Ransomware: Your Crippling IT Catastrophe

Ransomware Remediation Professionals
Crypto-ransomware has become an escalating cyber pandemic that presents an extinction-level threat for businesses vulnerable to an attack. Versions of ransomware such as Reveton, CryptoWall, Bad Rabbit, NotPetya and the MongoLock cryptoworms have been running rampant for years and continue to cause havoc. Newer strains of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, plus frequent as-yet-unnamed malware, not only encrypt online information but also infect any accessible system protection mechanisms. Files replicated to the cloud can also be rendered useless. In a vulnerable system, this can render automatic restoration hopeless and effectively knocks the network back to zero.

Getting services and data back following a ransomware intrusion becomes a sprint against time as the victim fights to contain and clean up the ransomware and to restore mission-critical activity. Because ransomware needs time to move laterally, assaults are frequently sprung at night, when attacks tend to take longer to identify. This multiplies the difficulty of rapidly assembling and organizing an experienced mitigation team.

Progent has a range of services for securing businesses from ransomware attacks. Among these are staff education to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of next-generation security gateways with AI technology from SentinelOne to discover and extinguish zero-day cyber attacks automatically. Progent also offers the services of veteran ransomware recovery engineers with the track record and perseverance to restore a breached environment as rapidly as possible.

Progent's Ransomware Recovery Services
Following a ransomware event, paying the ransom demand in cryptocurrency does not provide any assurance that the cyber criminals will return the keys to decrypt all your data. Kaspersky estimated that seventeen percent of crypto-ransomware victims never restored their files even after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the typical ransomware demand, which ZDNET estimates to average approximately $13,000. The alternative is to piece back together the key parts of your Information Technology environment. Absent access to complete information backups, this calls for a wide range of IT skills, top-notch team management, and the willingness to work non-stop until the recovery project is done.

For two decades, Progent has provided professional IT services for companies in San Diego and across the United States and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who have attained advanced certifications in leading technologies from Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in financial systems and ERP applications. This breadth of experience gives Progent the capability to knowledgeably identify critical systems after a crypto-ransomware event, integrate the remaining components of your Information Technology system, and rebuild them into an operational system.

Progent's ransomware team of experts utilizes best-of-breed project management systems to coordinate the sophisticated restoration process. Progent appreciates the urgency of acting rapidly and works together with a customer's management and Information Technology team members to prioritize tasks and to put critical services back online as soon as possible.

Customer Story: A Successful Ransomware Virus Recovery
A customer escalated to Progent after their company was crippled by the Ryuk ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored hackers, possibly adopting techniques leaked from the United States National Security Agency. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most lucrative iterations of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in the Chicago metro area with around 500 employees. The Ryuk intrusion had paralyzed all essential operations and manufacturing processes. The majority of the client's backups had been online at the time of the attack and were destroyed. The client considered paying the ransom demand (more than $200,000) and hoping for the best, but ultimately brought in Progent.

"I can't speak enough about the care Progent gave us during the most critical period of (our) business's life. We had little choice but to pay the cyber criminals except for the confidence the Progent experts gave us. The fact that you were able to get our e-mail system and essential applications back in less than five days was amazing. Each staff member I talked with or messaged at Progent was urgently focused on getting us back on-line and was working 24 by 7 to bail us out."

Progent worked with the client to rapidly identify and prioritize the mission-critical elements that needed to be recovered to make it possible to restart business operations:

  • Active Directory (AD)
  • Exchange Server
  • Financials/MRP

To start, Progent adhered to industry best practices for ransomware incident response by stopping lateral movement and cleaning infected systems. Progent then began the task of bringing Microsoft Active Directory back online, the foundation of enterprise systems built on Microsoft Windows technology. Exchange messaging will not operate without AD, and the customer's financials and MRP applications used Microsoft SQL Server, which relies on Windows AD to authorize access to the databases.

Within 2 days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then assisted with setup and hard drive recovery for mission-critical applications. All Exchange links and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to locate unencrypted OST files (Outlook Offline Folder Files) on staff desktop computers to recover email data. A reasonably recent offline backup of the customer's accounting software made it possible to return these vital programs to service. Although a lot of work remained to recover completely from the Ryuk virus, core systems were recovered quickly:

"For the most part, the assembly line operation was never shut down and we did not miss any customer shipments."

Over the next couple of weeks, critical milestones in the recovery process were accomplished in close cooperation between Progent engineers and the customer:

  • Internal web applications were returned to operation with no loss of data.
  • The MailStore Exchange Server containing more than four million archived emails was spun up and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory Control capabilities were 100% restored.
  • A new Palo Alto 850 security appliance was installed and configured.
  • Nearly all of the user desktops and notebooks were back in use by staff.

