Ransomware: Your Feared Information Technology Disaster
Ransomware Remediation Consultants

Ransomware has become a modern cyber pandemic that represents an extinction-level danger for businesses poorly prepared for an assault. Older families such as the CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been around for years and still inflict harm. Newer variants like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with additional unnamed newcomers, not only encrypt on-line data but also infiltrate most accessible system backups. Files synched to cloud environments can also be encrypted. Where the data protection solution is vulnerable, this can render any recovery useless and effectively set the datacenter back to square one.

Restoring programs and information after a ransomware attack becomes a race against time as the victim tries its best to stop the spread, clear the ransomware, and restore business-critical operations. Because crypto-ransomware needs time to move laterally, attacks are usually launched on weekends, when successful attacks tend to take longer to notice. This compounds the difficulty of rapidly marshalling and coordinating an experienced response team.

Progent provides a variety of solutions for securing organizations from ransomware attacks. These include team member education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of modern security solutions with artificial intelligence technology from SentinelOne to identify and extinguish new cyber threats rapidly. Progent can also provide the assistance of veteran ransomware recovery engineers with the track record and perseverance to restore a breached network as urgently as possible.

Progent's Ransomware Restoration Help
Soon after a ransomware attack, paying the ransom in Bitcoin cryptocurrency does not guarantee that the cyber hackers will return the keys to decrypt any or all of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their files even after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the typical crypto-ransomware demand, which ZDNET determined to be approximately $13,000. The alternative is to rebuild the key parts of your Information Technology environment from scratch. Absent access to full information backups, this requires a wide range of skill sets, professional team management, and the capability to work non-stop until the recovery project is complete.

For decades, Progent has offered professional Information Technology services for companies in Los Angeles and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have earned advanced certifications in important technologies like Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity engineers have earned internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the skills to quickly identify the necessary systems, re-organize the surviving pieces of your Information Technology system after a ransomware penetration, and assemble them into an operational system.

Progent's ransomware team of experts utilizes best-of-breed project management applications to orchestrate the complex restoration process. Progent knows the urgency of acting rapidly and works together with a customer's management and Information Technology team members to assign priority to tasks and to put critical applications back on-line as fast as humanly possible.

Business Case Study: A Successful Ransomware Incident Recovery
A business contacted Progent after their organization was attacked by the Ryuk ransomware. Ryuk is believed to have been created by North Korean state sponsored hackers, possibly adopting approaches leaked from the United States NSA organization. Ryuk attacks specific organizations with little or no room for disruption and is one of the most lucrative iterations of ransomware viruses. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing company located in the Chicago metro area with around 500 staff members. The Ryuk attack had paralyzed all company operations and manufacturing processes. Most of the client's data backups had been on-line at the beginning of the intrusion and were damaged. The client was pursuing financing to pay the ransom (more than $200,000) and hoping for good luck, but ultimately reached out to Progent.

"I cannot speak enough about the support Progent provided us throughout the most fearful time of (our) business's existence. We would have paid the criminal gangs if it wasn't for the confidence the Progent group afforded us. The fact that you could get our e-mail system and production applications back on-line faster than seven days was incredible. Every single person I spoke to or e-mailed at Progent was laser focused on getting my company operational and was working at all hours to bail us out."

Progent worked hand in hand with the customer to quickly assess and prioritize the critical services that had to be addressed to make it possible to continue company operations:

  • Active Directory (AD)
  • Electronic Mail
  • Financials/MRP

To begin, Progent adhered to ransomware incident response best practices by halting lateral movement and cleaning up infected systems. Progent then started the work of recovering Windows Active Directory, the core service of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange email will not function without Active Directory, and the customer's accounting and MRP applications utilized Microsoft SQL Server, which requires Active Directory for access to the databases.

In less than two days, Progent was able to restore Windows Active Directory to its pre-virus state. Progent then rebuilt mission-critical servers and recovered their storage. All Exchange links and attributes were intact, which accelerated the restoration of Exchange. Progent was able to collect local OST data files (Microsoft Outlook Offline Folder Files) from various workstations in order to recover mail messages. A recent off-line backup of the client's accounting software made it possible to bring these vital applications back to users. Although significant work still had to be done to recover totally from the Ryuk virus, essential systems were returned to operation rapidly:

"For the most part, the production manufacturing operation showed little impact and we did not miss any customer shipments."

During the next few weeks, critical milestones in the recovery project were achieved through tight cooperation between Progent consultants and the client:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore Microsoft Exchange Server containing more than 4 million archived messages was brought on-line and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were completely operational.
  • A new Palo Alto 850 firewall was set up.
  • Ninety percent of the user desktops and notebooks were back in use by staff.

"Much of what transpired in the initial days is nearly entirely a haze for me, but my team will not soon forget the countless hours each of the team put in to give us our business back. I have been working with Progent for at least 10 years, maybe more, and each time I needed help Progent has shined and delivered. This situation was a Herculean accomplishment."

Conclusion
A potential business extinction catastrophe was averted due to top-tier professionals, a broad range of IT skills, and tight teamwork. Although the forensics completed afterwards showed that the ransomware incident detailed here should have been identified and blocked by current security solutions, NIST Cybersecurity Framework best practices, staff education, and properly executed procedures for backup and software patching, the reality remains that government-sponsored hackers from Russia, China and elsewhere are relentless and are not going away. If you do get hit by a ransomware incident, remember that Progent's roster of experts has extensive experience in crypto-ransomware virus blocking, remediation, and information systems restoration.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were contributing), thank you for letting me get rested after we got over the most critical parts. Everyone did an incredible job, and if anyone is in the Chicago area, dinner is on me!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Los Angeles a variety of remote monitoring and security evaluation services designed to help you minimize the threat from ransomware. These services utilize modern machine learning capability to uncover new variants of crypto-ransomware that are able to escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting-edge behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily escape traditional signature-matching anti-virus products. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform to automate the response across the complete malware attack progression, including filtering, detection, containment, cleanup, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable in-depth protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint control, and web filtering via leading-edge tools incorporated within one agent managed from a single console. Progent's security and virtualization consultants can assist you to plan and implement a ProSight ESP deployment that addresses your organization's specific requirements and that helps you achieve and demonstrate compliance with government and industry information protection regulations. Progent will assist you to specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent attention. Progent's consultants can also help your company to install and test a backup and restore system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with advanced backup technology providers to produce ProSight Data Protection Services, a portfolio of management outsourcing plans that provide backup-as-a-service. ProSight DPS services manage and track your data backup operations and enable transparent backup and fast restoration of critical files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss caused by hardware breakdown, natural calamities, fire, cyber attacks such as ransomware, human mistakes, malicious employees, or application bugs. Managed backup services in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can help you to identify which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the technology of leading information security companies to deliver centralized control and world-class protection for your email traffic. The Email Guard managed service integrates a Cloud Protection Layer with a local security gateway appliance to provide advanced protection against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter acts as a first line of defense and keeps most unwanted email from reaching your network firewall. This decreases your vulnerability to inbound threats and saves network bandwidth and storage. Email Guard's onsite security gateway appliance adds a deeper level of analysis for incoming email. For outgoing email, the local gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to track and protect internal email that stays within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map out, track, optimize and troubleshoot their connectivity appliances like routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are kept updated, copies and manages the configuration of almost all devices on your network, monitors performance, and generates notices when issues are discovered. By automating tedious management activities, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, reconfiguring your network, locating appliances that require critical updates, or resolving performance problems. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to keep your IT system running efficiently by checking the health of vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT management personnel and your assigned Progent consultant so that any potential issues can be resolved before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual host configured and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Because the system is virtualized, it can be moved easily to an alternate hardware environment without requiring a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information related to your network infrastructure, procedures, applications, and services. You can quickly locate passwords or IP addresses and be alerted about impending expirations of SSL certificates or domains. By updating and managing your network documentation, you can save up to half the time wasted trying to find critical information about your network. ProSight IT Asset Management includes a common location for holding and collaborating on all documents related to managing your business network, like recommended procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require when you need it. Read more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates next generation behavior-based analysis tools to guard endpoints, servers and VMs against modern malware attacks such as ransomware and file-less exploits, which easily escape legacy signature-based AV tools. Progent Active Security Monitoring services protect local and cloud resources and provide a single platform to automate the response across the entire malware attack lifecycle, including filtering, infiltration detection, containment, remediation, and post-attack forensics. Key features include single-click rollback with Windows VSS and real-time network-wide immunization against new threats. Find out more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Support Center managed services permit your IT group to offload Help Desk services to Progent or split responsibilities for support services seamlessly between your internal network support staff and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk offers a transparent supplement to your corporate network support group. End user interaction with the Service Desk, provision of support, issue escalation, trouble ticket creation and tracking, performance measurement, and maintenance of the support database are cohesive regardless of whether issues are taken care of by your internal network support group, by Progent, or by a combination. Read more about Progent's outsourced/shared Call Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management offer organizations of all sizes a flexible and cost-effective alternative for assessing, validating, scheduling, implementing, and documenting updates to your dynamic information network. Besides maximizing the protection and functionality of your IT environment, Progent's patch management services allow your in-house IT staff to focus on line-of-business projects and activities that derive maximum business value from your network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to defend against password theft through the use of two-factor authentication. Duo supports single-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. With 2FA, whenever you log into a secured online account and give your password, you are asked to verify your identity via a device that only you have and that uses a different network channel. A wide selection of devices can be used as this added form of authentication, including a smartphone or watch, a hardware token, or a landline phone. You can designate several verification devices. To learn more about ProSight Duo two-factor identity validation services, refer to Cisco Duo MFA two-factor authentication services.
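    The password-plus-second-factor login flow described above, shown in a generic form as an added example that is not Progent's or Cisco Duo's code. It implements a time-based one-time code (RFC 4226 HOTP / RFC 6238 TOTP) as the "something only you have" factor; Duo's push and hardware-token mechanisms work differently in detail, and the user name, password, salt and seed below are constructed for the demonstration (the seed is the RFC 6238 test seed, not a real credential).

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock
    drift. Comparison is constant-time so the check does not leak timing."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


# --- constructed user store for the demonstration (not a real directory) ---
DEMO_SALT = b"constructed-salt"                 # per-user random salt in practice
DEMO_TOTP_SEED = b"12345678901234567890"        # RFC 6238 test seed, not a real credential


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS = {
    "alice": {
        "password_hash": hash_password("correct horse battery staple", DEMO_SALT),
        "totp_seed": DEMO_TOTP_SEED,
    }
}


def login(username: str, password: str, code: str, at_time=None) -> bool:
    """First factor: the password (PBKDF2 hash, constant-time compare).
    Second factor: a one-time code from a device only the user holds.
    Both factors are evaluated on every attempt so a rejection does not tell
    the caller which factor was wrong, and unknown users cost the same time."""
    now = int(time.time()) if at_time is None else int(at_time)
    user = USERS.get(username)
    if user is None:
        hash_password(password, DEMO_SALT)   # burn the same time as a real lookup
        return False
    password_ok = hmac.compare_digest(hash_password(password, DEMO_SALT),
                                      user["password_hash"])
    code_ok = verify_totp(user["totp_seed"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed login attempt at Unix time 59 (the first RFC 6238 test instant).
    print("valid code accepted:", login("alice", "correct horse battery staple", totp(DEMO_TOTP_SEED, 59), 59))
    print("stale code rejected:", login("alice", "correct horse battery staple", totp(DEMO_TOTP_SEED, 59), 59 + 120))
```

    The stale-code case is the point of the second factor: a password captured by phishing is useless without a code that is only valid for a short window, and the window of one step either side is the usual compromise between usability and replay exposure.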

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of in-depth reporting plug-ins designed to integrate with the industry's leading ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues like spotty support follow-through or endpoints with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.

For 24/7/365 Los Angeles Crypto-Ransomware Remediation Consulting, call Progent at 800-462-8800 or go to Contact Progent.