Ransomware : Your Crippling IT Disaster
Crypto-Ransomware Recovery Professionals
Crypto-ransomware has become a modern cyber pandemic that represents an existential danger to businesses of all sizes that are poorly prepared for an attack. Earlier iterations of ransomware such as Dharma, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been replicating for many years and still inflict damage. The latest variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus more unnamed newcomers, not only encrypt online data but also infect most accessible system backups. Data synced to off-site disaster recovery sites can also be encrypted. In a poorly designed data protection solution, this can render any restoration useless and essentially sets the datacenter back to square one.

Restoring applications and data after a ransomware intrusion becomes a race against the clock as the targeted organization fights to contain the damage, clean up the crypto-ransomware, and restore business-critical operations. Because ransomware needs time to move laterally, attacks are often sprung on weekends and holidays, when a successful penetration is likely to take longer to uncover. This multiplies the difficulty of quickly assembling and coordinating an experienced response team.

Progent offers an assortment of services for protecting businesses from crypto-ransomware events. These include staff education to help employees recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security gateways with artificial intelligence capabilities from SentinelOne to detect and suppress zero-day cyber threats quickly. Progent can also provide the assistance of seasoned crypto-ransomware recovery professionals with the skill and perseverance to redeploy a breached network as urgently as possible.

Progent's Crypto-Ransomware Restoration Help
After a ransomware event, paying the ransom in Bitcoin does not guarantee that the criminals will respond with the keys needed to decrypt any of your files. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their data even after paying the ransom, compounding their losses. Paying is also expensive. Ryuk ransoms often range from 15 to 40 BTC (between $120,000 and $400,000). This is well above the typical crypto-ransomware demand, which ZDNET estimates to average around $13,000. The alternative is to rebuild the critical parts of your IT environment. Without access to complete system backups, this requires a wide range of IT skills, top-notch project management, and the ability to work continuously until the job is done.

For two decades, Progent has provided professional IT services to businesses in Midtown Manhattan and throughout the US and has achieved Microsoft's Gold Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who hold advanced industry certifications in leading technologies from Microsoft, Cisco, and VMware and in popular distributions of Linux. Progent's cyber security consultants have earned internationally recognized industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise with financial systems and ERP application software. This breadth of experience gives Progent the skills to rapidly identify critical systems, consolidate the surviving pieces of your network environment after a ransomware attack, and assemble them into an operational network.

Progent's security team uses best-of-breed project management applications to orchestrate the complicated recovery process. Progent appreciates the urgency of working quickly and together with a client's management and IT staff to prioritize tasks and put critical services back online as soon as possible.

Customer Case Study: A Successful Ransomware Intrusion Response
A customer hired Progent after their network was penetrated by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean government-sponsored criminal gangs, suspected of using techniques leaked from America's NSA. Ryuk targets specific businesses with little tolerance for operational disruption and is among the most profitable incarnations of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturing business located in the Chicago metro area with around 500 staff members. The Ryuk event had brought down all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client was considering paying the ransom demand (in excess of $200,000) and hoping for the best, but in the end reached out to Progent.

"I cannot thank you enough for the expertise Progent provided us during the most critical time of (our) business's existence. We would have had little choice but to pay the hackers behind this attack if not for the confidence the Progent group provided us. That you were able to get our e-mail and important servers back online in less than seven days was beyond my wildest dreams. Each consultant I interacted with or messaged at Progent was hell-bent on getting our system up and was working at all hours on our behalf."

Progent worked with the customer to quickly assess and prioritize the mission critical systems that had to be restored to make it possible to restart business operations:

  • Active Directory
  • Electronic Mail
  • Financials/MRP

To get started, Progent followed anti-virus and anti-malware intrusion-mitigation best practices by isolating affected systems and performing malware removal. Progent then began restoring Active Directory, the core technology of enterprise networks built on Microsoft Windows Server. Exchange messaging will not work without AD, and the client's financials and MRP applications used Microsoft SQL Server, which relied on Active Directory for authentication to the data.

In less than 48 hours, Progent was able to rebuild Active Directory to its pre-intrusion state. Progent then charged ahead with rebuilding and recovering the data of the most important applications. All Exchange schema extensions and attributes were intact, which facilitated the restore of Exchange. Progent was also able to collect local OST files (Outlook Offline Folder Files) from staff PCs and laptops to recover email messages. A reasonably recent offline backup of the customer's manufacturing software made it possible to bring these vital applications back into service. Although a large amount of work remained to recover completely from the Ryuk event, core services were restored rapidly:

"For the most part, the assembly line operation was never shut down and we produced all customer shipments."

Over the following month, important milestones in the restoration project were reached in close cooperation between Progent consultants and the customer:

  • Self-hosted web applications were brought back up without losing any information.
  • The MailStore Server, holding more than 4 million archived emails, was brought online and made accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/Accounts Receivable/Inventory Control capabilities were 100 percent operational.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Most of the user PCs were back in operation.