"A lot of what happened during the initial response is mostly a fog for me, but we will not forget the care all of the team put in to give us our business back. I have trusted Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered. This situation was a life saver."

Conclusion
A potential enterprise-killing disaster was averted through the efforts of top-tier experts, a wide array of technical expertise, and tight collaboration. In retrospect, the crypto-ransomware attack detailed here should have been shut down by up-to-date security solutions, ISO/IEC 27001 best practices, staff education, and appropriate security procedures for information protection and software patching; the reality, however, is that government-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has a proven track record in ransomware defense, mitigation, and data recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for making it so I could get rested after we got past the most critical parts. Everyone did an impressive job, and if anyone is in the Chicago area, dinner is on me!"

To read or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in San Diego a variety of online monitoring and security evaluation services to help you reduce your vulnerability to ransomware. These services include next-generation machine learning technology to uncover zero-day strains of ransomware that are able to evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's cutting-edge behavior-based machine learning tools to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely evade traditional signature-matching AV products. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to address the entire malware attack lifecycle, including protection, detection, mitigation, cleanup, and post-attack forensics. Top features include single-click rollback using Windows VSS and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver economical in-depth protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge tools packaged within a single agent accessible from a single console. Progent's data protection and virtualization experts can assist your business to plan and implement a ProSight ESP deployment that addresses your organization's specific requirements and that allows you to prove compliance with government and industry information security regulations. Progent will assist you in defining and configuring the security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require immediate attention. Progent can also help you to set up and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover quickly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore technology providers to produce ProSight Data Protection Services (DPS), a portfolio of management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and track your backup processes and enable non-disruptive backup and fast restoration of critical files/folders, apps, images, plus VMs. ProSight DPS helps your business protect against data loss resulting from equipment breakdown, natural calamities, fire, malware like ransomware, human mistakes, ill-intentioned employees, or software glitches. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top data security vendors to provide centralized management and world-class security for your inbound and outbound email. The powerful structure of Progent's Email Guard integrates a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's Cloud Protection Layer serves as a first line of defense and keeps most unwanted email from reaching your network firewall. This reduces your exposure to inbound threats and conserves system bandwidth and storage. Email Guard's onsite gateway appliance adds a deeper layer of inspection for inbound email. For outgoing email, the local security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to track and protect internal email that stays within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map out, monitor, enhance and troubleshoot their connectivity hardware such as routers, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are kept current, captures and manages the configuration information of almost all devices on your network, tracks performance, and sends alerts when issues are discovered. By automating time-consuming network management activities, WAN Watch can knock hours off common tasks such as network mapping, expanding your network, locating devices that need critical updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your IT system operating efficiently by checking the health of vital computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted automatically to your designated IT personnel and your Progent engineering consultant so that any potential problems can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be ported easily to a different hardware environment without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard information related to your IT infrastructure, procedures, business apps, and services. You can quickly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as 50% of the time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes next-generation behavior-based analysis technology to guard endpoint devices and physical and virtual servers against modern malware assaults like ransomware and fileless exploits, which easily evade traditional signature-based AV products. Progent ASM services safeguard on-premises and cloud resources and provide a unified platform to automate the entire malware attack progression, including protection, infiltration detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
    Progent's Support Desk managed services allow your information technology team to offload Call Center services to Progent or split responsibilities for Service Desk support transparently between your in-house network support team and Progent's extensive pool of certified IT service engineers and subject matter experts. Progent's Shared Help Desk Service offers a smooth extension of your internal network support organization. Client interaction with the Help Desk, delivery of support, issue escalation, ticket creation and updates, efficiency metrics, and maintenance of the service database are consistent whether issues are resolved by your internal support staff, by Progent's team, or a mix of the two. Find out more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management offer organizations of any size a flexible and affordable alternative for assessing, validating, scheduling, applying, and tracking software and firmware updates to your ever-evolving information system. Besides optimizing the security and reliability of your computer network, Progent's patch management services free up time for your IT staff to focus on more strategic projects and activities that derive the highest business value from your information network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo technology to defend against compromised passwords by using two-factor authentication (2FA). Duo supports one-tap identity confirmation with Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, whenever you log into a secured online account and give your password you are asked to confirm your identity on a device that only you have and that uses a different network channel. A broad selection of out-of-band devices can be utilized for this added means of authentication including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You can designate multiple validation devices. For details about ProSight Duo two-factor identity authentication services, see Duo MFA two-factor authentication services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time and in-depth management reporting tools created to work with the industry's leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to highlight and contextualize critical issues like inconsistent support follow-up or machines with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.

For San Diego 24/7 CryptoLocker Remediation Support Services, call Progent at 800-462-8800 or go to Contact Progent.