Ransomware : Your Crippling Information Technology Nightmare
Crypto-Ransomware  Recovery ProfessionalsRansomware has become a too-frequent cyberplague that presents an existential danger for businesses of all sizes unprepared for an assault. Different iterations of crypto-ransomware like the CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for many years and still inflict destruction. The latest variants of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, as well as daily as yet unnamed viruses, not only encrypt on-line data files but also infiltrate most available system protection mechanisms. Files synched to the cloud can also be encrypted. In a vulnerable system, this can render any recovery hopeless and basically sets the network back to zero.

Restoring applications and information following a ransomware attack becomes a sprint against time as the targeted business tries its best to contain and cleanup the crypto-ransomware and to restore business-critical operations. Due to the fact that ransomware needs time to spread, assaults are frequently sprung at night, when attacks in many cases take more time to identify. This multiplies the difficulty of quickly assembling and orchestrating a capable mitigation team.

Progent offers a variety of help services for securing enterprises from ransomware attacks. Among these are staff training to help recognize and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of next-generation security appliances with machine learning technology from SentinelOne to discover and extinguish day-zero threats intelligently. Progent in addition can provide the services of veteran crypto-ransomware recovery engineers with the talent and commitment to re-deploy a compromised system as urgently as possible.

Progent's Crypto-Ransomware Recovery Services
Subsequent to a crypto-ransomware penetration, paying the ransom demands in cryptocurrency does not guarantee that merciless criminals will return the needed keys to decipher any of your data. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their data even after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 and $400,000). This is well above the average ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to piece back together the key elements of your Information Technology environment. Without access to full data backups, this calls for a broad range of IT skills, well-coordinated project management, and the willingness to work continuously until the recovery project is done.

For two decades, Progent has made available professional IT services for companies in Lower Manhattan and throughout the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have attained top certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience in financial systems and ERP application software. This breadth of expertise affords Progent the skills to knowledgably identify critical systems and integrate the remaining pieces of your Information Technology environment after a crypto-ransomware penetration and assemble them into an operational system.

Progent's ransomware group has top notch project management systems to coordinate the sophisticated recovery process. Progent knows the importance of acting swiftly and in unison with a customer's management and IT resources to assign priority to tasks and to get essential systems back on line as soon as possible.

Business Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A client engaged Progent after their network was penetrated by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state cybercriminals, suspected of using technology exposed from America's National Security Agency. Ryuk attacks specific organizations with little or no tolerance for disruption and is among the most profitable incarnations of ransomware viruses. High publicized victims include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing company headquartered in Chicago with about 500 workers. The Ryuk attack had frozen all company operations and manufacturing capabilities. The majority of the client's information backups had been online at the start of the attack and were damaged. The client was actively seeking loans for paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately called Progent.


"I can't say enough about the support Progent gave us during the most stressful time of (our) businesses life. We had little choice but to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent team afforded us. That you could get our e-mail and key servers back into operation in less than seven days was amazing. Each staff member I spoke to or e-mailed at Progent was hell bent on getting our company operational and was working 24/7 to bail us out."

Progent worked hand in hand the client to quickly understand and prioritize the most important systems that had to be addressed in order to restart business operations:

  • Active Directory
  • Email
  • Accounting and Manufacturing Software
To start, Progent adhered to AV/Malware Processes event mitigation industry best practices by stopping lateral movement and cleaning systems of viruses. Progent then initiated the process of restoring Windows Active Directory, the foundation of enterprise environments built on Microsoft Windows technology. Exchange email will not operate without Windows AD, and the client's accounting and MRP software utilized SQL Server, which depends on Active Directory services for access to the information.

Within two days, Progent was able to restore Windows Active Directory to its pre-intrusion state. Progent then charged ahead with setup and hard drive recovery of mission critical applications. All Exchange schema and attributes were usable, which facilitated the rebuild of Exchange. Progent was able to assemble intact OST files (Outlook Off-Line Data Files) on team desktop computers and laptops to recover mail information. A recent off-line backup of the customer's manufacturing systems made it possible to return these required applications back on-line. Although major work remained to recover completely from the Ryuk damage, critical systems were recovered quickly:


"For the most part, the assembly line operation was never shut down and we produced all customer shipments."

Over the next few weeks important milestones in the recovery project were made through close cooperation between Progent engineers and the client:

  • Internal web applications were restored without losing any data.
  • The MailStore Microsoft Exchange Server with over 4 million archived emails was brought online and available for users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent functional.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • Most of the user PCs were back into operation.

