Ransomware : Your Feared IT Disaster
Crypto-Ransomware  Remediation ConsultantsRansomware has become an escalating cyberplague that presents an enterprise-level threat for businesses of all sizes unprepared for an assault. Different versions of crypto-ransomware such as CryptoLocker, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been replicating for years and still inflict havoc. The latest versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, along with frequent unnamed newcomers, not only do encryption of on-line critical data but also infect many accessible system protection mechanisms. Information replicated to the cloud can also be encrypted. In a poorly architected environment, it can render any restoration hopeless and basically knocks the datacenter back to square one.

Retrieving applications and data following a crypto-ransomware intrusion becomes a race against time as the victim tries its best to stop the spread and clear the ransomware and to resume mission-critical operations. Since ransomware requires time to replicate, attacks are often sprung during weekends and nights, when successful attacks may take longer to uncover. This multiplies the difficulty of rapidly mobilizing and orchestrating a qualified response team.

Progent offers a variety of solutions for securing enterprises from ransomware attacks. Among these are team training to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of next-generation security gateways with AI technology from SentinelOne to detect and quarantine new cyber threats rapidly. Progent in addition offers the services of expert ransomware recovery professionals with the talent and commitment to reconstruct a breached network as rapidly as possible.

Progent's Crypto-Ransomware Restoration Services
Soon after a crypto-ransomware penetration, even paying the ransom in cryptocurrency does not provide any assurance that distant criminals will respond with the needed keys to decrypt any of your information. Kaspersky Labs ascertained that 17% of ransomware victims never restored their files after having sent off the ransom, resulting in increased losses. The risk is also expensive. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the average ransomware demands, which ZDNET determined to be around $13,000. The other path is to piece back together the critical components of your IT environment. Without the availability of complete data backups, this calls for a broad range of IT skills, well-coordinated project management, and the ability to work non-stop until the task is over.

For twenty years, Progent has provided expert IT services for businesses in Los Angeles and throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned top certifications in important technologies such as Microsoft, Cisco, VMware, and major distros of Linux. Progent's cybersecurity engineers have garnered internationally-renowned certifications including CISA, CISSP, CRISC, and GIAC. (Refer to Progent's certifications). Progent in addition has experience in accounting and ERP applications. This breadth of experience provides Progent the capability to efficiently understand necessary systems and organize the surviving pieces of your IT environment after a ransomware event and configure them into a functioning network.

Progent's security group has best of breed project management systems to orchestrate the complicated restoration process. Progent appreciates the importance of acting quickly and in unison with a customer's management and IT team members to assign priority to tasks and to put the most important services back online as fast as possible.

Client Case Study: A Successful Ransomware Penetration Response
A small business escalated to Progent after their network was brought down by the Ryuk ransomware. Ryuk is thought to have been deployed by Northern Korean state sponsored hackers, possibly using technology exposed from the United States NSA organization. Ryuk goes after specific organizations with limited tolerance for operational disruption and is among the most profitable incarnations of crypto-ransomware. Major targets include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business headquartered in Chicago and has around 500 workers. The Ryuk event had paralyzed all essential operations and manufacturing processes. The majority of the client's backups had been on-line at the start of the intrusion and were eventually encrypted. The client was taking steps for paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately made the decision to use Progent.


"I can't thank you enough in regards to the support Progent provided us throughout the most fearful time of (our) company's survival. We most likely would have paid the criminal gangs if it wasn't for the confidence the Progent group afforded us. That you were able to get our messaging and important servers back in less than one week was something I thought impossible. Every single consultant I talked with or texted at Progent was totally committed on getting us operational and was working at all hours to bail us out."

Progent worked with the client to quickly identify and prioritize the critical applications that needed to be recovered in order to resume business functions:

  • Microsoft Active Directory
  • E-Mail
  • Financials/MRP
To get going, Progent followed ransomware event response industry best practices by halting lateral movement and disinfecting systems. Progent then started the work of restoring Microsoft Active Directory, the key technology of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not function without Active Directory, and the customer's financials and MRP software used Microsoft SQL, which depends on Active Directory for authentication to the information.

Within 48 hours, Progent was able to re-build Active Directory to its pre-virus state. Progent then charged ahead with reinstallations and storage recovery of needed applications. All Microsoft Exchange Server ties and configuration information were usable, which facilitated the restore of Exchange. Progent was also able to collect intact OST files (Microsoft Outlook Off-Line Folder Files) on various desktop computers in order to recover mail information. A not too old offline backup of the customer's accounting software made it possible to recover these vital services back online. Although a large amount of work remained to recover completely from the Ryuk attack, critical systems were recovered rapidly:


"For the most part, the production line operation showed little impact and we produced all customer orders."

Throughout the following few weeks critical milestones in the restoration process were completed through tight cooperation between Progent engineers and the client:

  • In-house web applications were restored without losing any data.
  • The MailStore Exchange Server exceeding 4 million historical messages was brought online and available for users.
  • CRM/Orders/Invoices/AP/AR/Inventory modules were 100 percent functional.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Ninety percent of the user desktops were operational.

