Ransomware : Your Feared IT Disaster
Crypto-Ransomware Remediation Consultants
Ransomware has become a too-frequent cyber plague that poses an existential threat to organizations unprepared for an attack. Crypto-ransomware families such as CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock have been circulating for years and continue to cause damage. Newer families like Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nefilim, along with as yet unnamed newcomers, do not just encrypt online data files: they also disable or destroy the system protection mechanisms that would otherwise allow recovery, such as shadow copies and any backups reachable from the compromised network. Files synchronized to the cloud can be corrupted as well. In a poorly designed data protection solution this can make automatic restoration hopeless and effectively sets the entire environment back to zero.

Restoring services and data after a crypto-ransomware event becomes a sprint against the clock as the targeted organization fights to contain the damage, eradicate the malware, and bring enterprise-critical operations back. Because encryption takes time to spread across a network, attackers commonly trigger it on nights and weekends, when the intrusion may go unnoticed for longer. This multiplies the difficulty of promptly marshalling and organizing a qualified response team.
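The two paragraphs above describe attackers disabling system protection and triggering encryption off hours. The PowerShell below is added here as an example and is not Progent's or SentinelOne's tooling: it flags the commands that ransomware families such as Ryuk commonly run to wipe shadow copies and Windows recovery data just before encrypting, which on a night or weekend is often the earliest concrete signal a responder can act on. It reads Security event 4688 from the local host (command-line auditing must be enabled for the CommandLine field to be populated) and is shown running over constructed sample records; the hostnames, account names and timestamps in the sample are invented.

```powershell
# Added example (not Progent's or SentinelOne's code). Flags process-creation
# records whose command line matches what ransomware such as Ryuk typically
# runs to destroy recovery points before encrypting files.

$RecoveryKillPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',                 # vssadmin delete shadows /all /quiet
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',            # shrinking shadow storage evicts existing copies
    'wmic(\.exe)?\s+shadowcopy\s+delete',                   # wmic shadowcopy delete
    'Win32_ShadowCopy.*(Remove-WmiObject|Remove-CimInstance|\.Delete\(\))',
    'bcdedit(\.exe)?\s+/set\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)',
    'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)'
)

function Find-RecoveryKillCommands {
    # $Records: objects with TimeCreated, Computer, User and CommandLine properties
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($r in $Records) {
        foreach ($p in $RecoveryKillPatterns) {
            if ($r.CommandLine -match $p) {
                [pscustomobject]@{
                    TimeCreated = $r.TimeCreated
                    Computer    = $r.Computer
                    User        = $r.User
                    Pattern     = $p
                    CommandLine = $r.CommandLine
                }
                break    # one alert per record is enough
            }
        }
    }
}

function Get-ProcessCreationRecords {
    # Pulls Security event 4688 from the local log. The CommandLine field is
    # only populated when "Include command line in process creation events"
    # auditing is enabled; without it this check has nothing to match on.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                User        = $data['SubjectUserName']
                CommandLine = $data['CommandLine']
            }
        }
}

# Constructed sample records (hosts, accounts and times are invented) standing
# in for 4688 events from a Friday night; the first three are the classic
# pre-encryption sequence, the fourth is benign and must not be flagged.
$Sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2020-02-14T23:41:02'; Computer = 'FS01';   User = 'svc_backup'; CommandLine = 'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet' }
    [pscustomobject]@{ TimeCreated = [datetime]'2020-02-14T23:41:03'; Computer = 'FS01';   User = 'svc_backup'; CommandLine = 'bcdedit.exe /set {default} recoveryenabled No' }
    [pscustomobject]@{ TimeCreated = [datetime]'2020-02-14T23:41:05'; Computer = 'FS01';   User = 'svc_backup'; CommandLine = 'wbadmin delete catalog -quiet' }
    [pscustomobject]@{ TimeCreated = [datetime]'2020-02-14T09:12:44'; Computer = 'WS-017'; User = 'jsmith';     CommandLine = '"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"' }
)

Find-RecoveryKillCommands -Records $Sample | Format-Table -AutoSize
# For a live host: Find-RecoveryKillCommands -Records (Get-ProcessCreationRecords)
```

Three of the four sample records are flagged. In a real deployment the same patterns belong in the SIEM or EDR rule set so the alert fires centrally rather than on the host that is about to be encrypted, and a hit from a service account outside business hours should be treated as an active intrusion, not a maintenance task.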

Progent offers a range of services for securing organizations against ransomware events. These include staff education to recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of modern security solutions with machine learning technology from SentinelOne to detect and disable zero-day threats. Progent also offers the services of seasoned ransomware recovery consultants with the track record and perseverance to redeploy a compromised system as urgently as possible.

Progent's Ransomware Recovery Help
Paying the ransom in cryptocurrency does not guarantee that the attackers will hand over working keys to decrypt any or all of your files. Kaspersky found that 17% of ransomware victims never recovered their files after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms are typically several hundred thousand dollars, and for larger organizations can run into the millions. The alternative is to rebuild the mission-critical elements of your IT environment from scratch. Without complete backups, this requires a wide range of skill sets, professional team management, and the willingness to work around the clock until the job is done.

For two decades, Progent has provided professional IT services for companies throughout the United States and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have been awarded high-level industry certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0. (See Progent's certifications). Progent also has experience in accounting and ERP application software. This breadth of expertise allows Progent to quickly determine which systems are essential, salvage the surviving parts of your IT environment after a ransomware attack, and assemble them into a functioning whole.

Progent's security group uses top-notch project management tools to orchestrate the complex restoration process. Progent knows the importance of working quickly and in unison with a customer's management and IT staff to prioritize tasks and put essential applications back online as soon as possible.

Customer Case Study: A Successful Ransomware Penetration Response
A client escalated to Progent after their network was penetrated by Ryuk crypto-ransomware. Ryuk was at first attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware; later analysis attributes it to a Russian-speaking criminal group. Ryuk operators target organizations with little tolerance for downtime, and the family has been one of the most profitable in circulation. Publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company in Chicago with around 500 employees. The Ryuk intrusion had shut down all essential business and manufacturing operations. Most of the client's system backups had been online when the intrusion began and were rendered unusable. The client was weighing payment of the ransom (in excess of $200K) and hoping for the best, but in the end called Progent.


"I cannot thank you enough for the expertise Progent gave us throughout the most stressful time of (our) business's existence. We would have paid the hackers behind this attack except for the confidence the Progent experts afforded us. The fact that you were able to get our e-mail system and key servers back on-line in less than seven days was beyond my wildest dreams. Every single person I talked with or texted at Progent was totally committed to getting us working again and was working at all hours to bail us out."

Progent worked hand in hand with the customer to rapidly identify and prioritize the critical services that had to be addressed to make it possible to resume company operations:

  • Active Directory (AD)
  • Electronic Messaging
  • Financials/MRP
To begin, Progent followed incident response best practice for malware outbreaks: halt the spread, then clean up compromised systems. Progent then started rebuilding Active Directory, the foundation of an enterprise environment built on Microsoft Windows Server. Microsoft Exchange Server messaging will not work without Active Directory, and the business's financials and MRP system ran on Microsoft SQL Server, which relied on Active Directory for authentication and access to the databases.

In less than 48 hours, Progent restored Active Directory to its pre-attack state. Progent then pressed ahead with rebuilding key applications and recovering data from their disks. All of the Exchange Server attributes on the Active Directory objects were intact, which greatly simplified the rebuild of Exchange. Progent was able to locate Outlook Offline Data Files (OST files) on staff PCs and use those local caches to recover email. A fairly recent offline backup of the business's financials/ERP system (offline, and so out of the attacker's reach) made it possible to bring those essential applications back into service. Although significant work remained to recover completely from Ryuk, the most important systems were returned to operation rapidly:
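The Active Directory and email recovery steps described above, as an added PowerShell example that is not Progent's own procedure. It assumes the ActiveDirectory module on the recovery host and administrative C$ share access to workstations; the hostnames passed in are placeholders. The first function confirms that user objects still carry the Exchange mailbox attributes (homeMDB and msExchMailboxGuid) that the Exchange rebuild depends on and lists any mail-addressed users that lost them. The second inventories Outlook OST caches on workstations and checks that each file still begins with the PST/OST header magic "!BDN", so a cache the ransomware encrypted or renamed is not counted as recoverable mail.

```powershell
# Added example (not Progent's procedure). Run from the recovery host after
# Active Directory has been restored. Requires the ActiveDirectory module and
# admin-share (C$) access to workstations; hostnames are placeholders.
Import-Module ActiveDirectory

function Get-MailboxAttributeSummary {
    # homeMDB and msExchMailboxGuid bind a user object to its mailbox. Users
    # that carry a mail address but lack them will need to be mail-enabled
    # again once Exchange is rebuilt, so list them up front.
    $users       = @(Get-ADUser -Filter 'enabled -eq $true' -Properties homeMDB, msExchMailboxGuid, mail)
    $withMailbox = @($users | Where-Object { $_.homeMDB -and $_.msExchMailboxGuid })
    $orphaned    = @($users | Where-Object { $_.mail -and -not ($_.homeMDB -and $_.msExchMailboxGuid) })
    [pscustomobject]@{
        EnabledUsers     = $users.Count
        WithMailboxAttrs = $withMailbox.Count
        MissingAttrs     = $orphaned.SamAccountName
    }
}

function Test-OstHeader {
    # PST/OST files start with the 4-byte magic "!BDN"; an encrypted cache does not.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 4
        $n   = $fs.Read($buf, 0, 4)
        return ($n -eq 4 -and [System.Text.Encoding]::ASCII.GetString($buf) -eq '!BDN')
    } finally {
        $fs.Dispose()
    }
}

function Get-OstInventory {
    # Walks every profile on each workstation. The filter is '*.ost*' rather
    # than '*.ost' so caches the ransomware renamed with an extra extension are
    # still listed; HeaderOK then tells you whether the content survived.
    param([Parameter(Mandatory)][string[]]$Computers)
    foreach ($c in $Computers) {
        $usersRoot = "\\$c\C$\Users"
        if (-not (Test-Path $usersRoot)) {
            [pscustomobject]@{ Computer = $c; User = $null; Path = $null; SizeMB = $null; LastWrite = $null; HeaderOK = $null; Note = 'unreachable' }
            continue
        }
        foreach ($u in Get-ChildItem -Path $usersRoot -Directory) {
            $ostDir = Join-Path $u.FullName 'AppData\Local\Microsoft\Outlook'
            foreach ($f in Get-ChildItem -Path $ostDir -Filter '*.ost*' -File -ErrorAction SilentlyContinue) {
                [pscustomobject]@{
                    Computer  = $c
                    User      = $u.Name
                    Path      = $f.FullName
                    SizeMB    = [math]::Round($f.Length / 1MB, 1)
                    LastWrite = $f.LastWriteTime
                    HeaderOK  = Test-OstHeader -Path $f.FullName
                    Note      = ''
                }
            }
        }
    }
}

Get-MailboxAttributeSummary | Format-List

$Workstations = @('WS-001', 'WS-002')    # placeholder hostnames; use your asset inventory
Get-OstInventory -Computers $Workstations |
    Sort-Object -Property HeaderOK, SizeMB -Descending |
    Format-Table -AutoSize
```

An OST can only be opened by the Outlook profile that created it, so before a profile is pointed at the rebuilt mailbox, export the cache to a PST from the workstation with Outlook in offline mode (or with a conversion tool). Once the profile reconnects to a new mailbox, Outlook creates a fresh cache and the old one goes unused, which is why the inventory should be taken, and the largest intact caches exported, before users are reconnected.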


"For the most part, the manufacturing operation never missed a beat and we did not miss any customer sales."

During the next few weeks critical milestones in the recovery process were accomplished through close collaboration between Progent team members and the customer:

  • Self-hosted web sites were brought back up without losing any data.
  • The MailStore email archive for Microsoft Exchange Server, holding more than 4 million archived messages, was restored to operation and made available to users.
  • CRM/Product Ordering/Invoicing/AP/AR/Inventory Control capabilities were fully restored.
  • A new Palo Alto 850 firewall was brought online.
  • Most of the desktops and laptops were operational.

"A lot of what transpired that first week is mostly a blur for me, but my management will not soon forget the countless hours all of you put in to help get our company back. I've been working with Progent for at least 10 years, possibly more, and every time I needed help Progent has shined and delivered. This situation was a stunning achievement."

Conclusion
A potential business catastrophe was avoided through dedicated professionals, a broad range of expertise, and tight teamwork. In hindsight, the incident described here could have been detected and prevented with modern security tooling and best practices, staff education, an incident response plan, backups kept offline or otherwise out of the attacker's reach, and systems kept current with security patches. The reality, though, is that criminal cyber gangs, some of them state-sponsored, operating from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incident, remember that Progent's team of professionals has proven experience in ransomware blocking, cleanup, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for making it so I could get rested after we made it through the initial push. Everyone did an incredible job, and if anyone that helped is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Los Angeles a portfolio of online monitoring and security assessment services to assist you to reduce your vulnerability to ransomware. These services include modern AI capability to uncover zero-day variants of ransomware that are able to evade legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting-edge behavior-based machine learning technology to defend physical and virtual endpoints against new malware assaults such as ransomware and email phishing, which easily get by traditional signature-based anti-virus tools. ProSight ASM protects on-premises and cloud resources and provides a single platform to automate the entire threat lifecycle including filtering, detection, mitigation, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Because rollback depends on shadow copies still being present, it only works when the agent blocks the shadow-copy deletion that ransomware typically attempts before encrypting, so it complements rather than replaces offline backups. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable multi-layer protection for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering via cutting-edge tools incorporated within a single agent accessible from a unified control. Progent's data protection and virtualization experts can assist your business to design and implement a ProSight ESP environment that addresses your organization's unique needs and that helps you prove compliance with government and industry information security standards. Progent will assist you specify and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent can also assist your company to set up and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with advanced backup/restore technology companies to produce ProSight Data Protection Services (DPS), a selection of subscription-based management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup operations and enable non-disruptive backup and fast recovery of critical files/folders, applications, images, and virtual machines. ProSight DPS lets you recover from data loss resulting from equipment breakdown, natural calamities, fire, malware like ransomware, human mistakes, malicious insiders, or software bugs. Managed services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of top data security vendors to deliver web-based management and comprehensive protection for your email traffic. The hybrid architecture of the Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer complete defense against spam, viruses, denial-of-service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter acts as a first line of defense and blocks most unwanted email from reaching your network firewall. This decreases your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises gateway device adds a further level of analysis for incoming email. For outgoing email, the onsite gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also help Exchange Server to monitor and safeguard internal email that stays within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, optimize and debug their networking appliances like routers and switches, firewalls, and load balancers plus servers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept current, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and generates notices when issues are discovered. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, finding appliances that require important software patches, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management technology to help keep your network running efficiently by checking the state of vital computers that drive your business network. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT management staff and your assigned Progent consultant so all looming issues can be addressed before they can impact productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Because the system is virtualized, it can be ported immediately to a different hosting environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted about impending expirations of SSL certificates or warranties. By cleaning up and organizing your IT documentation, you can eliminate up to half of time wasted looking for vital information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that utilizes next-generation behavior analysis technology to defend endpoint devices and physical and virtual servers against new malware attacks such as ransomware and email phishing, which easily get by traditional signature-based AV tools. Progent Active Security Monitoring services safeguard local and cloud-based resources and provide a single platform to address the complete threat lifecycle including blocking, identification, mitigation, remediation, and forensics. Top features include one-click rollback with Windows VSS and automatic system-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Call Center: Support Desk Managed Services
    Progent's Support Desk services allow your IT group to outsource Support Desk services to Progent or split activity for support services transparently between your internal network support resources and Progent's extensive roster of IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a smooth supplement to your corporate support resources. End user interaction with the Service Desk, provision of technical assistance, escalation, ticket generation and updates, efficiency measurement, and maintenance of the support database are cohesive whether incidents are resolved by your corporate IT support staff, by Progent, or a mix of the two. Find out more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide organizations of any size a flexible and cost-effective alternative for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT system. Besides optimizing the protection and functionality of your computer network, Progent's software/firmware update management services permit your in-house IT team to concentrate on line-of-business initiatives and tasks that derive the highest business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication services incorporate Cisco's Duo technology to protect against compromised passwords by using two-factor authentication. Duo enables single-tap identity verification with Apple iOS, Google Android, and other personal devices. With 2FA, whenever you sign into a secured application and enter your password you are requested to verify your identity via a device that only you possess and that is accessed using a different network channel. A wide range of devices can be utilized as this second form of ID validation such as a smartphone or wearable, a hardware token, a landline phone, etc. You may register multiple validation devices. To find out more about ProSight Duo identity authentication services, go to Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing line of real-time and in-depth reporting utilities designed to integrate with the top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues such as spotty support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.
For 24/7/365 Los Angeles CryptoLocker Cleanup Experts, call Progent at 800-462-8800 or go to Contact Progent.