Ransomware : Your Worst Information Technology Catastrophe
Ransomware  Recovery ConsultantsRansomware has become a too-frequent cyber pandemic that poses an extinction-level danger for businesses of all sizes vulnerable to an assault. Different iterations of ransomware like the Dharma, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been replicating for many years and still cause destruction. Modern versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus additional unnamed malware, not only encrypt on-line critical data but also infect many available system protection mechanisms. Information replicated to the cloud can also be corrupted. In a poorly architected system, this can render any restore operations hopeless and basically knocks the datacenter back to square one.

Getting back on-line programs and information after a ransomware event becomes a race against the clock as the targeted business struggles to stop lateral movement and cleanup the ransomware and to resume mission-critical operations. Since ransomware requires time to spread, assaults are usually launched at night, when attacks tend to take more time to identify. This multiplies the difficulty of quickly marshalling and coordinating a qualified mitigation team.

Progent offers an assortment of help services for protecting enterprises from ransomware penetrations. These include staff education to help identify and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of modern security appliances with artificial intelligence technology from SentinelOne to identify and extinguish day-zero threats quickly. Progent in addition offers the services of veteran ransomware recovery engineers with the track record and commitment to restore a compromised network as quickly as possible.

Progent's Ransomware Restoration Support Services
Following a ransomware attack, sending the ransom demands in cryptocurrency does not ensure that cyber hackers will respond with the keys to decrypt any or all of your information. Kaspersky Labs estimated that 17% of ransomware victims never restored their files after having sent off the ransom, resulting in additional losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is greatly higher than the average ransomware demands, which ZDNET averages to be in the range of $13,000. The alternative is to piece back together the essential parts of your Information Technology environment. Without the availability of complete information backups, this calls for a broad range of skill sets, top notch team management, and the capability to work 24x7 until the recovery project is complete.

For two decades, Progent has made available expert IT services for businesses in Lower Manhattan and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have attained high-level industry certifications in foundation technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have garnered internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience in financial systems and ERP application software. This breadth of experience gives Progent the capability to quickly determine necessary systems and re-organize the surviving pieces of your Information Technology system after a crypto-ransomware attack and configure them into a functioning network.

Progent's recovery group has state-of-the-art project management systems to orchestrate the complicated restoration process. Progent understands the importance of working swiftly and together with a client's management and IT team members to assign priority to tasks and to get key services back on line as fast as humanly possible.

Client Story: A Successful Ransomware Intrusion Response
A business sought out Progent after their network was penetrated by Ryuk crypto-ransomware. Ryuk is believed to have been launched by North Korean state cybercriminals, suspected of using strategies exposed from America's National Security Agency. Ryuk targets specific businesses with little tolerance for disruption and is among the most lucrative iterations of ransomware. High publicized organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk penetration had shut down all company operations and manufacturing capabilities. The majority of the client's data protection had been directly accessible at the beginning of the attack and were damaged. The client was actively seeking loans for paying the ransom (in excess of $200,000) and praying for good luck, but in the end made the decision to use Progent.


"I cannot speak enough about the support Progent gave us during the most fearful time of (our) businesses life. We may have had to pay the hackers behind this attack if not for the confidence the Progent team afforded us. The fact that you were able to get our e-mail and important applications back online faster than one week was something I thought impossible. Each staff member I spoke to or e-mailed at Progent was amazingly focused on getting us restored and was working at all hours on our behalf."

Progent worked with the customer to rapidly determine and prioritize the essential systems that needed to be recovered to make it possible to continue departmental functions:

  • Active Directory
  • Electronic Messaging
  • Accounting and Manufacturing Software
To start, Progent followed ransomware event response best practices by halting the spread and cleaning systems of viruses. Progent then started the steps of restoring Windows Active Directory, the heart of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange email will not operate without Active Directory, and the businesses' MRP system utilized SQL Server, which needs Windows AD for security authorization to the databases.

Within 2 days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then assisted with reinstallations and hard drive recovery on key applications. All Exchange Server data and attributes were intact, which accelerated the restore of Exchange. Progent was also able to assemble non-encrypted OST data files (Outlook Email Off-Line Data Files) on staff PCs and laptops in order to recover email data. A not too old offline backup of the client's accounting/MRP systems made it possible to return these vital applications back on-line. Although a large amount of work still had to be done to recover completely from the Ryuk attack, critical services were returned to operations quickly:


"For the most part, the production line operation survived unscathed and we delivered all customer shipments."

Over the next few weeks key milestones in the recovery project were completed through tight cooperation between Progent team members and the customer:

  • In-house web sites were brought back up without losing any information.
  • The MailStore Server with over 4 million historical emails was spun up and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control modules were 100% recovered.
  • A new Palo Alto 850 security appliance was deployed.
  • Ninety percent of the user PCs were fully operational.

