Ransomware: Your Worst Information Technology Disaster
Ransomware has become an all-too-frequent cyber pandemic that presents an existential danger for businesses unprepared for an attack. Older crypto-ransomware families such as CrySIS, Fusob, Locky, SamSam and MongoLock have been around for many years and still inflict damage. Recent variants such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, as well as daily unnamed malware, not only encrypt online data files but also go after any reachable system protection mechanisms. Files synced to cloud environments can be rendered useless as well. In a vulnerable environment, this defeats automated recovery and effectively knocks the datacenter back to square one.

Recovering applications and data after a ransomware outage is a race against time: the victim must stop lateral movement, remove the ransomware, and restore business-critical operations all at once. Because crypto-ransomware needs time to spread, attacks are often launched at night, when intrusions take longer to detect. This compounds the difficulty of quickly assembling and coordinating a capable response team.

Progent offers a range of services for protecting businesses from ransomware. These include staff training to recognize and avoid phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, and deployment of the latest generation of AI-capable security appliances from SentinelOne to detect and stop zero-day threats automatically. Progent can also provide experienced ransomware recovery consultants with the skills and commitment to restore a compromised environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Support Services
After a ransomware attack, even paying the ransom in cryptocurrency does not guarantee that the attackers will hand over the keys to decrypt all your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000), significantly higher than typical crypto-ransomware demands, which ZDNet estimates at approximately $13,000. The alternative is to rebuild the essential elements of your IT environment. Without complete data backups, this requires a broad range of IT skills, top-notch project management, and the willingness to work 24x7 until the job is done.

For two decades, Progent has offered expert Information Technology services for companies in Toledo and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold top industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity engineers hold internationally recognized certifications including CISM, CISSP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has experience with financial management and ERP applications. This breadth of experience allows Progent to identify the critical systems, reorganize what remains of your network after a ransomware penetration, and rebuild it into a working environment.

Progent's ransomware team uses robust project management systems to orchestrate the complex restoration process. Progent understands the importance of acting quickly and in concert with a client's management and IT staff to prioritize tasks and bring the most important services back online as fast as possible.

Customer Case Study: A Successful Ransomware Attack Recovery
A business hired Progent after their company was brought down by Ryuk ransomware. Ryuk is thought to have been created by North Korean government-sponsored criminal gangs, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk targets companies with little ability to sustain operational disruption and is among the most profitable ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer located in Chicago with about 500 employees. The Ryuk attack had disabled all essential business and manufacturing processes. Most of the client's backups had been online at the start of the attack and were destroyed. The client was preparing to pay the ransom (exceeding two hundred thousand dollars) and hope for the best, but ultimately decided to engage Progent.


"I can't thank you enough for the care Progent gave us during the most fearful time of (our) company's existence. We most likely would have paid the cyber criminals behind the attack if it wasn't for the confidence the Progent team provided us. That you were able to get our e-mail and essential servers back online in less than a week was something I thought impossible. Each person I got help from or texted at Progent was absolutely committed to getting my company operational and was working at breakneck pace to bail us out."

Progent worked with the customer to rapidly understand and prioritize the key areas that needed to be restored in order to continue company operations:

  • Active Directory (AD)
  • Microsoft Exchange
  • MRP System

To begin, Progent followed ransomware mitigation best practices by isolating infected systems and removing active malware. Progent then began restoring Active Directory, the foundation of any environment built on Microsoft Windows Server. Exchange email cannot function without AD, and the client's accounting and MRP applications ran on Microsoft SQL Server, which relies on AD to authenticate access to the data.

Within 48 hours, Progent had rebuilt Active Directory to its pre-attack state. Progent then reinstalled the most important servers and recovered their storage. All Exchange Server data and configuration information were usable, which accelerated the Exchange restore. Progent was also able to gather intact OST files (Outlook Offline Data Files) from user desktops to recover mail data. A fairly recent offline backup of the client's financial/MRP software made it possible to bring these vital services back into service. Although a lot of work remained to recover fully from the Ryuk event, the most important systems were returned to operation quickly:


"For the most part, the production operation showed little impact and we delivered all customer sales."

Over the next month, important milestones in the restoration project were completed in close collaboration between Progent engineers and the customer:

  • In-house web sites were returned to operation with no loss of information.
  • The MailStore Server containing more than four million historical emails was spun up and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory capabilities were completely recovered.
  • A new Palo Alto 850 security appliance was installed.
  • Ninety percent of the user PCs were operational.

