware attack, even paying the ransom demand in Bitcoin does not ensure that the criminal gang will respond with the keys to decrypt all your data. Kaspersky determined that 17% of crypto-ransomware victims never recovered their files after sending the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is significantly above the typical ransomware demand, which ZDNET estimates to be approximately $13,000. The fallback is to rebuild the essential elements of your IT environment from scratch. Without access to essential system backups, this requires a wide complement of skill sets, top-notch project management, and the willingness to work 24x7 until the job is done.

For two decades, Progent has provided expert IT services for businesses in Charleston and across the U.S. and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who hold high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and major Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP software. This breadth of expertise gives Progent the skills to quickly understand critical systems, organize the surviving parts of your network environment after a ransomware event, and reassemble them into a functioning system.

Progent's security team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and in unison with a customer's management and IT staff to prioritize tasks and bring critical applications back online as fast as possible.

Client Story: A Successful Ransomware Virus Restoration
A client sought out Progent after their company was attacked by the Ryuk ransomware. Ryuk is thought to have been developed by North Korean government-sponsored criminal gangs, possibly using techniques leaked from the United States NSA. Ryuk targets specific organizations with little or no tolerance for disruption and is among the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company located in the Chicago metro area with around 500 employees. The Ryuk attack had disabled all essential operations and manufacturing processes. The majority of the client's backups had been online at the start of the attack and were encrypted. The client considered paying the ransom demand (in excess of two hundred thousand dollars) and hoping for the best, but ultimately called Progent.


"I cannot speak enough in regards to the support Progent provided us throughout the most critical time of (our) company's existence. We may have had to pay the cyber criminals behind the attack if not for the confidence the Progent experts provided us. The fact that you were able to get our e-mail system and production servers back on-line in less than seven days was amazing. Every single expert I spoke to or e-mailed at Progent was laser focused on getting us back on-line and was working day and night on our behalf."

Progent worked with the customer to quickly assess and prioritize the most important services that needed to be restored in order to continue company functions:

  • Windows Active Directory
  • Microsoft Exchange Server
  • MRP System

To begin, Progent followed anti-virus/malware incident mitigation best practices by stopping the spread and removing active malware. Progent then started the work of bringing Microsoft Active Directory back online, as AD is the heart of enterprise systems built on Microsoft Windows Server. Exchange email will not work without AD, and the business's MRP system ran on SQL Server, which depends on Active Directory for authentication and authorization to the data.

In less than two days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then completed the setup and storage recovery of mission-critical servers. All Microsoft Exchange Server schema and configuration information was intact, which facilitated the rebuild of Exchange. Progent was also able to collect unencrypted OST files (Outlook Offline Data Files) from various workstations in order to recover email data. A recent offline backup of the client's accounting/MRP software made it possible to bring these vital applications back online. Although a large amount of work remained to recover fully from the Ryuk attack, core systems were returned to operation quickly:


"For the most part, the assembly line operation survived unscathed and we delivered all customer sales."

During the next month key milestones in the recovery process were made through close cooperation between Progent team members and the customer:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore email archive for Exchange Server, holding more than four million archived emails, was brought online and made accessible to users.
  • CRM/Product Ordering/Invoices/AP/AR/Inventory functions were completely recovered.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Nearly all of the user desktops were fully operational.

"Much of what was accomplished that first week is mostly a haze for me, but our team will not forget the dedication each of your team accomplished to give us our company back. I have trusted Progent for the past 10 years, maybe more, and every time I needed help Progent has impressed me and delivered. This time was a stunning achievement."