"Much of what transpired during the initial response is nearly entirely a haze for me, but my management will not soon forget the care all of you accomplished to give us our business back. I have trusted Progent for the past ten years, possibly more, and each time Progent has impressed me and delivered as promised. This time was a life saver."

Conclusion
A likely business-killing catastrophe was averted by dedicated experts, a wide array of knowledge, and tight collaboration. Although in hindsight the ransomware virus penetration described here would have been identified and disabled with current cyber security systems and recognized best practices, staff training, and well designed security procedures for data protection and proper patching controls, the reality is that state-sponsored hackers from China, North Korea and elsewhere are relentless and are an ongoing threat. If you do get hit by a ransomware incursion, feel confident that Progent's team of professionals has a proven track record in ransomware virus defense, removal, and information systems restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for allowing me to get rested after we made it past the most critical parts. Everyone did an fabulous effort, and if anyone is in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Lower Manhattan a range of online monitoring and security assessment services to assist you to minimize your vulnerability to ransomware. These services incorporate next-generation AI capability to detect zero-day strains of ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's next generation behavior-based analysis technology to defend physical and virtual endpoints against new malware assaults like ransomware and file-less exploits, which routinely evade legacy signature-based anti-virus tools. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to manage the complete threat lifecycle including protection, detection, containment, remediation, and forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and responding to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge tools incorporated within a single agent accessible from a unified control. Progent's security and virtualization consultants can assist you to design and configure a ProSight ESP environment that meets your company's unique needs and that allows you prove compliance with government and industry information security regulations. Progent will assist you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent attention. Progent's consultants can also help you to install and test a backup and restore solution like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Disaster Recovery Services
    Progent has partnered with advanced backup software companies to produce ProSight Data Protection Services, a selection of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup operations and enable transparent backup and rapid recovery of vital files, applications, system images, and VMs. ProSight DPS lets your business recover from data loss caused by equipment failures, natural calamities, fire, cyber attacks such as ransomware, user error, ill-intentioned insiders, or application glitches. Managed services available in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of leading information security companies to deliver centralized management and comprehensive security for your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to offer advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from reaching your network firewall. This reduces your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's onsite gateway appliance provides a further layer of inspection for incoming email. For outbound email, the local gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Exchange Server to track and protect internal email traffic that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map out, track, reconfigure and troubleshoot their connectivity hardware like routers, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, captures and manages the configuration of almost all devices on your network, monitors performance, and generates notices when potential issues are discovered. By automating tedious network management activities, ProSight WAN Watch can knock hours off ordinary tasks such as making network diagrams, expanding your network, finding appliances that need critical updates, or isolating performance problems. Find out more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your IT system running efficiently by checking the state of critical computers that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your specified IT management personnel and your assigned Progent engineering consultant so any looming problems can be resolved before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and apps hosted in a secure fault tolerant data center on a fast virtual host set up and maintained by Progent's IT support professionals. With Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported immediately to an alternate hosting solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, retrieve and safeguard data related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSLs or domains. By updating and organizing your IT infrastructure documentation, you can eliminate up to 50% of time spent looking for vital information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need as soon as you need it. Read more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting edge behavior-based analysis tools to defend endpoint devices as well as servers and VMs against new malware attacks such as ransomware and email phishing, which easily escape legacy signature-based AV tools. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and provides a single platform to manage the complete threat progression including protection, infiltration detection, containment, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new threats. Find out more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Help Center: Help Desk Managed Services
    Progent's Help Center managed services permit your IT team to outsource Call Center services to Progent or divide activity for Help Desk services transparently between your internal support staff and Progent's extensive pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a smooth extension of your in-house support group. Client access to the Help Desk, provision of technical assistance, problem escalation, ticket creation and tracking, efficiency measurement, and management of the support database are cohesive regardless of whether incidents are taken care of by your corporate IT support staff, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management provide organizations of any size a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information system. Besides optimizing the protection and reliability of your IT network, Progent's software/firmware update management services free up time for your IT team to concentrate on line-of-business initiatives and activities that deliver the highest business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication managed services utilize Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication (2FA). Duo enables single-tap identity confirmation on iOS, Android, and other personal devices. With 2FA, whenever you sign into a secured application and give your password you are asked to confirm who you are via a unit that only you possess and that uses a separate network channel. A broad selection of out-of-band devices can be used for this added form of ID validation such as a smartphone or wearable, a hardware/software token, a landline telephone, etc. You may register several validation devices. For details about Duo identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of real-time reporting plug-ins designed to integrate with the industry's leading ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-up or endpoints with missing patches. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For Lower Manhattan 24x7 Crypto-Ransomware Removal Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.