Ransomware: Your Feared Information Technology Nightmare
Ransomware Remediation Experts

Ransomware has become a modern cyberplague that represents an enterprise-level threat for organizations unprepared for an assault. Multiple generations of crypto-ransomware such as Dharma, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been circulating for many years and still inflict destruction. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Egregor, as well as frequent unnamed newcomers, not only encrypt online data files but also infiltrate all accessible system backups. Information replicated to the cloud can also be held hostage. In a poorly architected environment, this can make automatic restoration impossible and effectively knocks the entire system back to zero.

Recovering applications and information after a ransomware attack becomes a sprint against time as the victim tries its best to contain the damage, remove the malware, and resume enterprise-critical activity. Because crypto-ransomware needs time to move laterally, attacks are often sprung on weekends, when intrusions tend to take longer to detect. This compounds the difficulty of promptly assembling and coordinating an experienced mitigation team.

Progent has a range of services for securing enterprises against crypto-ransomware intrusions. These include team training to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of the latest generation of security solutions with machine learning capabilities from SentinelOne to identify and neutralize zero-day cyber attacks automatically. Progent also provides the services of seasoned ransomware recovery professionals with the skills and commitment to restore a breached network as quickly as possible.

Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom in cryptocurrency does not provide any assurance that the cyber criminals will hand over the keys to decrypt any of your files. Kaspersky estimated that seventeen percent of ransomware victims never restored their data after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms are often a few hundred thousand dollars. For larger enterprises, the ransom demand can be in the millions of dollars. The other path is to piece back together the key elements of your IT environment. Without the availability of essential system backups, this requires a wide range of IT skills, well-coordinated project management, and the capability to work continuously until the job is done.

For decades, Progent has provided expert Information Technology services for businesses across the United States and has achieved Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have been awarded top industry certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security specialists have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, GIAC, and CMMC 2.0. (See Progent's certifications.) Progent also has experience in accounting and ERP applications. This breadth of expertise gives Progent the ability to rapidly identify the essential systems, organize the surviving pieces of your computer network environment after a crypto-ransomware attack, and configure them into an operational system.

Progent's recovery team deploys state-of-the-art project management systems to coordinate the complicated recovery process. Progent knows the urgency of working quickly and together with a customer's management and Information Technology staff to assign priority to tasks and to get essential systems back online as soon as humanly possible.

Business Case Study: A Successful Ransomware Virus Restoration
A client engaged Progent after their network was attacked by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored cybercriminals, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with limited tolerance for operational disruption and is one of the most profitable ransomware families. Well-known targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago with about 500 workers. The Ryuk attack had brought down all business operations and manufacturing processes. The majority of the client's data backups had been online at the time of the intrusion and were eventually encrypted. The client was actively seeking loans to pay the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but in the end engaged Progent instead.

"I cannot speak enough about the support Progent gave us during the most fearful time of (our) business's life. We would have paid the cybercriminals except for the confidence the Progent experts provided us. The fact that you could get our e-mail and critical applications back faster than 1 week was amazing. Every single staff member I spoke to or e-mailed at Progent was laser focused on getting us restored and was working all day and night on our behalf."

Progent worked together with the client to quickly determine and assign priority to the essential services that had to be restored to make it possible to continue business operations:

  • Active Directory (AD)
  • Email
  • MRP System

To begin, Progent followed ransomware incident mitigation best practices by isolating the affected systems and cleaning them of malware. Progent then initiated the process of restoring Microsoft Active Directory, the foundation of enterprise systems built on Microsoft technology. Microsoft Exchange Server email will not operate without AD, and the client's accounting and MRP system used Microsoft SQL Server, which relies on Active Directory for authentication to the databases.

Within 2 days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then completed the setup and disk recovery of the required servers. All Exchange Server links and configuration information were intact, which facilitated the rebuild of Exchange. Progent was able to gather unencrypted OST files (Outlook Offline Data Files) from staff PCs and laptops to recover mail data. A reasonably recent offline backup of the company's financials/MRP software made it possible to bring these vital applications back online for users. Although a large amount of work remained to recover fully from the Ryuk attack, the most important systems were returned to operation quickly:

"For the most part, the assembly line operation never missed a beat and we made all customer shipments."

Over the following few weeks, important milestones in the restoration process were reached through tight collaboration between Progent consultants and the customer:

  • Self-hosted web applications were brought back up with no loss of data.
  • The MailStore Server with over four million historical emails was brought online and available for users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control modules were 100 percent operational.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Nearly all of the user workstations were back in use by staff.

"Much of what was accomplished in the initial days is mostly a haze for me, but my management will not forget the urgency all of the team accomplished to give us our company back. I have been working with Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A likely business-ending catastrophe was avoided through the efforts of hard-working professionals, a wide range of subject matter expertise, and tight collaboration. In hindsight, the crypto-ransomware intrusion described here should have been stopped by up-to-date cyber security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, team education, appropriate incident response procedures for data protection, and proper patching controls. Nevertheless, state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incident, remember that Progent's roster of professionals has a proven track record in ransomware defense, cleanup, and data restoration.

