Ransomware : Your Worst Information Technology Catastrophe
Ransomware  Recovery ExpertsRansomware has become a modern cyberplague that represents an existential threat for businesses poorly prepared for an attack. Different iterations of ransomware such as Reveton, Fusob, Locky, Syskey and MongoLock cryptoworms have been replicating for years and still cause harm. More recent variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, as well as more as yet unnamed malware, not only encrypt online information but also infect all available system restores and backups. Files replicated to cloud environments can also be corrupted. In a poorly architected data protection solution, it can make automatic restore operations hopeless and effectively knocks the datacenter back to zero.

Getting back programs and information following a crypto-ransomware event becomes a race against time as the targeted business fights to contain the damage and cleanup the virus and to resume enterprise-critical operations. Because ransomware needs time to replicate, penetrations are frequently sprung during weekends and nights, when successful attacks in many cases take more time to detect. This multiplies the difficulty of quickly assembling and coordinating a knowledgeable mitigation team.

Progent makes available a range of support services for protecting organizations from ransomware events. Among these are user training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of the latest generation security gateways with artificial intelligence technology from SentinelOne to detect and disable zero-day cyber threats rapidly. Progent in addition provides the services of veteran ransomware recovery consultants with the skills and perseverance to re-deploy a compromised network as urgently as possible.

Progent's Crypto-Ransomware Restoration Services
Subsequent to a crypto-ransomware event, paying the ransom demands in cryptocurrency does not ensure that cyber hackers will provide the codes to decrypt any of your data. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their data after having paid the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the usual ransomware demands, which ZDNET determined to be around $13,000. The alternative is to setup from scratch the mission-critical parts of your Information Technology environment. Absent access to complete system backups, this calls for a wide range of IT skills, professional team management, and the willingness to work non-stop until the job is over.

For decades, Progent has provided expert Information Technology services for companies in Corpus Christi and across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded advanced industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity specialists have earned internationally-recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience in accounting and ERP application software. This breadth of experience provides Progent the skills to efficiently understand critical systems and consolidate the remaining pieces of your network environment following a crypto-ransomware event and rebuild them into a functioning system.

Progent's recovery team of experts utilizes state-of-the-art project management systems to orchestrate the sophisticated restoration process. Progent understands the importance of acting swiftly and together with a client's management and Information Technology staff to prioritize tasks and to put the most important applications back on-line as soon as humanly possible.

Case Study: A Successful Ransomware Attack Recovery
A client hired Progent after their network was penetrated by Ryuk ransomware virus. Ryuk is thought to have been developed by Northern Korean government sponsored cybercriminals, suspected of using approaches leaked from the United States National Security Agency. Ryuk attacks specific businesses with little or no room for operational disruption and is one of the most lucrative iterations of ransomware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company based in Chicago and has around 500 staff members. The Ryuk event had shut down all company operations and manufacturing processes. The majority of the client's information backups had been directly accessible at the start of the intrusion and were eventually encrypted. The client was taking steps for paying the ransom (exceeding $200K) and hoping for the best, but in the end utilized Progent.


"I cannot thank you enough in regards to the care Progent provided us throughout the most critical period of (our) company's survival. We had little choice but to pay the hackers behind this attack if not for the confidence the Progent team gave us. The fact that you were able to get our e-mail and important applications back on-line in less than seven days was beyond my wildest dreams. Each expert I got help from or e-mailed at Progent was absolutely committed on getting us restored and was working all day and night on our behalf."

Progent worked hand in hand the customer to rapidly understand and prioritize the most important areas that had to be recovered to make it possible to continue departmental operations:

  • Active Directory (AD)
  • Electronic Messaging
  • MRP System
To start, Progent adhered to Anti-virus event response industry best practices by stopping the spread and removing active viruses. Progent then initiated the task of restoring Active Directory, the foundation of enterprise environments built upon Microsoft Windows technology. Microsoft Exchange Server messaging will not function without Active Directory, and the client's accounting and MRP system leveraged Microsoft SQL, which depends on Active Directory for access to the information.

Within 2 days, Progent was able to re-build Windows Active Directory to its pre-penetration state. Progent then helped perform rebuilding and storage recovery on the most important applications. All Microsoft Exchange Server ties and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to collect intact OST data files (Microsoft Outlook Offline Folder Files) on staff workstations and laptops to recover email information. A recent off-line backup of the businesses financials/ERP software made them able to recover these required applications back online. Although a large amount of work still had to be done to recover completely from the Ryuk damage, critical services were returned to operations quickly:


"For the most part, the production line operation ran fairly normal throughout and we delivered all customer deliverables."

