Ransomware: Your Worst Information Technology Catastrophe
Ransomware Recovery Professionals

Ransomware has become an escalating cyber plague and an enterprise-level threat for organizations unprepared for an attack. Older families such as CryptoLocker, WannaCry, Locky and MongoLock have been around for years and still inflict damage. Newer families such as Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Egregor, along with many lesser-known variants, not only encrypt online data but also seek out and disable any protection mechanism they can reach, including online backups and volume shadow copies. Files synchronized to cloud storage can be rendered useless as well, because the sync client faithfully replicates the encrypted versions unless the service keeps prior file versions. In a poorly architected environment this leaves automated recovery hopeless and effectively sets the datacenter back to square one.

Restoring services and data after a crypto-ransomware outage is a race against the clock as the targeted business fights to contain the damage, remove the ransomware and restore business-critical operations. Because attackers need time to move laterally and stage the payload, encryption is frequently triggered at night or over a weekend, when it takes longer for anyone to notice. This compounds the difficulty of quickly mobilizing and organizing a qualified response team.

Progent provides a variety of services for protecting enterprises from ransomware. These include user education to help staff recognize and avoid phishing, ProSight Active Security Monitoring (ASM), a managed endpoint protection service built on SentinelOne's behavior-based machine learning engine that detects and stops new threats rapidly, and installation and configuration of current-generation security gateways. Progent also provides experienced crypto-ransomware recovery professionals with the skills and stamina to rebuild a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Restoration Help
After a crypto-ransomware attack, paying the ransom in Bitcoin does not guarantee that the criminals will hand over working decryption keys for any or all of your data, and the decryptors they supply are often slow and unreliable. Kaspersky estimated that 17% of ransomware victims never recovered their files even after paying, adding to their losses. Paying is also expensive. Ryuk ransoms commonly range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The other path is to rebuild the mission-critical parts of your IT environment. Without complete, uncompromised backups, this requires a broad range of IT skills, well-coordinated project management, and the willingness to work around the clock until the job is done.

For two decades, Progent has provided professional IT services to businesses in Cleveland and throughout the United States and holds Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers with advanced industry certifications in key technologies including Microsoft, Cisco, VMware and popular Linux distributions. Progent's cyber security consultants hold internationally recognized certifications including CISA, CISSP, ISACA CRISC and GIAC (see Progent's certifications). Progent also has experience with financial systems and ERP software. This breadth of expertise gives Progent the skills to rapidly identify critical systems, gather the surviving pieces of your IT environment after a ransomware intrusion, and rebuild them into an operational network.

Progent's recovery group uses proven project management systems to orchestrate the complicated recovery process. Progent appreciates the urgency of working rapidly and in concert with a customer's management and IT staff to prioritize tasks and bring key systems back online as soon as possible.

Case Study: A Successful Ransomware Penetration Restoration
A client engaged Progent after its organization was hit by Ryuk ransomware. Ryuk was initially linked to North Korea because it shares code with the earlier Hermes ransomware, but later analysis attributes its operation to Russian-speaking criminal crews (tracked as Wizard Spider), who typically gain a foothold through a TrickBot or Emotet infection and deploy Ryuk by hand once they hold domain administrator credentials. Ryuk goes after specific organizations with little tolerance for operational disruption and is one of the most profitable incarnations of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had shut down all essential business and manufacturing operations. Most of the client's backups had been online (reachable from the network) when the attack began and were encrypted along with the production data. The client was arranging financing to pay the ransom demand (more than $200,000) and hoping for the best, but in the end reached out to Progent.


"I can't thank you enough for the expertise Progent gave us during the most critical time of (our) business's life. We would have had little choice but to pay the cyber criminals behind the attack except for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and essential applications back in less than one week was amazing. Each consultant I interacted with or communicated with at Progent was amazingly focused on getting our company operational and was working at all hours to bail us out."

Progent worked hand in hand with the client to rapidly assess and prioritize the mission-critical systems that had to be restored before business functions could resume:

  • Active Directory (AD)
  • Microsoft Exchange
  • Accounting and Manufacturing Software
To begin, Progent followed standard incident response practice: isolating affected hosts to halt lateral movement, then removing the malware from systems. Progent then started rebuilding Microsoft Active Directory, the core of any enterprise environment built on Windows. Exchange will not run without Active Directory, and the client's accounting and MRP system ran on Microsoft SQL Server, which relied on Active Directory for authenticated access to its data.

In less than two days, Progent rebuilt Active Directory to its pre-intrusion state. Because Ryuk operators typically hold domain administrator credentials for days or weeks before they trigger encryption, a directory restored from backup has to be treated as still compromised until all privileged passwords and the krbtgt account have been reset (twice, to invalidate forged Kerberos tickets) and unexpected accounts and group memberships have been reviewed. Progent then helped perform reinstallations and storage recovery on critical systems. The Exchange Server schema extensions and attributes in Active Directory were intact, which simplified the Exchange restore. Progent was also able to collect intact OST files (Outlook Offline Data Files) from various desktop computers and laptops in order to recover mailbox data. A reasonably recent offline backup of the accounting/ERP system made it possible to bring those required services back online. Although considerable work remained to recover completely from the Ryuk damage, essential systems were restored quickly:


"For the most part, the assembly line operation ran fairly normally throughout and we made all customer orders."
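The OST harvest described above is only useful if you know which cached mailbox files on the workstations survived the encryption run. The PowerShell script below is an added example, not Progent's tooling. It fans out over a list of workstations via WinRM, finds Outlook OST/PST files under the user profiles (including ones the ransomware has renamed with its own extension), and reports whether each still begins with the "!BDN" signature every PST/OST carries and whether its first 64 KB looks like plaintext mailbox data or ciphertext. The host names, the profile root and the entropy threshold are assumptions for illustration; WinRM and local administrator rights on each host are assumed too.

```powershell
# Triage-OstFiles.ps1 (added example, not Progent's tooling)
# Locate Outlook OST/PST files on a set of workstations and report which are still intact.
# Assumptions: WinRM enabled, caller is local admin on each host, profiles under C:\Users,
# host names are placeholders.
param(
    [string[]]$ComputerName = @('WS-ACCT-01', 'WS-ENG-07'),   # placeholder host names
    [string]$ReportPath = '.\ost-triage.csv'
)

$scan = {
    # Match renamed files too: most ransomware families append their own extension (Ryuk uses .RYK).
    Get-ChildItem -Path 'C:\Users' -Recurse -Include '*.ost*', '*.pst*' -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Read only the first 64 KB: enough to check the header and estimate entropy.
        $buf = New-Object byte[] 65536
        $fs  = [System.IO.File]::Open($_.FullName, 'Open', 'Read', 'ReadWrite')
        try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }

        # Every PST/OST starts with the bytes 21 42 44 4E ("!BDN"), i.e. dwMagic = 0x4E444221 little-endian.
        $headerOk = ($n -ge 4) -and ([BitConverter]::ToUInt32($buf, 0) -eq 0x4E444221)

        # Shannon entropy of the sample: intact mailbox structures stay well below 8 bits/byte,
        # ciphertext approaches 8. The 7.5 cut-off is a heuristic chosen for this example.
        $counts = New-Object int[] 256
        for ($i = 0; $i -lt $n; $i++) { $counts[$buf[$i]]++ }
        $h = 0.0
        foreach ($c in $counts) {
            if ($c -gt 0) { $p = $c / $n; $h -= $p * [Math]::Log($p, 2) }
        }

        $verdict = 'intact'
        if ($h -ge 7.5)     { $verdict = 'header present but high entropy (suspect)' }
        if (-not $headerOk) { $verdict = 'no Outlook header (likely encrypted)' }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Path      = $_.FullName
            SizeMB    = [math]::Round($_.Length / 1MB, 1)
            LastWrite = $_.LastWriteTime
            HeaderOk  = $headerOk
            Entropy   = [math]::Round($h, 2)
            Verdict   = $verdict
        }
      }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $scan -ErrorAction Continue
$results | Sort-Object Verdict, Computer, Path |
    Select-Object Computer, Path, SizeMB, LastWrite, HeaderOk, Entropy, Verdict |
    Export-Csv -NoTypeInformation -Path $ReportPath

# Candidates to copy to the recovery share before users log on and Outlook starts rewriting them.
$results | Where-Object Verdict -eq 'intact' | Format-Table Computer, Path, SizeMB, LastWrite -AutoSize
```

Run it before workstations are handed back to users, because Outlook will try to resynchronize the OST against the rebuilt mailbox on first launch. Keep in mind that an OST is a cache tied to the mailbox and profile it was created for; getting its contents back into a rebuilt Exchange mailbox means either reattaching it to the original profile with the server offline and exporting to PST, or using a third-party OST-to-PST converter. The LastWrite column tells you how recent each cache is, which is what decides whether it is worth the effort.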

Over the following month, important milestones in the recovery were completed in close cooperation between Progent consultants and the client:

  • Self-hosted web sites were restored without any data loss.
  • The MailStore Server archive, holding more than 4 million historical emails, was brought back online and made available to users.
  • CRM, customer orders, invoicing, accounts payable, accounts receivable and inventory control were fully restored.
  • A new Palo Alto Networks PA-850 firewall was installed.
  • Ninety percent of the desktop computers were functioning as they had before the incident.

"A lot of what occurred in the initial days is nearly entirely a blur for me, but we will not forget the care each and every one of you took to help get our business back. I have trusted Progent for at least 10 years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A potential business catastrophe was averted through results-oriented experts, a broad array of subject matter expertise, and close collaboration. In hindsight, the intrusion described here could have been stopped with modern security technology and best practices, user and IT administrator training, and well-designed procedures for offline data backup and patch management, but the fact is that criminal and state-sponsored cyber gangs operating from Russia, North Korea, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware intrusion, you can be confident that Progent's team has extensive experience in crypto-ransomware defense, mitigation, and information systems recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thanks very much for allowing me to get rested after we got past the first week. Everyone did an amazing job, and if any of you guys are visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Cleveland with a portfolio of online monitoring and security evaluation services designed to minimize the threat from ransomware. These include behavior-based machine learning technology to detect zero-day strains of crypto-ransomware that get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that uses SentinelOne's behavior-based machine learning technology to defend physical and virtual endpoints against modern malware such as ransomware and phishing payloads, which easily evade traditional signature-matching anti-virus tools. ProSight ASM safeguards on-premises and cloud resources and offers a single platform covering the entire threat lifecycle: blocking, intrusion detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Rollback depends on the shadow copies themselves surviving the attack, so the agent has to intercept the ransomware before it deletes them. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and respond to attacks across all attack vectors. ProSight ESP provides firewall protection, intrusion alerts, device control, and web filtering through leading-edge tools packaged within one agent managed from a single console. Progent's data protection and virtualization consultants can help you plan and configure a ProSight ESP deployment that addresses your organization's needs and helps you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and implement the policies that ProSight ESP enforces, and will monitor your network and respond to alerts that call for immediate attention. Progent can also help you set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup software providers to produce ProSight Data Protection Services (DPS), a family of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup operations and enable non-disruptive backup and fast restoration of important files/folders, applications, images, plus virtual machines. ProSight DPS helps your business recover from data loss caused by equipment breakdown, natural calamities, fire, malware like ransomware, user mistakes, ill-intentioned employees, or software glitches. Managed services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security companies to provide centralized control and world-class protection for all your email traffic. Email Guard's architecture combines a Cloud Protection Layer with an on-premises security gateway appliance to provide layered defense against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as the first barrier and keeps the vast majority of unwanted email from ever reaching your network firewall. This reduces your exposure to inbound threats and saves bandwidth and storage. Email Guard's on-premises gateway appliance provides a further level of analysis for incoming email. For outgoing email, the local gateway provides anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-site gateway can also help Exchange Server monitor and protect internal email traffic that never leaves your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, enhance and debug their networking appliances like routers and switches, firewalls, and access points as well as servers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are always current, captures and displays the configuration of almost all devices connected to your network, tracks performance, and generates notices when issues are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can knock hours off ordinary tasks such as making network diagrams, reconfiguring your network, finding appliances that need critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to keep your IT system running at peak levels by tracking the health of vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your specified IT staff and your Progent consultant so any potential issues can be resolved before they have a chance to impact productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting environment without a time-consuming and difficult reconfiguration. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, retrieve and safeguard data about your IT infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or domains. By cleaning up and managing your IT documentation, you can eliminate up to half of time spent looking for vital information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents related to managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you require when you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that uses behavior-based analysis to guard endpoint devices and physical and virtual servers against new malware such as ransomware and phishing payloads, which easily evade traditional signature-based anti-virus tools. It protects on-premises and cloud resources and offers a unified platform covering the complete attack lifecycle: blocking, intrusion detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Center: Call Center Managed Services
    Progent's Service Desk services let your information technology group offload help desk support to Progent or split service desk activity transparently between your in-house network support staff and Progent's extensive roster of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a seamless supplement to your corporate support resources. User access to the Service Desk, delivery of support services, problem escalation, trouble ticket creation and tracking, performance metrics, and management of the service database are consistent regardless of whether incidents are handled by your core network support staff, by Progent, or by a mix of the two. Find out more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management provide businesses of all sizes a versatile and cost-effective alternative for evaluating, testing, scheduling, implementing, and documenting updates to your ever-evolving information network. Besides optimizing the protection and reliability of your computer network, Progent's software/firmware update management services permit your in-house IT staff to concentrate on line-of-business initiatives and tasks that derive the highest business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication services use Cisco's Duo technology to defend against stolen passwords with two-factor authentication. Duo supports one-tap identity verification on iOS, Android, and other personal devices. With 2FA, when you log into a protected application and supply your password you are asked to confirm your identity on a device that only you possess and that communicates over a separate channel. A wide selection of out-of-band devices can serve as this second factor, including an iPhone, Android phone or smartwatch, a hardware token, or a landline telephone, and you can register several verification devices. For administrator accounts, a hardware token is preferable to phone-call or SMS verification, which can be intercepted or socially engineered. To learn more about ProSight Duo two-factor identity validation services, go to Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing suite of real-time and in-depth management reporting plug-ins created to work with the leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues like spotty support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
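The single-click VSS rollback offered by ProSight Active Security Monitoring and Progent Active Defense Against Ransomware only helps if the shadow copies are still there, and most ransomware families run vssadmin, wmic or wbadmin to destroy them (and often bcdedit to disable Windows recovery) before encryption begins. The PowerShell script below is an added example, not Progent's or SentinelOne's code. It lists the shadow copies that survive on a host and hunts the Security log for the process-creation events of those destructive commands. It assumes the host audits process creation (event 4688) with command-line logging enabled and that the script runs with administrator rights; the 14-day look-back and the regex list are choices made for this example.

```powershell
# Check-ShadowCopies.ps1 (added example, not Progent's or SentinelOne's code)
# 1. List the shadow copies still present on this host.
# 2. Hunt Security event 4688 for the commands ransomware uses to destroy shadow copies and recovery options.
# Assumes: run as administrator; "Audit Process Creation" enabled with "Include command line in
# process creation events". Without that policy the hunt returns nothing, which is NOT evidence of safety.

function Get-ShadowCopyStatus {
    # Map each shadow copy back to the drive letter of the volume it protects.
    $volumes = @{}
    Get-CimInstance -ClassName Win32_Volume | Where-Object DriveLetter |
        ForEach-Object { $volumes[$_.DeviceID] = $_.DriveLetter }
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Volume   = $volumes[$_.VolumeName]
            Created  = $_.InstallDate
            ShadowId = $_.ID
        }
    }
}

function Find-ShadowDestruction {
    param([datetime]$Since = (Get-Date).AddDays(-14))   # look-back window chosen for this example
    # Command lines commonly executed before encryption starts (case-insensitive regex match).
    $patterns = @(
        'vssadmin(\.exe)?\s+delete\s+shadows',
        'vssadmin(\.exe)?\s+resize\s+shadowstorage',
        'wmic(\.exe)?\s+shadowcopy\s+delete',
        'Win32_ShadowCopy.*\bDelete\b',                       # WMI/PowerShell variant of the same thing
        'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)',
        'bcdedit(\.exe)?.*recoveryenabled\s+no',
        'bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures'
    )
    $regex = $patterns -join '|'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4688 carries its fields as <Data Name="..."> elements; CommandLine is present only with the audit policy above.
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
            if ($cmd -and $cmd -imatch $regex) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
                    Parent  = ($data | Where-Object Name -eq 'ParentProcessName').'#text'   # empty on older Windows
                    Command = $cmd
                }
            }
        }
}

$shadows = @(Get-ShadowCopyStatus)
$hits    = @(Find-ShadowDestruction)

"Surviving shadow copies: $($shadows.Count)"
$shadows | Sort-Object Volume, Created | Format-Table -AutoSize

if ($hits.Count -gt 0) {
    "Shadow-copy destruction commands found; VSS rollback cannot be trusted on this host:"
    $hits | Sort-Object Time | Format-Table -AutoSize -Wrap
} elseif ($shadows.Count -eq 0) {
    "No shadow copies exist. Recovery needs an offline or immutable backup instead."
}
```

A hit from the second function is also a high-confidence detection in its own right: legitimate administrators very rarely delete all shadow copies from a script, and an interactive vssadmin delete run under a service account or from an unexpected parent process is worth an alert long before any file is encrypted. If 4688 command-line auditing is not available, Sysmon event 1 carries the same CommandLine and ParentImage fields and the regex list applies unchanged.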
For 24x7x365 Cleveland Crypto-Ransomware Removal Experts, contact Progent at 800-462-8800 or go to Contact Progent.