Ransomware : Your Worst Information Technology Disaster
Ransomware Remediation Professionals

Crypto-ransomware has become a modern cyber pandemic that presents an extinction-level threat for organizations vulnerable to an assault. Multiple generations of crypto-ransomware such as Dharma, Fusob, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for years and continue to inflict damage. Newer versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, plus daily unnamed viruses, not only encrypt online files but also infect any configured system backups. Files synchronized to cloud environments can also be encrypted. In a vulnerable data protection solution, this can make automatic recovery hopeless and basically knocks the datacenter back to square one.

Recovering applications and data after a crypto-ransomware event becomes a race against time as the targeted business struggles to contain the damage, clear the ransomware, and restore business-critical activity. Because crypto-ransomware requires time to spread, assaults are frequently sprung during weekends and nights, when successful penetrations may take more time to detect. This compounds the difficulty of rapidly mobilizing and organizing a capable response team.

Progent offers a range of services for securing businesses from crypto-ransomware attacks. These include user education to help identify and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of next-generation security solutions with artificial intelligence capabilities from SentinelOne to identify and disable zero-day threats quickly. Progent also can provide the assistance of veteran crypto-ransomware recovery professionals with the track record and commitment to rebuild a compromised system as urgently as possible.

Progent's Crypto-Ransomware Recovery Services
Subsequent to a ransomware penetration, even paying the ransom demands in cryptocurrency does not provide any assurance that cyber criminals will provide the keys needed to decrypt any or all of your data. Kaspersky Labs found that 17% of ransomware victims never recovered their information even after having sent off the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms are often a few hundred thousand dollars. For larger organizations, the ransom can reach millions of dollars. The other path is to piece back together the vital components of your Information Technology environment. Without access to complete information backups, this requires a broad range of IT skills, top-notch team management, and the willingness to work 24x7 until the task is over.

For decades, Progent has offered professional IT services for companies across the United States and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded high-level certifications in key technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security consultants have earned internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (See Progent's certifications). Progent in addition has expertise with accounting and ERP applications. This breadth of experience gives Progent the skills to efficiently identify necessary systems and organize the remaining parts of your computer network system after a ransomware penetration and rebuild them into a functioning network.

Progent's security team utilizes powerful project management applications to coordinate the sophisticated recovery process. Progent knows the importance of acting rapidly and together with a client's management and IT team members to prioritize tasks and to get critical services back on-line as soon as humanly possible.

Customer Story: A Successful Ransomware Virus Recovery
A client escalated to Progent after their network system was attacked by the Ryuk ransomware virus. Ryuk is believed to have been launched by North Korean government-sponsored hackers, possibly using approaches exposed from America's NSA organization. Ryuk targets specific businesses with limited room for operational disruption and is among the most profitable examples of crypto-ransomware. Well-known victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with around 500 employees. The Ryuk penetration had disabled all essential operations and manufacturing capabilities. Most of the client's data backups had been on-line at the beginning of the attack and were destroyed. The client was evaluating paying the ransom demand (in excess of two hundred thousand dollars) and hoping for good luck, but ultimately engaged Progent.


"I can't tell you enough about the support Progent gave us during the most fearful period of (our) company's life. We may have had to pay the hackers behind this attack if not for the confidence the Progent group provided us. That you were able to get our e-mail and important servers back online faster than 1 week was incredible. Each staff member I talked with or messaged at Progent was amazingly focused on getting our company operational and was working day and night on our behalf."

Progent worked hand in hand with the customer to quickly determine and prioritize the key elements that had to be restored to make it possible to continue departmental functions:

  • Active Directory
  • Exchange Server
  • Financials/MRP

To get going, Progent followed anti-virus/malware incident response best practices by stopping the spread and cleaning up compromised systems. Progent then began the process of rebuilding Windows Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange email will not function without Windows AD, and the business's MRP applications leveraged Microsoft SQL, which depends on Active Directory for security authorization to the data.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-virus state. Progent then assisted with reinstallations and hard drive recovery on needed servers. All Microsoft Exchange Server data and configuration information were usable, which accelerated the rebuild of Exchange. Progent was able to find non-encrypted OST files (Outlook Off-Line Folder Files) on staff PCs in order to recover mail information. A recent off-line backup of the business's financials/ERP systems made it possible to bring these essential services back to users. Although major work remained to recover fully from the Ryuk event, core systems were returned to operation rapidly:


"For the most part, the manufacturing operation ran fairly normal throughout and we made all customer sales."

Over the next few weeks critical milestones in the restoration project were made through tight collaboration between Progent team members and the client:

  • Internal web applications were restored with no loss of data.
  • The MailStore Server with over 4 million historical messages was brought online and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory functions were fully functional.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Nearly all of the user desktops and notebooks were being used by staff.

