Ransomware: Your Worst IT Disaster
Ransomware Remediation Consultants

Ransomware has become a modern cyber pandemic that represents an extinction-level danger for organizations vulnerable to an attack. Families such as Dharma, WannaCry, Locky, NotPetya and MongoLock have been around for years and still inflict damage. Newer strains such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Nephilim, plus as yet unnamed newcomers, not only encrypt online data files but also encrypt or delete any backups reachable from the compromised network. Data synchronized to the cloud can be ransomed as well, because sync clients faithfully replicate the encrypted versions of files. Only backups that are offline, immutable, or otherwise unreachable with the credentials the attacker holds survive; without such a copy, restore operations are hopeless and the datacenter is effectively knocked back to zero.

Restoring applications and data after a ransomware attack is a race against time: the victim must stop the spread, eradicate the ransomware, and bring enterprise-critical operations back online. Because encryption takes time to spread across an environment, attackers frequently trigger it at night or over weekends, when intrusions take longer to recognize. This makes it much harder to mobilize and coordinate a capable response team promptly.

Progent provides a variety of services for protecting organizations from ransomware. These include training staff to recognize and avoid phishing, ProSight Active Security Monitoring for managed endpoint detection and response, and deployment of SentinelOne's behavior-based endpoint agents to identify and disable zero-day threats rapidly. Progent also provides expert ransomware recovery engineers with the skill and commitment to rebuild a breached environment as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will hand over keys that decrypt all your files. Kaspersky found that seventeen percent of ransomware victims who paid never recovered their data, compounding their losses. The gamble is also expensive: Ryuk ransoms commonly ranged from fifteen to forty BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the typical demand, which ZDNet put at about $13,000. The alternative is to rebuild the critical parts of your IT environment. Without complete, uncompromised backups, this requires a broad range of IT skills, first-rate project management, and the capacity to work around the clock until the recovery is complete.

For decades, Progent has provided expert IT services for companies in San Diego and across the US and has earned Microsoft Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants holding advanced industry certifications in key technologies from Microsoft, Cisco and VMware and in popular Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISM, CISSP, CRISC and SANS GIAC (refer to Progent's certifications). Progent also has experience with financial management and ERP software. This breadth of expertise lets Progent knowledgeably determine which systems are needed, salvage the surviving components of your IT environment after a ransomware attack, and rebuild them into a functioning network.

Progent's recovery team uses project management tools to coordinate the complex restoration process. Progent understands the importance of working rapidly and in unison with a client's management and IT staff to prioritize tasks and get critical applications back online as soon as humanly possible.

Client Story: A Successful Crypto-Ransomware Virus Restoration
A business escalated to Progent after its organization was brought down by Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because of code it shares with the earlier Hermes ransomware; later analysis linked its operators to Russian-speaking criminal groups. Either way, Ryuk is a targeted operation that goes after organizations with little or no ability to sustain disruption, and it is one of the most profitable ransomware families. Widely publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a manufacturing company located in the Chicago area with around 500 employees. The Ryuk intrusion had halted all business operations and manufacturing. Most of the client's backups were online (reachable from the compromised network) when the attack began and were encrypted along with production data. The client was weighing paying the ransom demand (over $200,000) and hoping for the best, but ultimately called Progent.


"I can't thank you enough about the expertise Progent gave us throughout the most stressful time of (our) company's life. We had little choice but to pay the cybercriminals if it wasn't for the confidence the Progent team provided us. The fact that you were able to get our e-mail and important servers back faster than 1 week was amazing. Every single staff member I got help from or e-mailed at Progent was hell bent on getting us operational and was working at all hours to bail us out."

Progent worked hand in hand with the client to rapidly identify and prioritize the essential systems that had to be restored before departmental functions could resume:

  • Active Directory (AD)
  • Microsoft Exchange
  • Financials/MRP
To begin, Progent followed incident response best practice: isolate affected systems to stop the spread, then clean infected hosts before reconnecting them. Progent then began bringing Active Directory back online, since AD is the heart of an enterprise environment built on Microsoft Windows: Exchange will not operate without it, and the client's financials and MRP software ran on SQL Server, which relied on Active Directory (Windows integrated authentication) to authorize access to the data.

Within two days, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then assisted with reinstallation and hard drive recovery of mission-critical servers. All Exchange Server schema and configuration information was intact, which greatly simplified the Exchange restore. Because Outlook in cached mode keeps a local copy of each user's mailbox in an Offline Storage (.ost) file, Progent was able to recover email messages from the .ost files on staff PCs. A recent offline backup of the company's manufacturing systems made it possible to bring those vital applications back online. Although major work remained to recover fully from the Ryuk attack, the most important systems were returned to operation quickly:


"For the most part, the production line operation showed little impact and we did not miss any customer deliverables."

During the next few weeks key milestones in the recovery project were completed through close cooperation between Progent consultants and the customer:

  • Self-hosted web sites were returned to operation without losing any data.
  • The MailStore Server archive, containing more than 4 million messages, was brought online and made available to users.
  • CRM, orders, invoicing, accounts payable, accounts receivable and inventory control functions were completely recovered.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Ninety percent of user desktops were back in service.

"A lot of what transpired in the early hours is mostly a haze for me, but we will not forget the commitment all of the team put in to help get our business back. I have entrusted Progent for at least 10 years, possibly more, and each time Progent has come through and delivered. This time was a testament to your capabilities."

Conclusion
A likely company-ending catastrophe was averted through the efforts of results-oriented experts, a wide spectrum of subject matter expertise, and tight collaboration. Post-incident analysis showed that the intrusion described here would have been identified and stopped by current security technology and best practices: behavior-based endpoint protection, user and IT administrator training, offline or immutable backups, and timely patching. The fact remains, however, that criminal and state-sponsored attackers from Russia, North Korea and elsewhere are relentless and an ongoing threat. If you are hit by ransomware, you can be confident that Progent's roster of professionals has substantial experience in ransomware blocking, removal and information systems recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for allowing me to get some sleep after we got past the most critical parts. All of you did an impressive effort, and if any of your guys is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in San Diego a range of online monitoring and security evaluation services designed to help you to minimize the threat from ransomware. These services utilize next-generation machine learning capability to detect new variants of ransomware that can get past legacy signature-based security products.
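To make the difference between signature matching and behavior-based detection concrete, here is an added example (it is not Progent's or SentinelOne's code and is not from the original page) of the two kinds of signal such an agent correlates: precursor commands that delete shadow copies or disable boot recovery, and a burst of high-entropy file writes that looks like encryption in progress. The telemetry schema, the thresholds and the sample events are assumptions constructed for this example.

```python
"""Behavioral ransomware detection over constructed endpoint telemetry.

Added example (not from the original page). Two signals are combined per
process: precursor commands that destroy recovery points, and a burst of
high-entropy file writes that looks like encryption in progress.
"""
import math
import random
import re
from collections import defaultdict

# Command lines many ransomware families run before encrypting, to make
# rollback from shadow copies or recovery catalogs impossible.
PRECURSOR_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ordinary text sits around 4-5, ciphertext approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_precursor(cmdline: str) -> bool:
    """True if the command line matches a known recovery-destroying command."""
    return any(p.search(cmdline) for p in PRECURSOR_PATTERNS)


def detect(events, window_s=60, min_files=20, entropy_threshold=7.5):
    """Return {pid: [reasons]} for processes showing ransomware behaviour.

    Each event is a dict with t (seconds), pid and type. type 'proc' carries
    cmdline; type 'write' carries path and data (the bytes written).
    This event schema is an assumption made for the example.
    """
    findings = defaultdict(list)
    hot_writes = defaultdict(list)  # pid -> [(t, path)] of high-entropy writes
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "proc" and is_precursor(ev["cmdline"]):
            findings[ev["pid"]].append(f"precursor command: {ev['cmdline']}")
        elif ev["type"] == "write" and shannon_entropy(ev["data"]) >= entropy_threshold:
            hot_writes[ev["pid"]].append((ev["t"], ev["path"]))
    # Sliding window: flag a process that rewrites min_files files with
    # ciphertext-like content inside any window_s-second span.
    for pid, writes in hot_writes.items():
        start = 0
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > window_s:
                start += 1
            if end - start + 1 >= min_files:
                findings[pid].append(
                    f"{end - start + 1} high-entropy file writes within {window_s}s "
                    f"(first: {writes[start][1]})")
                break
    return dict(findings)


def sample_events():
    """Constructed telemetry for the example; not from any real incident."""
    rng = random.Random(7)
    events = []
    # Benign: a word processor saving three documents of ordinary text.
    for i in range(3):
        events.append({"t": 10 + i, "pid": 1001, "type": "write",
                       "path": f"C:\\Users\\alice\\Documents\\memo{i}.docx",
                       "data": b"Quarterly production summary for line 3. " * 100})
    # Malicious: shadow copies deleted, then 30 files overwritten with ciphertext.
    events.append({"t": 100, "pid": 4242, "type": "proc",
                   "cmdline": "vssadmin.exe delete shadows /all /quiet"})
    for i in range(30):
        events.append({"t": 101 + i, "pid": 4242, "type": "write",
                       "path": f"\\\\fileserver\\finance\\invoice{i}.xlsx.locked",
                       "data": bytes(rng.getrandbits(8) for _ in range(4096))})
    return events


if __name__ == "__main__":
    for pid, reasons in detect(sample_events()).items():
        print(pid)
        for reason in reasons:
            print("  -", reason)
```

The precursor rule is a plain pattern match and would be trivial for an attacker to vary; the entropy-and-rate rule is what catches a previously unseen strain, because encrypting many files quickly is the behaviour the malware cannot avoid. In production the thresholds would be tuned against a baseline of normal file activity (compression and backup jobs also write high-entropy data) and the response would be to suspend the process and alert, not just report.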

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's behavior-based analysis to guard physical and virtual endpoints against modern malware such as ransomware and fileless exploits, which routinely get past legacy signature-based anti-virus products. ProSight ASM protects on-premises and cloud resources and provides a single platform covering the complete attack progression: filtering, identification, containment, cleanup and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Note that many ransomware strains delete shadow copies (for example with vssadmin delete shadows) before they begin encrypting, so VSS-based rollback is only dependable when the agent blocks that precursor step; it is not a substitute for offline or immutable backups. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and response to threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint control, and web filtering through technologies packaged in a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business design and configure a ProSight ESP deployment that addresses your company's needs and lets you demonstrate compliance with government and industry information security standards. Progent will help you define and implement the policies ProSight ESP enforces, monitor your IT environment, and react to alarms that require immediate action. Progent's consultants can also help you install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a potentially disastrous attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with advanced backup technology providers to create ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services manage and track your data backup operations and enable transparent backup and fast recovery of critical files/folders, apps, system images, plus VMs. ProSight DPS helps you recover from data loss caused by equipment failures, natural disasters, fire, cyber attacks like ransomware, user error, malicious insiders, or software glitches. Managed backup services in the ProSight Data Protection Services portfolio include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security companies to deliver web-based management and world-class protection for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway device to offer advanced protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne threats. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound attacks and conserves bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further level of analysis for inbound email. For outbound email, the local gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises security gateway can also assist Exchange Server to monitor and safeguard internal email that originates and ends inside your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller organizations to map, track, optimize and troubleshoot their connectivity appliances such as routers, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Incorporating Remote Monitoring and Management (RMM) technology, ProSight WAN Watch keeps network maps up to date, captures and manages the configuration of virtually all devices on your network, monitors performance, and sends alerts when potential issues are discovered. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can knock hours off common chores such as network mapping, expanding your network, finding appliances that need important updates, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses remote monitoring and management (RMM) technology to help keep your IT system running efficiently by tracking the health of the vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your designated IT staff and your Progent engineering consultant so that looming problems can be addressed before they disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to alternate hardware without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard information related to your network infrastructure, processes, business applications, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as 50% of the time wasted looking for vital information about your network. ProSight IT Asset Management provides a common location for storing and collaborating on all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're planning improvements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that uses next-generation behavior-based machine learning technology to defend endpoint devices and physical and virtual servers against modern malware attacks such as ransomware and fileless exploits, which routinely get past legacy signature-matching anti-virus tools. The service safeguards on-premises and cloud resources and offers a unified platform to automate the entire threat lifecycle: blocking, infiltration detection, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Help Desk: Support Desk Managed Services
    Progent's Help Center managed services enable your information technology staff to offload Support Desk services to Progent or split activity for Service Desk support seamlessly between your internal support group and Progent's nationwide pool of certified IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent extension of your corporate support staff. Client access to the Help Desk, delivery of support, escalation, trouble ticket creation and updates, efficiency metrics, and maintenance of the service database are cohesive regardless of whether incidents are resolved by your corporate support organization, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Help Center services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management offer organizations of all sizes a versatile and affordable alternative for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information system. In addition to optimizing the security and functionality of your computer network, Progent's software/firmware update management services free up time for your in-house IT team to concentrate on more strategic initiatives and activities that deliver maximum business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA service plans use Cisco's Duo technology to defend against compromised passwords with two-factor authentication (2FA). Duo enables single-tap identity verification on Apple iOS, Android, and other personal devices. With Duo 2FA, when you log into a protected account and enter your password you are asked to verify your identity on a device that only you possess and that uses a separate network channel. A broad selection of devices can be used for this second factor, including a smartphone or wearable, a hardware token, or a landline telephone, and you can register several verification devices. To find out more about Duo identity authentication services, visit Duo MFA two-factor authentication (2FA) services for access security.
For 24/7/365 San Diego CryptoLocker Repair Consultants, contact Progent at 800-462-8800 or go to Contact Progent.