Conclusion
A probable business-killing catastrophe was averted through top-tier professionals, a wide range of knowledge, and close teamwork. In hindsight, the crypto-ransomware incident described here would have been identified and stopped with current cybersecurity technology, ISO/IEC 27001 best practices, staff training, and properly executed incident response procedures for data backup and keeping systems current with security patches. The reality, however, is that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you are hit by a ransomware attack, you can be confident that Progent's team of experts has extensive experience in ransomware blocking, removal, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), I'm grateful for making it so I could get some sleep after we got over the initial push. All of you did an amazing effort, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Charleston a variety of online monitoring and security assessment services designed to help you minimize your exposure to crypto-ransomware. These services incorporate next-generation AI technology to uncover new strains of ransomware that evade detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection platform (EPP) that uses next-generation behavior analysis technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and fileless exploits, which easily bypass traditional signature-matching AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a unified platform to address the complete malware attack lifecycle, including protection, detection, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable, in-depth protection for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning to continuously monitor and respond to security attacks from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through cutting-edge tools packaged within one agent managed from a single console. Progent's data protection and virtualization consultants can help you plan and configure a ProSight ESP deployment that meets your organization's unique requirements and that allows you to achieve and demonstrate compliance with legal and industry data protection regulations. Progent will assist you in defining and implementing the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate action. Progent can also help your company install and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly after a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with advanced backup software providers to create ProSight Data Protection Services, a family of offerings that provide backup-as-a-service. ProSight DPS products manage and track your backup processes and enable non-disruptive backup and fast recovery of important files and folders, applications, images, and VMs. ProSight DPS lets you avoid data loss caused by equipment failures, natural disasters, fire, malware such as ransomware, user mistakes, malicious employees, or software bugs. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you determine which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security companies to provide web-based management and world-class security for your inbound and outbound email. The architecture of Progent's Email Guard combines cloud-based filtering with an on-premises gateway appliance to provide complete defense against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound attacks and saves bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a further layer of inspection for inbound email. For outgoing email, the onsite gateway offers AV and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server track and protect internal email that stays inside your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to diagram, track, optimize and troubleshoot their connectivity appliances such as switches, firewalls, and access points, plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology diagrams are always current, backs up and manages the configuration of almost all devices connected to your network, tracks performance, and sends alerts when issues are detected. By automating time-consuming management activities, WAN Watch can cut hours off ordinary chores such as making network diagrams, expanding your network, locating devices that need critical software patches, or isolating performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system operating at peak levels by checking the health of the vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT staff and your Progent consultant so that any looming issues can be addressed before they impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and managed by Progent's network support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Because the environment is virtualized, it can be moved immediately to a different hardware environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard data about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or domains. By updating and managing your network documentation, you can save as much as 50% of the time spent searching for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents required for managing your business network, such as recommended procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're making enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates cutting-edge behavior-based analysis technology to guard endpoints, servers and VMs against modern malware attacks such as ransomware and email phishing, which routinely evade legacy signature-matching AV tools. Progent ASM services protect on-premises and cloud resources and offer a unified platform to automate the complete threat progression, including blocking, detection, mitigation, remediation, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Help Center: Support Desk Managed Services
    Progent's Help Desk managed services allow your IT staff to offload Help Desk services to Progent or to divide responsibility for Service Desk support seamlessly between your internal network support resources and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a smooth extension of your core network support staff. Client access to the Help Desk, provision of technical assistance, escalation, ticket creation and tracking, efficiency measurement, and maintenance of the support database are consistent regardless of whether incidents are handled by your internal IT support group, by Progent, or both. Find out more about Progent's outsourced/co-managed Help Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer organizations of all sizes a flexible and affordable solution for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT network. Besides maximizing the security and reliability of your IT environment, Progent's software/firmware update management services allow your IT team to concentrate on line-of-business projects and tasks that deliver the highest business value from your network. Learn more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA services use Cisco's Duo cloud technology to defend against compromised passwords through two-factor authentication. Duo enables one-tap identity verification on iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you sign into a protected online account and enter your password, you are asked to verify who you are on a device that only you possess and that is reached over a different network channel. A wide range of devices can be used as this added factor, including an iPhone, an Android phone, a smartwatch, a hardware token, or a landline telephone. You can register multiple verification devices. For details about ProSight Duo two-factor identity validation services, see Cisco Duo MFA two-factor authentication services.

For 24-hour Charleston crypto-ransomware recovery help, contact Progent at 800-462-8800 or go to Contact Progent.