"A lot of what was accomplished in the initial days is nearly entirely a blur for me, but my management will not soon forget the commitment all of the team accomplished to give us our business back. I've been working together with Progent for at least 10 years, maybe more, and every time Progent has come through and delivered as promised. This event was a testament to your capabilities."

Conclusion
A likely enterprise-killing catastrophe was averted through the efforts of results-oriented experts, a wide array of subject matter expertise, and tight collaboration. Although in post-mortem analysis the crypto-ransomware incident described here could have been prevented with modern cyber security solutions and security best practices, team education, and well thought out security procedures for backup and applying software patches, the reality remains that government-sponsored hackers from Russia, China and elsewhere are relentless and will continue. If you do fall victim to a ransomware incident, feel confident that Progent's roster of professionals has a proven track record in ransomware virus defense, removal, and file restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for letting me get some sleep after we got over the initial push. All of you did a fabulous effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer case study, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers companies in Lower Manhattan a range of online monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services include modern machine learning capability to detect new strains of crypto-ransomware that can evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's cutting-edge behavioral machine learning tools to guard physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which routinely get by traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and provides a unified platform to automate the complete malware attack progression including protection, infiltration detection, containment, cleanup, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver affordable in-depth security for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and reacting to security threats from all attack vectors. ProSight ESP provides firewall protection, penetration alarms, endpoint control, and web filtering via cutting-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can assist you to design and configure a ProSight ESP environment that meets your organization's specific needs and that helps you prove compliance with legal and industry information security regulations. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent attention. Progent can also help you to set up and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore technology companies to create ProSight Data Protection Services (DPS), a portfolio of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and track your backup processes and allow non-disruptive backup and rapid recovery of vital files/folders, applications, system images, plus virtual machines. ProSight DPS helps your business recover from data loss caused by equipment failures, natural disasters, fire, cyber attacks like ransomware, human error, ill-intentioned insiders, or software bugs. Managed services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the technology of leading data security companies to deliver centralized control and world-class protection for all your email traffic. The hybrid structure of Email Guard integrates cloud-based filtering with a local gateway device to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-borne threats. Email Guard's cloud filter acts as a preliminary barricade and keeps most threats from making it to your security perimeter. This decreases your exposure to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises gateway appliance provides a deeper layer of analysis for inbound email. For outbound email, the local security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The local gateway can also assist Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your corporate firewall. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map, track, reconfigure and troubleshoot their networking hardware like switches, firewalls, and load balancers plus servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network maps are always current, copies and manages the configuration information of virtually all devices on your network, monitors performance, and sends notices when potential issues are discovered. By automating time-consuming management and troubleshooting processes, WAN Watch can cut hours off common chores such as making network diagrams, expanding your network, locating devices that need critical updates, or isolating performance problems. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management technology to keep your IT system operating at peak levels by tracking the health of critical assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT staff and your Progent consultant so that all potential problems can be addressed before they can impact your network. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected Tier III data center on a high-performance virtual host set up and managed by Progent's IT support experts. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hardware solution without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and protect data about your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your IT infrastructure documentation, you can eliminate as much as half of the time wasted looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for storing and collaborating on all documents required for managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting-edge behavior-based machine learning tools to defend endpoint devices and physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which routinely evade traditional signature-based AV products. Progent Active Security Monitoring services protect on-premises and cloud resources and offer a single platform to address the entire malware attack progression including filtering, identification, mitigation, cleanup, and post-attack forensics. Key features include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Desk: Support Desk Managed Services
    Progent's Call Center services permit your IT staff to offload Support Desk services to Progent or split responsibilities for Help Desk services transparently between your internal network support group and Progent's nationwide roster of certified IT service engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a smooth supplement to your corporate support resources. End user interaction with the Service Desk, provision of support, escalation, trouble ticket creation and tracking, efficiency measurement, and maintenance of the support database are consistent regardless of whether incidents are resolved by your internal support group, by Progent's team, or by a combination. Learn more about Progent's outsourced/co-managed Service Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management provide businesses of any size a flexible and affordable solution for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT system. In addition to optimizing the security and functionality of your IT network, Progent's patch management services free up time for your IT staff to focus on line-of-business projects and tasks that derive maximum business value from your information network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA services incorporate Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication (2FA). Duo supports one-tap identity verification on iOS, Google Android, and other personal devices. Using Duo 2FA, when you log into a protected online account and give your password, you are requested to verify who you are via a device that only you have and that uses a separate network channel. A wide range of devices can be utilized for this second means of ID validation, such as an iPhone, an Android phone, a smartwatch, a hardware/software token, or a landline phone. You can register multiple verification devices. To find out more about Duo two-factor identity validation services, go to Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding line of real-time management reporting tools designed to work with the industry's top ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues such as inconsistent support follow-up or endpoints with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.

For Lower Manhattan 24/7 Ransomware Remediation Support Services, call Progent at 800-462-8800 or go to Contact Progent.