Ransomware: Your Crippling Information Technology Nightmare
Ransomware Remediation Professionals
Ransomware has become a modern cyber plague that presents an enterprise-level danger for businesses unprepared for an attack. Older ransomware families such as CrySIS, Fusob, Locky, Syskey and MongoLock have been in the wild for years and continue to cause damage. More recent crypto-ransomware variants such as Ryuk, Maze, Sodinokibi, DopplePaymer, LockBit and Egregor, plus frequent unnamed malware, not only encrypt online files but also attack whatever backup and recovery infrastructure they can reach: shadow copies, backup servers, and backup storage that is mounted or network-accessible from the compromised systems. Data replicated to off-site disaster recovery sites can also be encrypted if the replication path is reachable. In a poorly designed data protection solution, this can render automatic recovery impossible and effectively knocks the entire environment back to square one.

Getting applications and data back online after a crypto-ransomware attack becomes a sprint against the clock as the victim struggles to stop lateral movement, remove the ransomware, and restore mission-critical operations. Because ransomware needs time to spread, attacks are often sprung during nights and weekends, when they are likely to take longer to uncover. This compounds the difficulty of quickly mobilizing and coordinating an experienced mitigation team.

Progent offers a range of support services for protecting enterprises from ransomware attacks. These include staff training to help employees recognize and not fall victim to phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of SentinelOne's next-generation, machine-learning-based endpoint protection to detect and contain zero-day threats quickly. Progent can also provide experienced crypto-ransomware recovery consultants with the skills and commitment to rebuild a breached network as urgently as possible.

Progent's Crypto-Ransomware Recovery Help
After a ransomware event, paying the ransom in cryptocurrency provides no assurance that the attackers will return the keys needed to decrypt any or all of your files. Kaspersky determined that seventeen percent of ransomware victims never recovered their files even after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms are often several hundred thousand dollars, and for larger enterprises the demand can run into the millions. The other path is to piece the critical elements of your IT environment back together. Without complete, intact backups, this requires a wide range of skill sets, professional project management, and the willingness to work 24x7 until the task is finished.

For twenty years, Progent has offered professional IT services to companies across the United States and has earned Microsoft Partner status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes engineers who hold advanced certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts hold internationally recognized industry certifications including CISA, CISSP, CRISC, GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has expertise in financial management and ERP software. This breadth of experience gives Progent the ability to identify the critical systems, triage what survives after a ransomware attack, and rebuild the remaining components into a working environment.

Progent's security team uses best-of-breed project management tools to coordinate the complicated restoration process. Progent understands the importance of acting swiftly and working together with the customer's management and IT staff to prioritize tasks and get the most important systems back online as soon as possible.

Case Study: A Successful Ransomware Attack Restoration
A small business contacted Progent after its network was attacked by the Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because of its code overlap with the earlier Hermes ransomware; later analysis by several security firms attributed it instead to a Russian-speaking criminal group, and it is typically delivered into a network through an existing Emotet or TrickBot infection. Ryuk targets organizations that can least tolerate operational disruption and is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in Chicago with around 500 staff members. The Ryuk intrusion had disabled all essential business and manufacturing operations. Most of the client's backups were online and reachable from the compromised network when the attack began, and were destroyed along with the production data. The client had begun preparing to pay the ransom (more than $200,000) and hope for the best, but ultimately decided to engage Progent.


"I can't thank you enough for the expertise Progent gave us during the most stressful time of (our) company's survival. We would have had little choice but to pay the criminal gangs if it weren't for the confidence the Progent team afforded us. The fact that you were able to get our e-mail and important applications back online in less than one week was incredible. Each person I talked with or messaged at Progent was urgently focused on getting us back online and was working all day and night on our behalf."

Progent worked hand in hand with the customer to rapidly understand and prioritize the most important systems that had to be recovered before company operations could restart:

  • Active Directory
  • Microsoft Exchange Server
  • MRP System
Progent first followed standard malware incident response practice: isolating the affected systems from the network and cleaning them before anything was rebuilt on them. Progent then began the work of bringing back Active Directory, the heart of enterprise environments built on Windows Server. Exchange Server cannot run without Active Directory, and the customer's financial and MRP applications ran on Microsoft SQL Server, which relied on Active Directory (Windows authentication) for access to the databases. Restoring AD first was therefore the prerequisite for every other recovery step.

Within two days, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then helped with setup and storage recovery on the most important servers. The Exchange Server objects and configuration in Active Directory were intact, which simplified the rebuild of Exchange. Progent was also able to collect the local OST files (Outlook Offline Data Files) from staff desktops and laptops and use them to recover mailbox data. A reasonably recent offline backup of the business's accounting/ERP system made it possible to bring those services back for users. Although a large amount of work remained to recover completely from the Ryuk attack, the most important systems were returned to operation rapidly:
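The OST collection step above is one a recovery team has to script rather than do by hand. The following PowerShell is an added example, not Progent's code or part of the original case study: it inventories the Outlook OST caches on surviving workstations and flags any cache written after the attack began, since such a file may have been touched by the ransomware. It assumes PowerShell Remoting (WinRM) is reachable on the workstations and the caller has local administrator rights there; the workstation names, the attack timestamp and the report path are constructed sample values.

```powershell
# Added example (not Progent's code): inventory Outlook OST caches on the
# workstations that survived the attack, so mailbox data can be recovered once
# Exchange has been rebuilt. Assumes WinRM is enabled on the workstations and
# the caller is a local administrator on them.
# Workstation names, attack timestamp and report path are constructed samples.

$Workstations = @('WS-ACCT-01', 'WS-ENG-07', 'WS-SALES-03')
$AttackStart  = Get-Date '2019-06-14 22:00'      # assumed start from the incident timeline
$Report       = 'C:\Recovery\ost-inventory.csv'

$Inventory = Invoke-Command -ComputerName $Workstations -ErrorAction Continue -ArgumentList $AttackStart -ScriptBlock {
    param($AttackStart)
    # Outlook keeps each user's offline cache under %LOCALAPPDATA%\Microsoft\Outlook.
    # Only *.ost is matched: a file the ransomware renamed to its own extension
    # is not recoverable from here anyway.
    Get-ChildItem -Path 'C:\Users\*\AppData\Local\Microsoft\Outlook\*.ost' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                Computer           = $env:COMPUTERNAME
                UserProfile        = $_.FullName.Split('\')[2]
                Path               = $_.FullName
                SizeMB             = [math]::Round($_.Length / 1MB, 1)
                LastWrite          = $_.LastWriteTime
                # A cache written after the attack began may have been modified
                # by the ransomware; flag it for manual inspection before use.
                WrittenAfterAttack = ($_.LastWriteTime -gt $AttackStart)
            }
        }
}

$Inventory |
    Sort-Object Computer, UserProfile |
    Select-Object Computer, UserProfile, Path, SizeMB, LastWrite, WrittenAfterAttack |
    Export-Csv -Path $Report -NoTypeInformation

# Summarise what looks usable before anyone starts copying files off workstations.
# Copy an OST only with Outlook closed on that machine; the file is locked while Outlook runs.
$Usable = @($Inventory | Where-Object { -not $_.WrittenAfterAttack })
$Hosts  = @($Inventory.Computer | Sort-Object -Unique)
"{0} OST files found on {1} workstations; {2} untouched since the attack began" -f `
    @($Inventory).Count, $Hosts.Count, $Usable.Count
```

An OST is bound to the mailbox profile it was created for and cannot simply be renamed to a PST. The usual route is to start Outlook offline under the original profile on that workstation and export the mailbox to a PST (or use a dedicated OST conversion tool), then import the PST once the mailbox has been recreated on the rebuilt Exchange server. Take the inventory before any reimaging: a workstation rebuilt to clean up the ransomware also erases the only copy of that user's mail.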


"For the most part, the production operation survived unscathed and we delivered all customer orders."

Over the next couple of weeks key milestones in the restoration project were completed through close cooperation between Progent consultants and the customer:

  • In-house web applications were returned to operation without losing any information.
  • The MailStore Server archive, holding more than 4 million emails, was brought online and made available to users.
  • CRM/Orders/Invoicing/Accounts Payable/Accounts Receivables (AR)/Inventory Control functions were completely recovered.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • Most of the user desktops were back into operation.

"So much of what went on in the initial days is mostly a haze for me, but my team will not forget the countless hours all of you accomplished to help get our company back. I've utilized Progent for the past ten years, maybe more, and each time Progent has impressed me and delivered as promised. This event was the most impressive ever."

Conclusion
A potentially business-ending disaster was averted through dedicated experts, a broad spectrum of knowledge, and tight collaboration. In retrospect, the intrusion described here could have been stopped, or at least contained, by modern security tooling, NIST Cybersecurity Framework best practices, user and IT administrator training, and sound procedures for data protection (in particular, backups that cannot be reached or modified from the production network) and software patching. The fact remains that state-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's roster of professionals has extensive experience in crypto-ransomware defense, mitigation, and information systems disaster recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for letting me get rested after we got through the initial push. All of you did a fabulous job, and if anyone is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Minnetonka a portfolio of remote monitoring and security assessment services to assist you to reduce your vulnerability to crypto-ransomware. These services incorporate modern artificial intelligence capability to uncover zero-day variants of ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's next-generation behavior-based machine learning technology to guard physical and virtual endpoints against modern malware such as ransomware and phishing payloads, which easily get past traditional signature-matching AV tools. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to manage the entire attack lifecycle including prevention, detection, containment, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy (VSS) snapshots and automatic network-wide immunization against newly discovered threats. Note that rollback depends on shadow copies surviving the attack, which is why the endpoint agent must be in place before an incident. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and responding to security threats from all vectors. ProSight ESP provides firewall protection, intrusion alarms, device control, and web filtering via cutting-edge technologies incorporated within a single agent managed from a single console. Progent's data protection and virtualization consultants can assist your business to plan and implement a ProSight ESP deployment that addresses your company's unique needs and that helps you achieve and demonstrate compliance with government and industry data security standards. Progent will assist you define and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent's consultants can also help you to install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with leading backup software providers to produce ProSight Data Protection Services (DPS), a family of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your data backup operations and allow non-disruptive backup and fast restoration of critical files/folders, applications, images, and VMs. ProSight DPS lets your business recover from data loss resulting from equipment failures, natural disasters, fire, malware like ransomware, user error, ill-intentioned insiders, or software bugs. Managed services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security companies to deliver centralized control and comprehensive security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with a local gateway appliance to provide layered defense against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as the first line of defense and blocks the vast majority of unwanted email before it reaches your network firewall. This decreases your exposure to external threats and saves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a deeper level of analysis for incoming email. For outgoing email, the onsite gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also help Exchange Server track and protect internal email traffic that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized organizations to diagram, track, optimize and debug their connectivity hardware such as routers, firewalls, and wireless controllers plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that network maps are always updated, copies and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends notices when issues are discovered. By automating tedious management activities, ProSight WAN Watch can cut hours off common chores like making network diagrams, expanding your network, locating devices that require important updates, or resolving performance problems. Find out more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management techniques to keep your network running efficiently by checking the state of vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your designated IT staff and your Progent consultant so that all potential problems can be resolved before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure fault tolerant data center on a high-performance virtual host configured and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Since the environment is virtualized, it can be moved easily to a different hosting solution without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard information related to your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be alerted automatically about impending expirations of SSLs or domains. By updating and managing your IT infrastructure documentation, you can save as much as half of time thrown away trying to find critical information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents related to managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you require when you need it. Find out more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates next-generation behavior-based analysis tools to defend endpoint devices and physical and virtual servers against modern malware attacks such as ransomware and phishing payloads, which easily evade traditional signature-matching anti-virus products. The service safeguards local and cloud resources and offers a single platform to manage the entire threat lifecycle including blocking, detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS snapshots and real-time system-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Help Desk: Help Desk Managed Services
    Progent's Call Center services enable your IT group to outsource Call Center services to Progent or split activity for Help Desk services transparently between your in-house support team and Progent's extensive roster of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a transparent supplement to your corporate network support staff. End user interaction with the Service Desk, provision of technical assistance, problem escalation, ticket creation and updates, performance measurement, and maintenance of the service database are consistent regardless of whether incidents are resolved by your internal network support organization, by Progent, or by a combination. Learn more about Progent's outsourced/shared Help Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide businesses of any size a versatile and cost-effective alternative for assessing, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT system. Besides maximizing the protection and reliability of your computer environment, Progent's software/firmware update management services allow your in-house IT staff to concentrate on more strategic initiatives and tasks that derive the highest business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to protect against stolen passwords through two-factor authentication. Duo enables single-tap identity confirmation with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you sign into a protected application and enter your password you are asked to confirm your identity on a device that only you possess and that is reached over a different channel from the login itself, so a phished or stolen password alone is not enough to get in. A broad range of out-of-band devices can be used as this second factor, including a smartphone or watch, a hardware or software token, or a landline telephone, and you can register several verification devices. To learn more about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding family of real-time and in-depth reporting tools created to work with the top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues like spotty support follow-up or machines with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For Minnetonka 24/7 Crypto Recovery Consulting, contact Progent at 800-462-8800 or go to Contact Progent.