Ransomware : Your Crippling IT Catastrophe
Ransomware  Remediation ExpertsRansomware has become an escalating cyberplague that poses an extinction-level threat for businesses of all sizes unprepared for an attack. Versions of crypto-ransomware such as CrySIS, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been circulating for years and continue to inflict damage. Recent variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, plus additional as yet unnamed malware, not only encrypt on-line files but also infect all available system backups. Files synched to cloud environments can also be ransomed. In a poorly designed data protection solution, it can make automated restoration useless and effectively sets the entire system back to zero.

Restoring programs and information following a ransomware outage becomes a sprint against the clock as the targeted business tries its best to stop lateral movement, cleanup the crypto-ransomware, and resume mission-critical operations. Because ransomware needs time to spread, penetrations are usually launched during nights and weekends, when successful penetrations are likely to take more time to identify. This compounds the difficulty of quickly mobilizing and orchestrating a qualified mitigation team.

Progent has a variety of services for securing enterprises from crypto-ransomware penetrations. These include team member training to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of next-generation security solutions with machine learning capabilities from SentinelOne to identify and suppress new threats quickly. Progent in addition can provide the services of veteran ransomware recovery professionals with the skills and commitment to rebuild a breached system as rapidly as possible.

Progent's Ransomware Recovery Services
Subsequent to a ransomware attack, even paying the ransom in cryptocurrency does not ensure that cyber criminals will provide the keys to unencrypt any of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their data after having sent off the ransom, resulting in increased losses. The risk is also very costly. Ryuk ransoms are typically several hundred thousand dollars. For larger enterprises, the ransom demand can reach millions of dollars. The other path is to setup from scratch the mission-critical elements of your Information Technology environment. Absent the availability of full system backups, this requires a broad complement of IT skills, top notch team management, and the willingness to work non-stop until the job is finished.

For decades, Progent has offered certified expert Information Technology services for companies throughout the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have attained high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have earned internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (Refer to Progent's certifications). Progent in addition has expertise in financial management and ERP application software. This breadth of expertise gives Progent the ability to knowledgably identify necessary systems and integrate the surviving parts of your IT system following a ransomware event and assemble them into an operational system.

Progent's security group has state-of-the-art project management systems to coordinate the complicated recovery process. Progent understands the importance of working rapidly and in concert with a customer's management and Information Technology resources to prioritize tasks and to get critical systems back online as fast as possible.

Business Case Study: A Successful Ransomware Incident Recovery
A business escalated to Progent after their company was brought down by the Ryuk ransomware. Ryuk is thought to have been developed by Northern Korean government sponsored cybercriminals, suspected of adopting technology exposed from the United States NSA organization. Ryuk goes after specific organizations with little tolerance for operational disruption and is among the most profitable iterations of ransomware viruses. Major organizations include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area and has about 500 employees. The Ryuk intrusion had brought down all essential operations and manufacturing capabilities. The majority of the client's system backups had been directly accessible at the time of the intrusion and were destroyed. The client was actively seeking loans for paying the ransom demand (in excess of $200K) and wishfully thinking for good luck, but in the end engaged Progent.


"I cannot tell you enough about the support Progent provided us during the most fearful period of (our) businesses survival. We had little choice but to pay the Hackers except for the confidence the Progent experts gave us. The fact that you could get our e-mail and important servers back into operation quicker than one week was amazing. Each consultant I worked with or texted at Progent was totally committed on getting us restored and was working non-stop on our behalf."

Progent worked hand in hand the customer to quickly determine and prioritize the key services that had to be addressed to make it possible to restart departmental operations:

  • Active Directory (AD)
  • Exchange Server
  • Accounting and Manufacturing Software
To begin, Progent followed ransomware event response industry best practices by isolating and disinfecting systems. Progent then initiated the process of recovering Active Directory, the heart of enterprise environments built upon Microsoft technology. Microsoft Exchange Server email will not operate without AD, and the customer's accounting and MRP software utilized Microsoft SQL Server, which depends on Windows AD for access to the databases.

In less than two days, Progent was able to rebuild Active Directory to its pre-virus state. Progent then helped perform rebuilding and storage recovery of needed servers. All Exchange data and configuration information were usable, which facilitated the rebuild of Exchange. Progent was able to find non-encrypted OST files (Outlook Email Offline Data Files) on team workstations and laptops to recover mail information. A not too old off-line backup of the businesses accounting/ERP systems made them able to recover these essential applications back online for users. Although a large amount of work needed to be completed to recover totally from the Ryuk attack, core systems were restored rapidly:


"For the most part, the production manufacturing operation never missed a beat and we made all customer shipments."