"Much of what transpired that first week is mostly a haze for me, but my team will not forget the urgency each of you accomplished to help get our company back. I have trusted Progent for at least 10 years, possibly more, and each time Progent has impressed me and delivered. This event was the most impressive ever."

Conclusion
A potentially enterprise-killing catastrophe was averted through the efforts of hard-working experts, a broad range of IT skills, and tight collaboration. Although post-incident forensics showed that the crypto-ransomware attack described here could have been prevented with current security systems, NIST Cybersecurity Framework best practices, staff training, and well-designed procedures for backup and patch management, the reality is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do fall victim to a ransomware attack, be confident that Progent's roster of professionals has substantial experience in ransomware blocking, remediation, and data disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thanks very much for making it so I could get rested after we got over the most critical parts. Everyone did a fabulous job, and if anyone is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Midtown Manhattan a portfolio of remote monitoring and security evaluation services to help you minimize your exposure to crypto-ransomware. These services incorporate next-generation machine learning to uncover zero-day variants of ransomware that evade detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next generation behavior analysis tools to defend physical and virtual endpoints against new malware attacks such as ransomware and email phishing, which routinely escape traditional signature-based anti-virus products. ProSight ASM protects local and cloud-based resources and provides a unified platform to manage the entire threat progression including filtering, identification, containment, cleanup, and post-attack forensics. Key features include single-click rollback using Windows VSS and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer economical multi-layer protection for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring of and response to cyber threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge tools incorporated within a single agent accessible from a single console. Progent's data protection and virtualization consultants can help you plan and implement a ProSight ESP environment that addresses your company's unique requirements and that allows you to achieve and demonstrate compliance with government and industry information protection standards. Progent will help you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alarms that require urgent action. Progent's consultants can also assist your company to set up and verify a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup software companies to create ProSight Data Protection Services, a family of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS products automate and monitor your data backup operations and enable non-disruptive backup and fast recovery of important files, applications, images, and VMs. ProSight DPS lets you recover from data loss caused by hardware failures, natural calamities, fire, malware like ransomware, user mistakes, malicious insiders, or software bugs. Managed services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you identify which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading information security vendors to deliver centralized control and world-class protection for your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines cloud-based filtering with an on-premises gateway device to offer complete protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter acts as a preliminary barricade and blocks most unwanted email before it reaches your network firewall. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway device adds a further level of analysis for inbound email. For outgoing email, the onsite gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to monitor and safeguard internal email that originates and ends within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to diagram, monitor, reconfigure and troubleshoot their networking appliances like routers and switches, firewalls, and load balancers plus servers, client computers and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are kept updated, copies and displays the configuration of almost all devices connected to your network, tracks performance, and generates alerts when issues are detected. By automating tedious management and troubleshooting activities, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, expanding your network, finding devices that require critical updates, or isolating performance issues. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system operating at peak levels by tracking the health of critical computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT staff and your Progent engineering consultant so any looming issues can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the apps. Because the system is virtualized, it can be moved immediately to a different hardware environment without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and protect information related to your network infrastructure, processes, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as half of the time spent searching for vital information about your network. ProSight IT Asset Management features a common repository for holding and sharing all documents related to managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're making improvements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection service that utilizes cutting-edge behavior analysis technology to guard endpoints, servers, and VMs against modern malware assaults such as ransomware and email phishing, which easily evade legacy signature-based anti-virus products. Progent ASM services protect on-premises and cloud-based resources and offer a unified platform to automate the complete malware attack progression including filtering, identification, mitigation, cleanup, and forensics. Key capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Help Center: Call Center Managed Services
    Progent's Help Desk services enable your IT team to outsource Support Desk services to Progent or to split responsibility for support services seamlessly between your internal support resources and Progent's nationwide pool of IT service engineers and subject matter experts. Progent's Co-managed Service Desk provides a transparent extension of your internal network support staff. Client access to the Help Desk, delivery of technical assistance, escalation, ticket creation and tracking, performance measurement, and maintenance of the service database are cohesive whether incidents are taken care of by your in-house IT support group, by Progent, or by a combination. Learn more about Progent's outsourced/shared Help Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management provide businesses of any size a flexible and affordable alternative for evaluating, validating, scheduling, applying, and tracking software and firmware updates to your ever-evolving information network. In addition to maximizing the security and reliability of your computer environment, Progent's software/firmware update management services allow your in-house IT staff to concentrate on more strategic initiatives and tasks that derive maximum business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to defend against password theft through the use of two-factor authentication. Duo supports single-tap identity verification with iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a protected application and enter your password, you are asked to verify who you are via a device that only you possess and that uses a different ("out-of-band") network channel. A broad selection of out-of-band devices, such as a smartphone or watch, a hardware or software token, or a landline phone, can serve as this added form of authentication. You can designate multiple validation devices. For details about ProSight Duo identity validation services, go to Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of real-time reporting plug-ins created to work with the leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues such as inconsistent support follow-up or endpoints with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.

For 24/7/365 Midtown Manhattan CryptoLocker Removal Support Services, contact Progent at 800-462-8800 or go to Contact Progent.