"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thank you for making it so I could get rested after we made it past the initial push. Everyone did an incredible effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this ransomware incident report, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Columbus a variety of online monitoring and security evaluation services to help you to reduce your vulnerability to crypto-ransomware. These services utilize modern artificial intelligence capability to detect new variants of ransomware that are able to escape detection by legacy signature-based security solutions.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to keep your IT system running efficiently by checking the health of critical assets that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted immediately to your specified IT management staff and your Progent consultant so that any potential issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight LAN Watch with NinjaOne RMM: Unified RMM Solution for Networks, Servers, and Workstations
    ProSight LAN Watch with NinjaOne RMM software delivers a unified, cloud-based solution for monitoring and managing your client-server infrastructure by providing tools for streamlining common time-consuming tasks. These can include health monitoring, update management, automated remediation, endpoint deployment, backup and restore, A/V defense, secure remote access, built-in and custom scripts, resource inventory, endpoint status reports, and troubleshooting help. If ProSight LAN Watch with NinjaOne RMM identifies a serious incident, it sends an alarm to your specified IT management personnel and your Progent consultant so potential problems can be fixed before they interfere with productivity. Learn more about ProSight LAN Watch with NinjaOne RMM server and desktop remote monitoring consulting.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller businesses to map, monitor, optimize and troubleshoot their connectivity hardware like routers, firewalls, and wireless controllers plus servers, printers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are kept current, copies and manages the configuration information of virtually all devices on your network, monitors performance, and generates alerts when issues are detected. By automating time-consuming network management activities, ProSight WAN Watch can cut hours off ordinary chores like network mapping, reconfiguring your network, finding devices that need important software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing suite of in-depth management reporting tools created to work with the top ticketing and remote network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues such as spotty support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring platforms.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with leading backup software companies to create ProSight Data Protection Services (DPS), a family of subscription-based offerings that provide backup-as-a-service. ProSight DPS services automate and monitor your backup operations and enable transparent backup and rapid recovery of vital files, applications, images, and virtual machines. ProSight DPS helps you protect against data loss resulting from equipment breakdown, natural calamities, fire, malware such as ransomware, user mistakes, ill-intentioned employees, or application glitches. Managed backup services available in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security vendors to deliver web-based management and comprehensive protection for all your inbound and outbound email. The layered structure of Email Guard combines a Cloud Protection Layer with an on-premises security gateway device to offer advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to inbound attacks and saves system bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further level of inspection for inbound email. For outgoing email, the onsite security gateway offers AV and anti-spam filtering, DLP, and email encryption. The local gateway can also assist Exchange Server to track and safeguard internal email traffic that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans use Cisco's Duo cloud technology to protect against stolen passwords with two-factor authentication (2FA). Duo enables one-tap identity confirmation on iOS, Google Android, and other personal devices. With Duo 2FA, whenever you sign into a secured application and give your password, you are asked to verify your identity via a device that only you have and that is reached over a separate network channel. A broad selection of devices can be used as this second means of ID validation, including an iPhone, Android phone or wearable, a hardware token, or a landline telephone. You can designate multiple validation devices. For more information about ProSight Duo identity authentication services, see Duo MFA two-factor authentication services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Help Desk services enable your information technology group to offload Help Desk services to Progent or divide Help Desk activity seamlessly between your internal network support resources and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent extension of your corporate support team. End user interaction with the Help Desk, provision of support services, escalation, trouble ticket generation and tracking, performance measurement, and maintenance of the support database are consistent regardless of whether incidents are resolved by your internal network support group, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Help Desk services.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates next-generation behavior-based machine learning technology to guard endpoints as well as physical and virtual servers against modern malware assaults such as ransomware and email phishing, which routinely get past legacy signature-based anti-virus products. Progent Active Security Monitoring services protect on-premises and cloud resources and offer a unified platform to address the entire malware attack progression, including protection, infiltration detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and recovery services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and protect information about your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted automatically about upcoming expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save up to half of the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents required for managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and associating IT information. Whether you're making enhancements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require as soon as you need it. Read more about Progent's ProSight IT Asset Management service.

  • Patch Management: Patch Management Services
    Progent's support services for patch management provide organizations of any size a versatile and cost-effective alternative for evaluating, validating, scheduling, applying, and tracking updates to your dynamic information network. In addition to optimizing the security and reliability of your IT environment, Progent's patch management services permit your IT team to concentrate on more strategic projects and activities that deliver the highest business value from your information network. Learn more about Progent's patch management services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the OS platforms, and the apps. Since the system is virtualized, it can be ported easily to an alternate hosting solution without requiring a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's next generation behavior machine learning technology to defend physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely evade traditional signature-matching anti-virus tools. ProSight ASM protects local and cloud resources and offers a single platform to address the entire threat progression including blocking, infiltration detection, containment, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer economical in-depth security for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge technologies packaged within a single agent accessible from a unified console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP deployment that addresses your organization's unique requirements and that allows you to prove compliance with legal and industry data protection standards. Progent will assist you in defining and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require immediate attention. Progent can also help your company install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

For Columbus 24-Hour Crypto-Ransomware Repair Consulting, call Progent at 800-462-8800 or go to Contact Progent.