Ransomware : Your Crippling IT Nightmare
Ransomware Remediation Professionals
Crypto-ransomware has become a modern cyber pandemic that presents an existential threat to businesses of all sizes. Older crypto-ransomware families and cryptoworms such as Dharma, WannaCry, Locky, SamSam and MongoLock have been circulating for years and still cause harm. Newer strains such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, along with frequent unnamed variants, not only encrypt online data files but also defeat most available system protection mechanisms. Data replicated to off-site disaster recovery sites can also be rendered useless. In a poorly architected environment, this can make automated restore operations impossible and effectively sets the datacenter back to square one.

Bringing applications and data back online after a ransomware outage becomes a race against the clock as the victim fights to contain the damage, eradicate the ransomware, and resume business-critical operations. Because crypto-ransomware needs time to move laterally, attacks are frequently launched on weekends and holidays, when they typically take longer to uncover. This multiplies the difficulty of rapidly assembling and organizing a knowledgeable response team.

Progent provides a variety of services for protecting enterprises from ransomware events. Among these are training team members to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security solutions with machine learning capabilities from SentinelOne to detect and suppress new threats quickly. Progent also provides the assistance of veteran ransomware recovery consultants with the skills and commitment to restore a compromised network as quickly as possible.

Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware event, paying the ransom demand in Bitcoin does not ensure that the criminal gang will provide the keys to decrypt any of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to rebuild the mission-critical components of your IT environment. Without complete data backups, this calls for a broad range of IT skills, professional project management, and the ability to work around the clock until the job is completed.

For decades, Progent has offered certified expert IT services for companies in Corpus Christi and across the US and has earned Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who hold high-level industry certifications in leading technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts hold internationally recognized certifications including CISM, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of experience gives Progent the capability to quickly understand critical systems, consolidate the surviving pieces of your network after a ransomware intrusion, and reassemble them into an operational system.

Progent's ransomware team uses powerful project management tools to coordinate the complex restoration process. Progent understands the urgency of working swiftly and in unison with a customer's management and IT resources to prioritize tasks and put key systems back online as fast as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Virus Response
A business contacted Progent after its network was attacked by Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean state-sponsored cybercriminals, possibly adopting technology leaked from the United States NSA. Ryuk targets specific businesses with little or no tolerance for disruption and is among the most lucrative incarnations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in the Chicago metro area with about 500 employees. The Ryuk attack had paralyzed all essential business and manufacturing operations. Most of the client's data backups had been online at the time of the intrusion and were encrypted. The client was actively seeking loans to pay the ransom demand (in excess of $200K) and hoping for the best, but ultimately engaged Progent.


"I can't say enough about the care Progent gave us throughout the most fearful period of (our) business's life. We would have paid the criminal gangs if it wasn't for the confidence the Progent team gave us. That you were able to get our e-mail and production applications back into operation quicker than five days was beyond my wildest dreams. Every single expert I spoke to or communicated with at Progent was amazingly focused on getting us back on-line and was working 24 by 7 to bail us out."

Progent worked hand in hand with the customer to rapidly assess and prioritize the most important areas that needed to be addressed to make it possible to restart company operations:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Financials/MRP

To start, Progent followed ransomware incident response best practices by stopping lateral movement and cleaning up infected systems. Progent then began rebuilding Microsoft Active Directory, the core of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server email will not operate without Windows AD, and the customer's MRP applications relied on SQL Server, which needs Active Directory for authentication to the database.

Within 2 days, Progent was able to restore Active Directory to its pre-attack state. Progent then assisted with reinstallations and hard drive recovery of key servers. All Exchange schema extensions and attributes were intact, which accelerated the restoration of Exchange. Progent was able to locate local OST files (Microsoft Outlook Offline Folder Files) on various PCs to recover email data. A relatively recent offline backup of the client's financials/ERP systems made it possible to bring these essential services back online for users. Although significant work remained to recover fully from the Ryuk attack, critical systems were restored quickly:


"For the most part, the production line operation was never shut down and we delivered all customer orders."

Over the following few weeks, important milestones in the restoration project were reached in close cooperation between Progent consultants and the client:

  • In-house web sites were returned to operation without losing any data.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was brought online and accessible to users.
  • CRM/Customer Orders/Invoicing/AP/AR/Inventory capabilities were fully recovered.
  • A new Palo Alto 850 firewall was installed.
  • Ninety percent of the user desktops were operational.