"A huge amount of what was accomplished in the initial days is mostly a fog for me, but I will not soon forget the care all of your team accomplished to help get our business back. I have been working together with Progent for at least 10 years, maybe more, and every time I needed help Progent has shined and delivered as promised. This situation was the most impressive ever."

Conclusion
A probable business catastrophe was evaded through the efforts of results-oriented experts, a wide array of subject matter expertise, and close teamwork. Although in post mortem the ransomware virus penetration described here could have been disabled with advanced cyber security solutions and ISO/IEC 27001 best practices, team education, and appropriate incident response procedures for data backup and applying software patches, the fact remains that state-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware attack, feel confident that Progent's team of professionals has a proven track record in ransomware virus defense, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), thank you for making it so I could get some sleep after we made it through the initial fire. All of you did an incredible job, and if anyone that helped is visiting the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this customer case study, click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Lower Manhattan a portfolio of online monitoring and security assessment services designed to help you to reduce the threat from crypto-ransomware. These services incorporate modern machine learning capability to uncover new strains of crypto-ransomware that can get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's cutting edge behavior machine learning technology to guard physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which routinely get by traditional signature-matching anti-virus tools. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to address the complete malware attack progression including protection, identification, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and reacting to security assaults from all attack vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge technologies incorporated within one agent accessible from a unified control. Progent's security and virtualization consultants can assist you to design and implement a ProSight ESP environment that meets your company's specific requirements and that helps you demonstrate compliance with government and industry information protection standards. Progent will assist you specify and configure policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent's consultants can also help your company to install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup technology companies to create ProSight Data Protection Services (DPS), a portfolio of management offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup operations and enable transparent backup and rapid restoration of critical files, apps, images, and virtual machines. ProSight DPS helps your business recover from data loss resulting from equipment failures, natural disasters, fire, cyber attacks like ransomware, human mistakes, ill-intentioned employees, or application glitches. Managed services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to determine which of these fully managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security companies to provide web-based control and comprehensive security for your email traffic. The powerful architecture of Email Guard managed service combines cloud-based filtering with a local gateway device to provide advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter acts as a first line of defense and blocks most unwanted email from reaching your network firewall. This reduces your vulnerability to external threats and conserves system bandwidth and storage space. Email Guard's on-premises gateway device adds a further level of analysis for inbound email. For outbound email, the onsite security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to map out, monitor, optimize and troubleshoot their connectivity appliances such as routers, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are kept updated, captures and displays the configuration of virtually all devices on your network, monitors performance, and sends alerts when potential issues are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can cut hours off common tasks like network mapping, reconfiguring your network, finding appliances that need critical updates, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating at peak levels by checking the health of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted automatically to your designated IT management personnel and your Progent engineering consultant so all looming problems can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved easily to a different hosting environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not tied one hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and organizing your IT documentation, you can save as much as 50% of time thrown away searching for vital information about your IT network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that incorporates cutting edge behavior machine learning tools to guard endpoint devices as well as servers and VMs against modern malware attacks like ransomware and email phishing, which routinely escape traditional signature-based AV tools. Progent Active Security Monitoring services safeguard local and cloud-based resources and offers a unified platform to address the entire malware attack lifecycle including filtering, detection, containment, cleanup, and post-attack forensics. Key capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Service Desk: Help Desk Managed Services
    Progent's Support Center services enable your IT team to offload Help Desk services to Progent or split responsibilities for Help Desk services seamlessly between your internal support resources and Progent's nationwide pool of certified IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a transparent extension of your core network support resources. End user access to the Service Desk, provision of technical assistance, issue escalation, trouble ticket creation and tracking, performance measurement, and management of the support database are cohesive regardless of whether issues are taken care of by your in-house support staff, by Progent, or both. Find out more about Progent's outsourced/co-managed Service Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management offer organizations of any size a versatile and cost-effective alternative for evaluating, testing, scheduling, applying, and documenting updates to your ever-evolving information system. Besides optimizing the security and reliability of your computer environment, Progent's patch management services free up time for your IT staff to focus on line-of-business projects and activities that deliver the highest business value from your information network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA services utilize Cisco's Duo technology to defend against stolen passwords by using two-factor authentication (2FA). Duo enables one-tap identity confirmation on Apple iOS, Android, and other personal devices. With Duo 2FA, whenever you sign into a protected application and give your password you are asked to verify who you are on a unit that only you possess and that uses a different network channel. A broad selection of devices can be used for this second means of authentication including a smartphone or wearable, a hardware/software token, a landline phone, etc. You may register several validation devices. To learn more about Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding family of real-time and in-depth management reporting tools designed to integrate with the industry's top ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-through or endpoints with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For Lower Manhattan 24/7 Ransomware Repair Support Services, call Progent at 800-462-8800 or go to Contact Progent.