Ransomware : Your Feared IT Catastrophe
Ransomware  Recovery ConsultantsRansomware has become an escalating cyber pandemic that poses an existential threat for organizations poorly prepared for an assault. Multiple generations of ransomware such as Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for many years and still inflict havoc. Modern versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as daily as yet unnamed newcomers, not only encrypt on-line data files but also infect all configured system protection mechanisms. Files replicated to off-site disaster recovery sites can also be ransomed. In a poorly designed data protection solution, this can render automatic restoration hopeless and effectively sets the datacenter back to zero.

Restoring applications and data following a ransomware intrusion becomes a sprint against time as the targeted organization struggles to stop the spread and clear the virus and to resume business-critical activity. Because ransomware requires time to replicate, penetrations are usually sprung during nights and weekends, when penetrations tend to take more time to recognize. This compounds the difficulty of quickly marshalling and coordinating a capable response team.

Progent provides an assortment of solutions for securing organizations from crypto-ransomware events. These include team education to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security appliances with AI capabilities from SentinelOne to identify and quarantine zero-day threats rapidly. Progent also provides the services of experienced crypto-ransomware recovery engineers with the skills and commitment to restore a breached system as quickly as possible.

Progent's Ransomware Recovery Help
Following a ransomware event, sending the ransom in Bitcoin cryptocurrency does not guarantee that cyber hackers will respond with the needed codes to decrypt any of your data. Kaspersky Labs determined that seventeen percent of crypto-ransomware victims never recovered their data after having sent off the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly above the typical ransomware demands, which ZDNET determined to be approximately $13,000. The other path is to piece back together the vital components of your Information Technology environment. Without the availability of full information backups, this calls for a wide complement of IT skills, professional project management, and the ability to work non-stop until the recovery project is complete.

For two decades, Progent has made available expert IT services for businesses in Lubbock and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have been awarded advanced certifications in important technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have garnered internationally-recognized industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has experience with accounting and ERP application software. This breadth of experience provides Progent the ability to quickly identify critical systems and consolidate the remaining pieces of your computer network environment after a ransomware attack and assemble them into an operational network.

Progent's recovery team has top notch project management systems to orchestrate the sophisticated recovery process. Progent knows the importance of acting rapidly and in unison with a customer's management and Information Technology team members to prioritize tasks and to put the most important services back online as soon as possible.

Case Study: A Successful Crypto-Ransomware Incident Restoration
A small business engaged Progent after their network was crashed by Ryuk ransomware. Ryuk is generally considered to have been created by Northern Korean state criminal gangs, possibly adopting techniques leaked from America's NSA organization. Ryuk seeks specific businesses with little ability to sustain operational disruption and is one of the most lucrative examples of ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago and has about 500 staff members. The Ryuk attack had disabled all essential operations and manufacturing processes. The majority of the client's backups had been directly accessible at the time of the intrusion and were encrypted. The client was evaluating paying the ransom demand (exceeding $200,000) and wishfully thinking for good luck, but ultimately called Progent.


"I cannot thank you enough in regards to the expertise Progent gave us during the most fearful time of (our) company's life. We may have had to pay the cybercriminals if not for the confidence the Progent group provided us. That you could get our messaging and critical applications back faster than one week was earth shattering. Each consultant I talked with or communicated with at Progent was amazingly focused on getting us working again and was working day and night on our behalf."

Progent worked with the customer to rapidly assess and assign priority to the critical services that needed to be recovered to make it possible to continue company operations:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP
To get going, Progent followed Anti-virus event mitigation best practices by stopping lateral movement and clearing up compromised systems. Progent then initiated the task of recovering Windows Active Directory, the foundation of enterprise environments built upon Microsoft technology. Exchange email will not work without Windows AD, and the businesses' MRP software utilized Microsoft SQL Server, which needs Windows AD for access to the databases.

Within 2 days, Progent was able to restore Active Directory services to its pre-attack state. Progent then accomplished reinstallations and hard drive recovery of the most important systems. All Exchange data and configuration information were usable, which greatly helped the restore of Exchange. Progent was also able to collect non-encrypted OST data files (Outlook Email Off-Line Data Files) on staff workstations in order to recover email messages. A not too old offline backup of the businesses accounting/ERP systems made them able to recover these essential programs back on-line. Although significant work needed to be completed to recover fully from the Ryuk virus, core systems were restored rapidly:


"For the most part, the manufacturing operation showed little impact and we produced all customer shipments."

During the following month key milestones in the recovery project were completed in tight cooperation between Progent consultants and the client:

  • Self-hosted web applications were brought back up with no loss of data.
  • The MailStore Microsoft Exchange Server exceeding four million historical emails was brought on-line and available for users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory capabilities were fully recovered.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • 90% of the user desktops were fully operational.