During the next few weeks key milestones in the restoration process were achieved in close collaboration between Progent team members and the customer:

  • Internal web applications were restored without losing any data.
  • The MailStore Microsoft Exchange Server exceeding 4 million historical messages was brought on-line and available for users.
  • CRM/Product Ordering/Invoicing/AP/AR/Inventory capabilities were 100 percent functional.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Most of the user desktops and notebooks were being used by staff.

"So much of what occurred those first few days is nearly entirely a blur for me, but our team will not soon forget the care each and every one of the team put in to help get our company back. I have utilized Progent for the past 10 years, possibly more, and each time Progent has shined and delivered as promised. This event was the most impressive ever."

Conclusion
A likely business catastrophe was dodged through the efforts of top-tier professionals, a wide array of IT skills, and close teamwork. Although upon completion of forensics the ransomware attack detailed here would have been stopped with modern cyber security solutions and ISO/IEC 27001 best practices, team education, and well designed incident response procedures for data backup and proper patching controls, the fact remains that government-sponsored hackers from Russia, China and elsewhere are tireless and will continue. If you do fall victim to a crypto-ransomware virus, remember that Progent's team of experts has substantial experience in crypto-ransomware virus defense, remediation, and file recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), thanks very much for letting me get rested after we got over the initial fire. Everyone did an fabulous effort, and if any of your guys is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide businesses in Charlotte a range of online monitoring and security assessment services to help you to minimize the threat from crypto-ransomware. These services include next-generation AI capability to uncover new strains of crypto-ransomware that are able to get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's cutting edge behavior analysis technology to guard physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which routinely evade traditional signature-based anti-virus tools. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a single platform to manage the entire malware attack lifecycle including filtering, detection, mitigation, remediation, and forensics. Top features include single-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection services deliver ultra-affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge technologies incorporated within one agent accessible from a single control. Progent's security and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that addresses your company's unique requirements and that allows you prove compliance with legal and industry information security standards. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate attention. Progent can also assist your company to install and verify a backup and restore solution such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with leading backup technology providers to produce ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS products automate and monitor your data backup operations and enable non-disruptive backup and fast restoration of important files, apps, system images, plus virtual machines. ProSight DPS lets your business avoid data loss resulting from equipment breakdown, natural disasters, fire, malware such as ransomware, human error, malicious employees, or application bugs. Managed services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security vendors to provide web-based control and comprehensive security for your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. The Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of threats from making it to your network firewall. This decreases your vulnerability to inbound attacks and saves network bandwidth and storage. Email Guard's onsite security gateway device adds a deeper layer of analysis for incoming email. For outgoing email, the local security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also assist Exchange Server to track and safeguard internal email that originates and ends within your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, track, enhance and debug their connectivity hardware such as routers and switches, firewalls, and wireless controllers as well as servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and displays the configuration information of almost all devices on your network, monitors performance, and sends notices when potential issues are discovered. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off common tasks like network mapping, expanding your network, finding devices that need critical updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your IT system running efficiently by checking the state of critical assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management staff and your Progent consultant so that all potential problems can be resolved before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be moved immediately to a different hosting environment without a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and safeguard data related to your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can save up to 50% of time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates cutting edge behavior-based analysis tools to defend endpoint devices as well as physical and virtual servers against modern malware attacks like ransomware and email phishing, which routinely get by traditional signature-based anti-virus tools. Progent ASM services protect on-premises and cloud resources and provides a unified platform to manage the entire threat progression including filtering, infiltration detection, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Call Center: Support Desk Managed Services
    Progent's Call Center managed services permit your information technology team to outsource Call Center services to Progent or divide responsibilities for support services seamlessly between your in-house network support resources and Progent's nationwide pool of IT service engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a transparent supplement to your corporate network support staff. End user interaction with the Service Desk, provision of technical assistance, escalation, ticket creation and updates, performance metrics, and maintenance of the support database are cohesive whether incidents are resolved by your internal network support group, by Progent's team, or both. Find out more about Progent's outsourced/shared Help Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer organizations of all sizes a flexible and cost-effective alternative for assessing, validating, scheduling, applying, and documenting updates to your dynamic information network. In addition to optimizing the protection and reliability of your IT network, Progent's patch management services allow your in-house IT staff to focus on more strategic initiatives and activities that derive the highest business value from your network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to protect against password theft by using two-factor authentication. Duo supports one-tap identity confirmation with Apple iOS, Android, and other personal devices. With Duo 2FA, whenever you sign into a secured application and give your password you are requested to confirm your identity on a unit that only you possess and that uses a separate network channel. A wide selection of devices can be utilized for this added means of authentication such as an iPhone or Android or wearable, a hardware/software token, a landline phone, etc. You can designate several validation devices. To learn more about ProSight Duo two-factor identity authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding suite of in-depth management reporting tools created to work with the top ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues such as spotty support follow-through or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For 24x7 Charlotte Ransomware Cleanup Experts, call Progent at 800-462-8800 or go to Contact Progent.