"A huge amount of what transpired during the initial response is nearly entirely a fog for me, but we will not forget the urgency each of you accomplished to help get our company back. I have utilized Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered. This event was a Herculean accomplishment."

Conclusion
A potential business extinction disaster was averted thanks to results-oriented experts, a wide spectrum of IT skills, and close teamwork. Although in hindsight the ransomware intrusion described here could have been detected and prevented with modern cyber security technology and best practices, user training, and properly executed procedures for data backup and software patching, the reality is that government-sponsored cyber criminals from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incursion, remember that Progent's roster of professionals has a proven track record in ransomware defense, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were involved), I'm grateful for making it so I could get some sleep after we made it through the initial push. Everyone made a fabulous effort, and if any of you guys are in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Corpus Christi a variety of remote monitoring and security assessment services designed to assist you to minimize your vulnerability to ransomware. These services incorporate next-generation artificial intelligence capability to uncover new variants of ransomware that can get past legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and email phishing, which easily escape legacy signature-based anti-virus products. ProSight ASM protects local and cloud resources and provides a unified platform to automate the entire threat lifecycle including filtering, detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Progent is a certified SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver ultra-affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to security threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device management, and web filtering via leading-edge technologies incorporated within one agent managed from a single control. Progent's data protection and virtualization consultants can help you to plan and configure a ProSight ESP deployment that addresses your company's unique requirements and that helps you achieve and demonstrate compliance with government and industry information protection standards. Progent will help you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent can also help your company to set up and test a backup and restore system like ProSight Data Protection Services so you can get back in business quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore software providers to create ProSight Data Protection Services (DPS), a family of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup processes and allow non-disruptive backup and rapid recovery of critical files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business recover from data loss caused by hardware failures, natural calamities, fire, malware like ransomware, human error, malicious insiders, or software glitches. Managed backup services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you identify which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security vendors to provide centralized control and world-class security for all your email traffic. The hybrid structure of Progent's Email Guard combines a Cloud Protection Layer with a local security gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter acts as a preliminary barricade and keeps most threats from reaching your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a deeper level of inspection for inbound email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The local gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends within your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map, track, optimize and troubleshoot their networking appliances such as switches, firewalls, and access points, plus servers, printers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch makes sure that network diagrams are kept current, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and sends notices when problems are discovered. By automating tedious management and troubleshooting processes, WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, locating devices that need important updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management technology to help keep your network running efficiently by tracking the state of the critical computers that power your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your designated IT management personnel and your Progent consultant so that potential problems can be addressed before they impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and protect information related to your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your network documentation, you can eliminate as much as 50% of the time spent trying to find vital information about your IT network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're making enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that uses next generation behavior-based machine learning tools to guard endpoint devices as well as servers and VMs against modern malware attacks such as ransomware and fileless exploits, which easily evade legacy signature-based AV products. Progent Active Security Monitoring services safeguard local and cloud resources and offer a single platform to address the entire threat progression, including blocking, identification, mitigation, remediation, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new threats. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Help Desk: Call Center Managed Services
    Progent's Help Desk managed services enable your information technology group to outsource Help Desk services to Progent or split responsibilities for support services transparently between your in-house network support group and Progent's extensive roster of IT support technicians, engineers and subject matter experts. Progent's Shared Service Desk provides a transparent supplement to your corporate network support organization. End user interaction with the Help Desk, delivery of support, problem escalation, trouble ticket generation and updates, efficiency metrics, and management of the service database are consistent regardless of whether issues are resolved by your internal support resources, by Progent, or by a combination. Read more about Progent's outsourced/shared Service Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of any size a versatile and affordable alternative for assessing, validating, scheduling, implementing, and tracking updates to your dynamic information network. Besides optimizing the security and functionality of your computer network, Progent's patch management services allow your IT team to focus on more strategic projects and activities that derive the highest business value from your information network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication managed services use Cisco's Duo technology to protect against password theft through two-factor authentication. Duo enables single-tap identity confirmation on Apple iOS, Google Android, and other out-of-band devices. With 2FA, whenever you log into a secured online account and enter your password, you are asked to confirm who you are on a device that only you possess and that uses a separate network channel. A wide range of out-of-band devices can be used for this added form of identity validation, including an iPhone, an Android phone, a smartwatch, a hardware or software token, a landline phone, etc. You may designate multiple verification devices. To find out more about Duo identity authentication services, visit Cisco Duo MFA two-factor authentication services for access security.

For Corpus Christi 24x7x365 Crypto Cleanup Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.