"So much of what was accomplished those first few days is mostly a fog for me, but my management will not forget the urgency all of the team accomplished to help get our company back. I've utilized Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered. This situation was the most impressive ever."

Conclusion
A probable business catastrophe was dodged by results-oriented experts, a wide array of subject matter expertise, and close collaboration. Although in retrospect the ransomware incident described here should have been prevented with current cyber security systems and security best practices, user education, and well designed incident response procedures for backup and keeping systems up to date with security patches, the reality remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a crypto-ransomware virus, feel confident that Progent's roster of experts has a proven track record in ransomware virus blocking, remediation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thank you for letting me get rested after we made it through the initial fire. Everyone did an impressive job, and if any of your guys is around the Chicago area, dinner is my treat!"

To read or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Lubbock a variety of online monitoring and security assessment services to assist you to minimize your vulnerability to crypto-ransomware. These services include modern machine learning technology to uncover zero-day variants of ransomware that can get past traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's next generation behavior machine learning tools to defend physical and virtual endpoint devices against new malware assaults like ransomware and file-less exploits, which easily get by traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud resources and offers a single platform to automate the complete threat progression including blocking, detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback with Windows VSS and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth protection for physical servers and virtual machines, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, device management, and web filtering through cutting-edge technologies incorporated within a single agent accessible from a unified control. Progent's data protection and virtualization experts can help your business to design and configure a ProSight ESP deployment that meets your organization's specific requirements and that helps you prove compliance with government and industry information protection regulations. Progent will assist you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent action. Progent can also assist your company to set up and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly from a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with advanced backup technology providers to produce ProSight Data Protection Services, a family of subscription-based offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup operations and enable transparent backup and rapid restoration of important files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you protect against data loss resulting from hardware breakdown, natural disasters, fire, malware such as ransomware, human error, malicious employees, or application glitches. Managed backup services in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to identify which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security companies to deliver centralized control and world-class protection for all your inbound and outbound email. The hybrid architecture of Email Guard integrates a Cloud Protection Layer with a local gateway device to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter serves as a first line of defense and keeps most threats from making it to your network firewall. This decreases your exposure to inbound threats and saves system bandwidth and storage space. Email Guard's on-premises gateway appliance adds a further layer of inspection for inbound email. For outbound email, the on-premises security gateway offers AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that originates and ends inside your security perimeter. For more information, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map, monitor, reconfigure and debug their connectivity hardware such as switches, firewalls, and load balancers plus servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are always current, copies and manages the configuration information of virtually all devices connected to your network, tracks performance, and sends notices when potential issues are detected. By automating tedious network management activities, ProSight WAN Watch can knock hours off common chores such as network mapping, reconfiguring your network, finding devices that need critical software patches, or identifying the cause of performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network running efficiently by tracking the health of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT personnel and your Progent consultant so all looming problems can be resolved before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS software, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hosting environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, maintain, find and safeguard information about your IT infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSLs or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as 50% of time spent trying to find vital information about your IT network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT data. Whether you're planning enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based analysis tools to guard endpoints as well as servers and VMs against modern malware attacks such as ransomware and email phishing, which easily get by traditional signature-based anti-virus tools. Progent Active Security Monitoring services protect local and cloud-based resources and offers a unified platform to automate the entire threat progression including protection, detection, containment, remediation, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Desk: Help Desk Managed Services
    Progent's Support Center managed services enable your IT staff to offload Call Center services to Progent or divide activity for Service Desk support transparently between your in-house support group and Progent's nationwide roster of IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless supplement to your corporate network support resources. User interaction with the Help Desk, delivery of support, escalation, trouble ticket generation and tracking, efficiency metrics, and management of the service database are cohesive regardless of whether incidents are resolved by your core network support organization, by Progent's team, or both. Read more about Progent's outsourced/shared Help Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a versatile and cost-effective alternative for evaluating, testing, scheduling, applying, and tracking updates to your dynamic IT network. In addition to optimizing the security and functionality of your IT network, Progent's patch management services free up time for your IT team to focus on line-of-business initiatives and activities that derive the highest business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication managed services utilize Cisco's Duo technology to protect against compromised passwords by using two-factor authentication. Duo enables one-tap identity verification with iOS, Android, and other out-of-band devices. Using 2FA, whenever you log into a secured application and enter your password you are requested to verify who you are via a device that only you possess and that is accessed using a separate network channel. A wide range of devices can be used as this added form of authentication including an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You can designate multiple verification devices. For details about ProSight Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of real-time and in-depth management reporting tools designed to work with the top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues like spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For Lubbock 24/7/365 Crypto Repair Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.