Ransomware : Your Worst IT Disaster
Crypto-Ransomware Recovery Professionals
Ransomware has become a modern cyber pandemic that represents an enterprise-level danger for organizations vulnerable to an assault. Versions of ransomware like the Reveton, Fusob, Locky, NotPetya and MongoLock cryptoworms have been around for many years and still cause harm. More recent variants of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Egregor, as well as still unnamed newcomers, not only encrypt online files but also infect most configured system backups. Data replicated to off-site disaster recovery sites can also be rendered useless. In a vulnerable environment, this can make automatic recovery hopeless and effectively knocks the datacenter back to zero.

Getting applications and data back online following a ransomware event becomes a race against time as the targeted organization struggles to contain and clean up the ransomware and to restore enterprise-critical activity. Because ransomware requires time to replicate, assaults are usually launched on weekends, when successful attacks in many cases take longer to discover. This multiplies the difficulty of rapidly mobilizing and orchestrating a capable response team.

Progent provides a variety of services for securing organizations from crypto-ransomware events. Among these are user education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, along with installation of the latest generation security solutions with artificial intelligence capabilities from SentinelOne to identify and disable zero-day cyber threats rapidly. Progent can in addition provide the services of expert ransomware recovery consultants with the track record and perseverance to re-deploy a breached system as soon as possible.

Progent's Ransomware Recovery Support Services
Subsequent to a crypto-ransomware event, even paying the ransom demands in Bitcoin cryptocurrency does not ensure that cyber criminals will respond with the keys to decrypt any or all of your information. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET estimates to be approximately $13,000. The other path is to re-install the critical parts of your IT environment. Absent the availability of full system backups, this calls for a wide complement of skills, top notch project management, and the willingness to work continuously until the task is completed.

For two decades, Progent has made available certified expert Information Technology services for businesses in Denver and across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded advanced certifications in foundation technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise in financial management and ERP application software. This breadth of expertise gives Progent the capability to knowledgeably determine necessary systems, consolidate the surviving pieces of your network environment following a ransomware event, and rebuild them into an operational system.

Progent's security group utilizes best of breed project management tools to orchestrate the complicated recovery process. Progent understands the urgency of working quickly and together with a client's management and IT staff to assign priority to tasks and to put critical systems back on-line as fast as humanly possible.

Business Case Study: A Successful Ransomware Attack Response
A customer escalated to Progent after their network was penetrated by Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean government sponsored cybercriminals, possibly adopting algorithms leaked from America's National Security Agency. Ryuk targets specific companies with little or no tolerance for disruption and is among the most profitable iterations of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in the Chicago metro area with about 500 staff members. The Ryuk intrusion had shut down all essential operations and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client considered paying the ransom demand (in excess of $200,000) and praying for good luck, but in the end called Progent.


"I cannot say enough about the expertise Progent gave us throughout the most stressful period of (our) company's survival. We would have had little choice but to pay the cyber criminals if not for the confidence the Progent experts gave us. That you were able to get our e-mail and key applications back online in less than one week was something I thought impossible. Every single expert I worked with or messaged at Progent was totally committed to getting our system up and was working 24/7 to bail us out."

Progent worked with the client to quickly identify and prioritize the key services that had to be addressed in order to restart business functions:

  • Windows Active Directory
  • Exchange Server
  • Accounting and Manufacturing Software

To start, Progent adhered to industry best practices for ransomware incident response by stopping lateral movement and clearing infected systems. Progent then began the work of rebuilding Microsoft Active Directory, the core of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange messaging will not work without Active Directory, and the customer's accounting and MRP system used Microsoft SQL Server, which depends on Windows AD for authentication and authorization to the data.

Within 48 hours, Progent was able to re-build Active Directory services to their pre-attack state. Progent then assisted with rebuilding and storage recovery on the most important servers. All Exchange Server schema and configuration information were usable, which facilitated the restore of Exchange. Progent was able to find intact OST files (Outlook Email Off-Line Data Files) on user workstations and laptops in order to recover email messages. A recent off-line backup of the client's financials/MRP software allowed these required services to be put back into service for users. Although major work still had to be done to recover fully from the Ryuk attack, core services were recovered rapidly:
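As an added example of the OST harvesting step described above (this is not Progent's own tooling), the PowerShell script below inventories Outlook OST files on reachable workstations and separates intact pre-attack copies from files that were touched or damaged during the attack. It assumes admin-share (C$) access to each host; the host names and the attack timestamp are constructed placeholders.

```powershell
# Added example, not Progent's tooling: inventory Outlook OST files on reachable
# workstations and classify them for mail recovery. Assumes admin-share (C$)
# access to each host; host names and the attack timestamp are constructed.
param(
    [string[]]$Computers   = @('WS-ACCT-01', 'WS-ENG-02', 'LT-SALES-03'),  # constructed
    [datetime]$AttackStart = (Get-Date '2020-01-10 22:00'),                # placeholder
    [string]$ReportPath    = '.\ost-inventory.csv'
)

function Test-OstHeader([string]$Path) {
    # PST/OST files start with the NDB magic bytes "!BDN"; a file that was
    # encrypted or truncated will not, so this is a cheap integrity check
    # before spending time copying a multi-gigabyte file.
    try {
        # FileShare 'ReadWrite' tolerates a file still locked by Outlook
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        try {
            $buf = New-Object byte[] 4
            $n   = $fs.Read($buf, 0, 4)
        } finally { $fs.Dispose() }
        return ($n -eq 4 -and [System.Text.Encoding]::ASCII.GetString($buf) -eq '!BDN')
    } catch { return $false }
}

$results = foreach ($pc in $Computers) {
    $userRoot = "\\$pc\C$\Users"
    if (-not (Test-Path $userRoot)) {
        Write-Warning "Skipping $pc : admin share unreachable (offline or still isolated)"
        continue
    }
    # Outlook stores each profile's OST under the user's Local AppData folder.
    foreach ($profile in Get-ChildItem -Path $userRoot -Directory -ErrorAction SilentlyContinue) {
        $ostDir = Join-Path $profile.FullName 'AppData\Local\Microsoft\Outlook'
        foreach ($ost in Get-ChildItem -Path $ostDir -Filter '*.ost' -File -ErrorAction SilentlyContinue) {
            $status = 'Intact'
            if ($ost.LastWriteTime -ge $AttackStart) { $status = 'Review' }   # written during the attack window
            if (-not (Test-OstHeader $ost.FullName)) { $status = 'Damaged' }  # header gone: likely encrypted
            [pscustomobject]@{
                Computer  = $pc
                Profile   = $profile.Name
                Path      = $ost.FullName
                SizeMB    = [math]::Round($ost.Length / 1MB, 1)
                LastWrite = $ost.LastWriteTime
                Status    = $status
            }
        }
    }
}

# Show results grouped by status, largest files first, and save them for the recovery tracker.
$results | Sort-Object @{Expression = 'Status'}, @{Expression = 'SizeMB'; Descending = $true} | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path $ReportPath
```

Files marked Review should be opened in an isolated Outlook profile before being trusted; a missing OST on a machine that previously had one usually means the encryptor renamed it.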


"For the most part, the manufacturing operation showed little impact and we did not miss any customer shipments."

Over the following few weeks important milestones in the recovery project were completed in close cooperation between Progent consultants and the customer:

  • Internal web sites were returned to operation with no loss of information.
  • The MailStore Exchange Server containing more than four million archived messages was restored to operations and available for users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/AR/Inventory modules were 100 percent functional.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Ninety percent of the desktops and laptops were operational.

"So much of what transpired during the initial response is mostly a haze for me, but our team will not forget the care all of the team put in to give us our company back. I have been working together with Progent for at least 10 years, possibly more, and every time I needed help Progent has impressed me and delivered as promised. This time was the most impressive ever."

Conclusion
A probable business extinction disaster was averted due to top-tier professionals, a broad range of technical expertise, and close collaboration. Although in hindsight the ransomware incident detailed here would have been identified and stopped with up-to-date security technology solutions and best practices, user and IT administrator training, and properly executed security procedures for information protection and keeping systems up to date with security patches, the fact is that government-sponsored cyber criminals from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, feel confident that Progent's team of professionals has a proven track record in ransomware virus defense, cleanup, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were contributing), thank you for making it so I could get some sleep after we got through the initial fire. Everyone did an impressive job, and if any of your guys is around the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Denver a variety of remote monitoring and security evaluation services to assist you to minimize your vulnerability to crypto-ransomware. These services incorporate next-generation AI capability to uncover new variants of crypto-ransomware that can get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting edge behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which easily evade traditional signature-based AV products. ProSight ASM safeguards local and cloud-based resources and offers a single platform to manage the complete malware attack progression including protection, identification, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and responding to security threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge technologies packaged within a single agent accessible from a single console. Progent's security and virtualization consultants can assist your business to plan and implement a ProSight ESP environment that addresses your company's unique needs and that helps you prove compliance with legal and industry information security regulations. Progent will assist you define and configure policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent action. Progent's consultants can also help your company to set up and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with advanced backup technology providers to produce ProSight Data Protection Services, a family of subscription-based management offerings that provide backup-as-a-service. ProSight DPS products manage and track your backup operations and allow transparent backup and rapid restoration of vital files, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets your business avoid data loss caused by hardware failures, natural calamities, fire, malware such as ransomware, user mistakes, ill-intentioned employees, or software bugs. Managed services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to identify which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top information security companies to provide web-based control and world-class protection for your inbound and outbound email. The powerful architecture of Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne malware. Email Guard's Cloud Protection Layer acts as a first line of defense and blocks the vast majority of threats from making it to your network firewall. This reduces your exposure to external attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a further level of analysis for inbound email. For outbound email, the on-premises gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Exchange Server to track and safeguard internal email traffic that originates and ends within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for smaller organizations to map out, monitor, reconfigure and debug their networking appliances such as switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, captures and displays the configuration of almost all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating complex management and troubleshooting processes, ProSight WAN Watch can cut hours off ordinary chores such as making network diagrams, expanding your network, locating devices that need critical updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management techniques to keep your IT system running at peak levels by checking the state of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent immediately to your specified IT personnel and your assigned Progent engineering consultant so all looming problems can be addressed before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved easily to an alternate hosting environment without requiring a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard data related to your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSLs or warranties. By updating and managing your IT infrastructure documentation, you can eliminate up to 50% of time spent searching for vital information about your IT network. ProSight IT Asset Management features a common repository for storing and sharing all documents related to managing your business network such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection managed service that incorporates next generation behavior-based analysis tools to guard endpoints, servers and VMs against new malware assaults such as ransomware and email phishing, which routinely evade traditional signature-matching AV tools. Progent ASM services safeguard on-premises and cloud-based resources and provide a single platform to manage the complete threat lifecycle including blocking, infiltration detection, mitigation, remediation, and forensics. Key capabilities include one-click rollback using Windows VSS and automatic system-wide immunization against new attacks. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Desk: Call Center Managed Services
    Progent's Help Center managed services enable your IT team to outsource Call Center services to Progent or split responsibilities for Service Desk support seamlessly between your internal support team and Progent's nationwide pool of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a transparent extension of your corporate network support team. User interaction with the Help Desk, delivery of support, escalation, trouble ticket generation and tracking, performance metrics, and management of the support database are cohesive regardless of whether incidents are taken care of by your corporate support staff, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Service Center services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of any size a versatile and affordable solution for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving information network. In addition to maximizing the protection and reliability of your IT environment, Progent's software/firmware update management services allow your in-house IT team to focus on more strategic initiatives and activities that deliver the highest business value from your network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication. Duo supports single-tap identity confirmation with Apple iOS, Android, and other out-of-band devices. With 2FA, whenever you sign into a protected online account and enter your password you are asked to confirm your identity via a device that only you possess and that is accessed using a different ("out-of-band") network channel. A broad selection of out-of-band devices can be utilized for this second form of ID validation, such as an iPhone, an Android phone, a smartwatch, a hardware token, or a landline telephone. You may register several validation devices. To learn more about ProSight Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication services.
For Denver 24x7 CryptoLocker Remediation Help, contact Progent at 800-462-8800 or go to Contact Progent.