"A lot of what was accomplished in the initial days is nearly entirely a blur for me, but we will not soon forget the care all of the team put in to give us our company back. I have been working with Progent for the past ten years, possibly more, and every time I needed help Progent has come through and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A probable company-ending catastrophe was avoided through dedicated professionals, a broad spectrum of knowledge, and close teamwork. In hindsight, the ransomware attack detailed here would have been prevented by modern cybersecurity solutions and security best practices: user and IT administrator training, well thought out procedures for data protection, and keeping systems current with security patches. Even so, government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware incursion, be confident that Progent's team of professionals has extensive experience in ransomware defense, cleanup, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for allowing me to get rested after we made it through the first week. All of you made an incredible effort, and if anyone is in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Toledo a variety of online monitoring and security assessment services designed to help you to reduce the threat from ransomware. These services include modern AI technology to detect zero-day variants of ransomware that are able to get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses SentinelOne's cutting-edge behavior-based machine learning to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely escape legacy signature-based AV tools. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to manage the complete threat progression including blocking, detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical in-depth protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and react to security attacks from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge technologies packaged within one agent managed from a single console. Progent's data protection and virtualization experts can help you design and implement a ProSight ESP environment that meets your organization's specific requirements and allows you to demonstrate compliance with government and industry data protection standards. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your network and react to alarms that call for immediate action. Progent's consultants can also help you set up and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with leading backup software companies to create ProSight Data Protection Services, a selection of management outsourcing plans that deliver backup-as-a-service. ProSight DPS products automate and monitor your data backup operations and enable transparent backup and fast recovery of critical files/folders, applications, system images, and virtual machines. ProSight DPS helps you protect against data loss caused by hardware breakdown, natural calamities, fire, malware like ransomware, human error, malicious employees, or application bugs. Managed services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security vendors to provide centralized management and world-class security for your email traffic. The architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway device to provide advanced protection against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-based malware. The cloud filter serves as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound threats and conserves bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper level of inspection for incoming email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server track and protect internal email that originates and ends within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, optimize and debug their connectivity hardware such as routers, firewalls, and access points as well as servers, printers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are always updated, captures and displays the configuration information of almost all devices on your network, tracks performance, and generates alerts when problems are discovered. By automating time-consuming network management activities, WAN Watch can cut hours off common chores such as making network diagrams, reconfiguring your network, finding appliances that require important updates, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) techniques to keep your network operating at peak levels by checking the health of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT staff and your Progent consultant so any potential problems can be resolved before they have a chance to disrupt productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the apps. Since the environment is virtualized, it can be ported easily to a different hardware environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, retrieve and safeguard data about your network infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can eliminate as much as 50% of the time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're planning enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting-edge behavior-based machine learning technology to guard endpoints as well as servers and VMs against new malware attacks such as ransomware and email phishing, which easily evade traditional signature-based AV tools. Progent ASM services safeguard local and cloud-based resources and provide a single platform to automate the entire threat progression including protection, detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Call Center: Help Desk Managed Services
    Progent's Support Desk managed services allow your IT staff to offload Support Desk services to Progent or split responsibilities for Service Desk support transparently between your in-house support resources and Progent's extensive pool of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a transparent supplement to your in-house support team. User interaction with the Service Desk, delivery of support, escalation, ticket generation and tracking, performance metrics, and maintenance of the support database are consistent regardless of whether incidents are taken care of by your corporate support resources, by Progent's team, or by a combination. Find out more about Progent's outsourced/shared Service Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management offer businesses of all sizes a flexible and cost-effective alternative for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic information network. Besides optimizing the protection and reliability of your IT network, Progent's software/firmware update management services permit your IT staff to focus on more strategic initiatives and tasks that deliver the highest business value from your information network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication services incorporate Cisco's Duo cloud technology to protect against password theft through the use of two-factor authentication (2FA). Duo supports single-tap identity confirmation on Apple iOS, Google Android, and other personal devices. With 2FA, when you log into a protected online account and give your password you are requested to verify who you are on a device that only you have and that uses a different network channel. A wide range of out-of-band devices can be used for this second form of ID validation such as a smartphone or watch, a hardware/software token, a landline telephone, etc. You can register several verification devices. For details about Duo two-factor identity validation services, visit Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of real-time management reporting tools designed to integrate with the leading ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as spotty support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.

For 24x7x365 Toledo Crypto Cleanup Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.