Ransomware: Your Most Feared Information Technology Catastrophe
Ransomware Recovery Consultants
Crypto-ransomware has become a modern cyber pandemic that poses an existential danger to organizations unprepared for an attack. Families such as Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been circulating for years and still cause havoc. Recent strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Egregor, along with new variants that appear daily, not only encrypt online files but also seek out and destroy every reachable restore point and backup, typically by deleting Volume Shadow Copies and disabling Windows recovery before the encryption run starts. Files synchronized to cloud storage can be ransomed as well, because the encrypted copies are synced up over the originals. In a vulnerable data protection design this renders automated restoration hopeless and effectively sets the entire environment back to zero.

Getting applications and data back online after a ransomware outage becomes a race against the clock as the victim fights to contain and remove the crypto-ransomware and restore business-critical operations. Because the operators need days to move laterally and stage the encryption, the final detonation is frequently timed for weekends and holidays, when a successful intrusion is likely to go unnoticed for longer. This multiplies the difficulty of promptly mobilizing and organizing a capable response team.
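The two behaviours described above, destruction of shadow copies and recovery settings, and off-hours timing, are also the most reliable early warning that an encryption run is about to start. The following is an added example for this page, not Progent's or SentinelOne's code, of the detection logic a SOC would run over process-creation telemetry. The events are constructed to resemble Sysmon Event ID 1 records, the 07:00 to 19:00 business window is an assumption, and the rule list is illustrative rather than complete; the command patterns themselves are the ones ransomware families such as Ryuk are documented to run before encrypting.

```python
"""Flag backup/restore-point tampering in process-creation telemetry.

Added example for this page, not Progent or SentinelOne code. The events
below are constructed to resemble Sysmon Event ID 1 records; the command
patterns are the ones ransomware families such as Ryuk are documented to
run against Volume Shadow Copies and Windows recovery before encrypting.
"""
import re
from datetime import datetime

# Assumed local business day; anything outside this window is "off hours".
BUSINESS_HOURS = (7, 19)

# Rule name -> regex applied to the lower-cased command line.
RULES = [
    ("vss_delete",             re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("vss_shrink",             re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("wmic_shadow_delete",     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("recovery_disabled",      re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no")),
    ("wbadmin_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
]

# Constructed sample telemetry: (local timestamp, host, user, command line).
SAMPLE_EVENTS = [
    ("2020-12-19T02:13:07", "FILESRV01", "CORP\\svc-backup",
     "C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet"),
    ("2020-12-19T02:13:09", "FILESRV01", "CORP\\svc-backup",
     "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ("2020-12-19T02:13:11", "FILESRV01", "CORP\\svc-backup",
     "bcdedit /set {default} recoveryenabled No"),
    ("2020-12-19T02:13:12", "FILESRV01", "CORP\\svc-backup",
     "wbadmin DELETE CATALOG -quiet"),
    ("2020-12-16T10:30:00", "FILESRV01", "CORP\\jsmith",
     "vssadmin list shadows"),            # benign enumeration by an admin
    ("2020-12-16T11:00:00", "DC01", "CORP\\admin",
     "wmic shadowcopy delete"),           # destructive, but weekday daytime
]


def match_rules(cmdline):
    """Return the names of every tampering rule the command line matches."""
    lowered = cmdline.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def is_off_hours(ts):
    """True on weekends or outside BUSINESS_HOURS; ransomware is often
    detonated then so that the intrusion goes unnoticed for longer."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1])


def triage(events):
    """Group rule hits per host: rules seen, users involved, off-hours flag."""
    findings = {}
    for ts, host, user, cmd in events:
        hits = match_rules(cmd)
        if not hits:
            continue
        f = findings.setdefault(host, {"rules": set(), "users": set(),
                                       "first_seen": ts, "off_hours": False})
        f["rules"].update(hits)
        f["users"].add(user)
        f["off_hours"] = f["off_hours"] or is_off_hours(ts)
    return findings


def severity(finding):
    """Two or more distinct techniques on one host is the pre-encryption
    sequence itself; a single hit off hours still deserves a page-out."""
    if len(finding["rules"]) >= 2:
        return "critical"
    if finding["off_hours"]:
        return "high"
    return "medium"


if __name__ == "__main__":
    for host, f in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity(f).upper()} first={f['first_seen']} "
              f"users={sorted(f['users'])} rules={sorted(f['rules'])}")
```

Run against the sample, FILESRV01 is rated critical (four distinct techniques in five seconds, on a Saturday night, under a backup service account) and DC01 medium (one destructive command during a weekday). The point of grouping per host rather than alerting per command is that the sequence, not any single line, is the signature; the single admin enumeration on FILESRV01 matches nothing.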

Progent offers a range of services for protecting organizations from ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for endpoint protection and automated remediation, and deployment of SentinelOne's behavior-based, machine-learning endpoint technology to detect and stop new attacks quickly. Progent also provides veteran ransomware recovery professionals with the track record and perseverance to restore a compromised environment as rapidly as possible.

Progent's Ransomware Recovery Services
Following a crypto-ransomware event, paying the ransom in cryptocurrency does not guarantee that the criminal gang will deliver working keys for all of your files. Kaspersky estimated that 17% of ransomware victims never recovered their data after paying, compounding the loss. The gamble is also expensive: Ryuk demands have commonly ranged from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the critical components of your IT environment from scratch. Without usable backups of essential data, this requires a broad range of skill sets, first-rate project management, and the ability to work around the clock until the job is done.

For two decades, Progent has provided expert IT services to businesses in Lubbock and across the US and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who hold high-level certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers hold internationally recognized certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience gives Progent the ability to identify critical systems, salvage the surviving components of your environment after a ransomware intrusion, and reassemble them into a functioning network.

Progent's ransomware recovery team uses professional project management tools to coordinate the complex restoration process. Progent understands the importance of acting quickly and in concert with the client's management and IT staff to prioritize tasks and bring the most important applications back online as fast as possible.

Customer Case Study: A Successful Ransomware Recovery
A business escalated to Progent after its network was taken over by Ryuk ransomware. Ryuk's code derives from the Hermes ransomware, which led early reports to attribute it to North Korean state-sponsored actors; later analysis attributed its operation to a Russian-speaking criminal group running it as a "big game hunting" business. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most profitable ransomware families. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a manufacturing company based in Chicago with about 500 employees. The Ryuk event had frozen all business and manufacturing operations. Most of the client's backups had been online when the attack began and were destroyed. The client was preparing to pay the ransom (in excess of $200,000) and hope for the best, but ultimately engaged Progent.


"I can't say enough about the support Progent gave us during the most stressful period of our business's existence. We may have had to pay the hackers except for the confidence the Progent experts gave us. The fact that you could get our messaging and production applications back online in less than seven days was earth shattering. Every single staff member I spoke to or communicated with at Progent was totally committed to getting us back online and was working 24 by 7 to bail us out."

Progent worked hand in hand with the customer to rapidly assess and prioritize the services that had to be restored before departmental functions could resume:

  • Windows Active Directory
  • Electronic Messaging
  • Accounting/MRP
To start, Progent followed ransomware incident response best practices by halting lateral movement (isolating affected hosts and disabling compromised accounts) and eradicating the malware before any rebuilding began. Progent then took on the rebuild of Active Directory, the heart of any Windows-based enterprise environment: Exchange Server cannot operate without AD, and the company's MRP software ran on Microsoft SQL Server configured for Windows authentication, which depends on AD to grant access to its data.

Within two days, Progent had rebuilt Active Directory to its pre-attack state. Progent then moved on to rebuilding and restoring the key servers. The Exchange Server schema and configuration data held in AD were intact, which accelerated the Exchange rebuild. Progent gathered the local OST files (Outlook Offline Data Files) cached on user workstations and used them to recover mailbox contents; an OST holds only what that client had synchronized, so this recovers each user's cached mail rather than substituting for a server-side backup. A recent offline backup of the manufacturing software allowed those applications to be restored to service. Although much work remained to recover fully from the Ryuk damage, critical systems were returned to operation quickly:


"For the most part, the assembly line operation survived unscathed and we delivered all customer shipments."

Over the following weeks, key milestones in the recovery project were reached in close collaboration between Progent engineers and the client:

  • Internal web sites were brought back up with no loss of data.
  • The MailStore Server with over four million archived emails was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/AP/Accounts Receivable/Inventory Control functions were fully restored.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Ninety percent of the user desktops and notebooks were functioning as before the incident.

"So much of what happened in the initial days is mostly a fog for me, but I will not soon forget the care each and every one of the team took to help get our business back. I have trusted Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered. This event was a life saver."

Conclusion
A potentially company-ending catastrophe was averted through hard-working professionals, a broad spectrum of technical expertise, and close teamwork. In hindsight, the attack described here should have been detected and stopped by modern security tooling, ISO/IEC 27001-aligned controls, user training, and well-planned incident response procedures covering offline backups and disciplined patching. The reality, however, is that well-funded criminal and state-sponsored groups operating from Russia, China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware intrusion, Progent's roster of experts has substantial experience in ransomware blocking, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others who were involved), thank you for letting me get some sleep after we got over the initial push. All of you made an amazing effort, and if any of you guys are around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Lubbock a portfolio of remote monitoring and security assessment services designed to reduce your exposure to ransomware. These services use behavior-based machine learning to detect new strains of ransomware that evade traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service built on SentinelOne's behavior-based analysis engine, which guards physical and virtual endpoints against ransomware and other novel malware, including payloads delivered by phishing email, that routinely evade legacy signature-matching AV products. ProSight ASM protects on-premises and cloud resources and provides a single platform covering the whole attack lifecycle: prevention, detection, containment, remediation, and forensics. Key capabilities include single-click rollback of encrypted files using Windows Volume Shadow Copy Service (VSS) snapshots, and real-time network-wide immunization against newly identified threats. Rollback depends on those snapshots surviving the attack, so the agent must block the shadow-copy deletion that ransomware attempts before it starts encrypting. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer affordable in-depth protection for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of, and response to, security threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools packaged in a single agent and accessible from a unified console. Progent's security and virtualization experts can help your business plan and configure a ProSight ESP deployment that meets your company's specific requirements and helps you demonstrate compliance with legal and industry data security standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent's consultants can also help you set up and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore technology providers to create ProSight Data Protection Services (DPS), a portfolio of managed plans that deliver backup-as-a-service (BaaS). ProSight DPS services manage and track your backup processes and allow transparent backup and rapid restoration of important files/folders, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss from equipment failures, natural disasters, fire, cyber attacks such as ransomware, user mistakes, malicious insiders, or application bugs. For ransomware in particular, at least one backup copy should be kept offline or otherwise out of reach of a compromised domain; the online backups in the case study above were destroyed, while the offline copy of the manufacturing software is what brought it back. Managed backup services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you identify which of these managed backup services are best suited to your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security vendors to provide web-based control and comprehensive security for all your email traffic. The hybrid architecture of Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from making it to your network firewall. This decreases your exposure to external threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway device adds a further layer of analysis for inbound email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized businesses to map out, monitor, optimize and debug their networking hardware such as routers, firewalls, and access points plus servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are kept updated, captures and displays the configuration information of virtually all devices on your network, monitors performance, and sends alerts when issues are discovered. By automating tedious management activities, ProSight WAN Watch can cut hours off ordinary tasks like network mapping, expanding your network, locating appliances that need critical updates, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your network running efficiently by checking the state of vital assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted automatically to your specified IT management personnel and your Progent consultant so all looming problems can be resolved before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hosting solution without a lengthy and technically risky reconfiguration. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, find and safeguard data related to your IT infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be alerted automatically about upcoming expirations of SSL/TLS certificates or warranties. By cleaning up and managing your network documentation, you can save as much as half of the time spent looking for vital information about your network. ProSight IT Asset Management provides a centralized location for storing and collaborating on all documents related to managing your network infrastructure, such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection service that uses behavior-based machine learning to guard endpoint devices and physical and virtual servers against ransomware and other new malware, including payloads delivered by phishing email, that easily evade traditional signature-based anti-virus products. Active Defense Against Ransomware safeguards on-premises and cloud-based resources and offers a unified platform that automates the entire threat progression: blocking, identification, containment, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Desk: Support Desk Managed Services
    Progent's Help Desk managed services allow your IT staff to offload support desk services to Progent or to share support responsibilities transparently between your in-house network support team and Progent's extensive roster of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a seamless supplement to your in-house network support team. End-user access to the help desk, delivery of support services, escalation, trouble ticket creation and tracking, performance measurement, and management of the support database are consistent whether issues are resolved by your core IT support staff, by Progent, or by a mix of the two. Read more about Progent's outsourced/co-managed Help Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer organizations of all sizes a flexible and cost-effective solution for evaluating, validating, scheduling, implementing, and tracking updates to your dynamic IT system. In addition to maximizing the protection and functionality of your computer network, Progent's software/firmware update management services permit your in-house IT staff to concentrate on line-of-business projects and activities that deliver the highest business value from your information network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication services use Cisco's Duo technology to protect against stolen passwords with two-factor authentication (2FA). Duo enables one-tap identity confirmation from iOS, Android, and other personal devices. With 2FA, whenever you sign in to a protected application and supply your password, you are also asked to confirm your identity on a device that only you possess, reached over a separate ("out-of-band") channel. A broad range of out-of-band devices can serve as this second factor, including a smartphone or wearable, a hardware token, or a landline telephone, and you can enroll multiple devices. To find out more about Duo identity authentication services, see Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of in-depth management reporting tools created to integrate with the industry's top ticketing and remote network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-up or endpoints with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, reduces management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.
For Lubbock 24/7 ransomware recovery consultants, contact Progent at 800-462-8800 or go to Contact Progent.