Over the following couple of weeks key milestones in the restoration project were accomplished in close cooperation between Progent team members and the customer:

  • In-house web sites were returned to operation with no loss of data.
  • The MailStore Server exceeding four million archived messages was spun up and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were completely operational.
  • A new Palo Alto 850 security appliance was deployed.
  • 90% of the user desktops and notebooks were functioning as before the incident.

"So much of what went on that first week is nearly entirely a haze for me, but we will not soon forget the care all of your team accomplished to give us our company back. I have trusted Progent for the past 10 years, maybe more, and every time Progent has shined and delivered as promised. This time was a stunning achievement."

Conclusion
A potential business catastrophe was dodged with results-oriented professionals, a wide array of IT skills, and tight collaboration. Although in hindsight the ransomware penetration described here could have been shut down with modern cyber security systems and ISO/IEC 27001 best practices, user training, and appropriate security procedures for information protection and applying software patches, the fact remains that government-sponsored cybercriminals from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incursion, feel confident that Progent's team of experts has substantial experience in ransomware virus defense, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for allowing me to get rested after we made it over the initial push. All of you did an incredible job, and if any of your team is in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Corpus Christi a variety of remote monitoring and security evaluation services designed to assist you to minimize your vulnerability to ransomware. These services include modern machine learning capability to uncover new strains of ransomware that can evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus products. ProSight ASM protects local and cloud-based resources and offers a unified platform to manage the complete malware attack lifecycle including filtering, identification, mitigation, cleanup, and forensics. Top capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering via cutting-edge technologies incorporated within one agent accessible from a single control. Progent's data protection and virtualization consultants can help your business to plan and implement a ProSight ESP deployment that addresses your company's specific needs and that allows you prove compliance with government and industry data protection regulations. Progent will assist you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for immediate attention. Progent's consultants can also assist you to set up and test a backup and restore system such as ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with advanced backup/restore technology companies to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your data backup operations and allow non-disruptive backup and rapid restoration of important files/folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business avoid data loss resulting from equipment breakdown, natural disasters, fire, cyber attacks like ransomware, human mistakes, malicious employees, or software glitches. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security vendors to provide centralized control and world-class security for your inbound and outbound email. The hybrid architecture of Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to provide complete protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most threats from reaching your security perimeter. This decreases your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway device adds a further layer of inspection for inbound email. For outbound email, the local security gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Exchange Server to track and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to diagram, monitor, enhance and troubleshoot their connectivity hardware such as routers and switches, firewalls, and load balancers plus servers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that infrastructure topology maps are kept updated, copies and displays the configuration of almost all devices on your network, monitors performance, and sends alerts when issues are discovered. By automating tedious network management processes, WAN Watch can knock hours off ordinary chores such as making network diagrams, expanding your network, finding appliances that need critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management techniques to keep your network running efficiently by tracking the state of vital computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your designated IT management personnel and your Progent consultant so that all potential problems can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure fault tolerant data center on a fast virtual host set up and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be moved immediately to an alternate hosting environment without requiring a lengthy and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect information related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSLs or domains. By cleaning up and managing your IT documentation, you can eliminate up to 50% of time wasted searching for critical information about your IT network. ProSight IT Asset Management features a common location for holding and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're planning enhancements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need the instant you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates next generation behavior-based machine learning tools to guard endpoints and physical and virtual servers against new malware assaults such as ransomware and email phishing, which routinely escape traditional signature-matching AV products. Progent ASM services protect on-premises and cloud-based resources and provides a single platform to automate the entire malware attack progression including blocking, infiltration detection, containment, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Call Center Managed Services
    Progent's Call Desk managed services permit your IT group to offload Call Center services to Progent or divide activity for Service Desk support seamlessly between your in-house support team and Progent's nationwide roster of IT service engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a seamless extension of your internal network support organization. Client access to the Help Desk, delivery of support, escalation, ticket generation and updates, efficiency measurement, and management of the service database are consistent whether issues are taken care of by your internal support staff, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Call Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management provide organizations of all sizes a flexible and cost-effective solution for assessing, testing, scheduling, applying, and documenting updates to your ever-evolving information network. Besides optimizing the security and reliability of your IT environment, Progent's patch management services free up time for your IT team to focus on line-of-business initiatives and tasks that deliver maximum business value from your information network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. Using 2FA, when you sign into a secured application and enter your password you are asked to verify who you are on a unit that only you have and that uses a different network channel. A wide range of devices can be used for this added means of ID validation such as an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You can register multiple verification devices. To learn more about ProSight Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services.
For 24-Hour Corpus Christi Crypto Repair Consultants, contact Progent at 800-462-8800 or go to Contact Progent.