"A lot of what happened in the initial days is nearly entirely a fog for me, but my management will not soon forget the commitment each of the team put in to help get our company back. I've been working together with Progent for the past ten years, maybe more, and each time Progent has outperformed my expectations and delivered. This situation was the most impressive ever."

Conclusion
A probable enterprise-killing disaster was avoided with top-tier professionals, a broad array of IT skills, and close collaboration. Although upon completion of forensics the crypto-ransomware virus incident detailed here would have been shut down with current security systems and best practices, user education, and properly executed security procedures for data backup and proper patching controls, the fact remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a crypto-ransomware penetration, feel confident that Progent's team of experts has substantial experience in ransomware virus defense, remediation, and file recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for making it so I could get some sleep after we made it over the initial push. Everyone did an fabulous effort, and if any of your guys is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Los Angeles a portfolio of remote monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services incorporate next-generation AI technology to detect zero-day strains of ransomware that can get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's next generation behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-based AV products. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to address the complete threat progression including protection, detection, mitigation, cleanup, and forensics. Key capabilities include single-click rollback with Windows VSS and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver economical in-depth security for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device management, and web filtering via leading-edge technologies packaged within one agent accessible from a unified console. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP environment that addresses your organization's unique needs and that allows you achieve and demonstrate compliance with government and industry information protection standards. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for immediate attention. Progent can also assist you to set up and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore software providers to produce ProSight Data Protection Services (DPS), a family of management offerings that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup operations and allow transparent backup and rapid recovery of critical files, applications, system images, and VMs. ProSight DPS helps you recover from data loss resulting from hardware failures, natural calamities, fire, cyber attacks such as ransomware, user error, malicious employees, or application glitches. Managed backup services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top information security companies to provide centralized control and comprehensive security for your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to provide advanced defense against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne malware. The cloud filter serves as a preliminary barricade and blocks most unwanted email from reaching your security perimeter. This reduces your vulnerability to external threats and conserves network bandwidth and storage space. Email Guard's onsite gateway device adds a further layer of analysis for incoming email. For outgoing email, the onsite gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The onsite gateway can also assist Exchange Server to track and protect internal email that originates and ends within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for smaller businesses to diagram, monitor, optimize and debug their connectivity hardware like routers, firewalls, and wireless controllers as well as servers, client computers and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that network maps are always updated, copies and displays the configuration of almost all devices connected to your network, monitors performance, and sends notices when potential issues are detected. By automating complex management activities, ProSight WAN Watch can knock hours off ordinary chores like making network diagrams, reconfiguring your network, locating devices that require critical updates, or resolving performance issues. Learn more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to keep your network operating at peak levels by checking the state of vital assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your specified IT personnel and your assigned Progent engineering consultant so that all looming issues can be resolved before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected Tier III data center on a fast virtual host configured and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported easily to a different hosting environment without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, find and protect information about your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be warned automatically about impending expirations of SSLs or warranties. By cleaning up and managing your network documentation, you can eliminate up to 50% of time wasted looking for critical information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether you're making improvements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require as soon as you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates next generation behavior-based machine learning tools to defend endpoints and servers and VMs against new malware assaults such as ransomware and file-less exploits, which easily get by traditional signature-matching anti-virus tools. Progent ASM services safeguard local and cloud resources and offers a unified platform to automate the complete malware attack progression including blocking, infiltration detection, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Center: Support Desk Managed Services
    Progent's Support Center managed services allow your IT staff to offload Call Center services to Progent or split activity for Service Desk support seamlessly between your in-house network support group and Progent's extensive roster of IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a smooth extension of your core network support group. User access to the Help Desk, provision of technical assistance, escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the service database are cohesive regardless of whether incidents are resolved by your in-house support resources, by Progent, or by a combination. Find out more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of all sizes a flexible and cost-effective solution for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your dynamic IT system. Besides maximizing the protection and reliability of your computer environment, Progent's patch management services free up time for your in-house IT staff to concentrate on line-of-business initiatives and tasks that derive maximum business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against password theft through the use of two-factor authentication. Duo enables one-tap identity verification with iOS, Android, and other personal devices. With 2FA, whenever you sign into a secured online account and give your password you are requested to verify your identity on a unit that only you possess and that uses a different ("out-of-band") network channel. A broad selection of out-of-band devices can be utilized as this second form of ID validation including a smartphone or wearable, a hardware token, a landline phone, etc. You can register multiple verification devices. For details about Duo identity validation services, refer to Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing line of real-time and in-depth management reporting plug-ins created to integrate with the top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-through or machines with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
For Los Angeles 24-Hour CryptoLocker Repair Support Services, contact Progent at 800-462-8800 or go to Contact Progent.