Ransomware : Your Worst Information Technology Catastrophe
Ransomware  Recovery ProfessionalsRansomware has become a too-frequent cyberplague that represents an existential danger for businesses of all sizes vulnerable to an assault. Different versions of crypto-ransomware such as CrySIS, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for a long time and still cause harm. Recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, plus more as yet unnamed malware, not only encrypt online data but also infect most configured system backups. Information synched to off-site disaster recovery sites can also be encrypted. In a poorly architected environment, this can make automatic restore operations impossible and basically sets the datacenter back to zero.

Getting back online services and information after a ransomware intrusion becomes a race against the clock as the targeted organization struggles to contain the damage and clear the ransomware and to restore business-critical activity. Since crypto-ransomware requires time to move laterally, penetrations are usually launched on weekends and holidays, when attacks in many cases take longer to discover. This compounds the difficulty of rapidly mobilizing and organizing an experienced mitigation team.

Progent offers a variety of support services for protecting organizations from ransomware attacks. These include staff training to help identify and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of the latest generation security solutions with machine learning capabilities from SentinelOne to detect and quarantine new cyber attacks rapidly. Progent also can provide the assistance of seasoned ransomware recovery professionals with the track record and perseverance to rebuild a breached network as rapidly as possible.

Progent's Crypto-Ransomware Recovery Support Services
Soon after a ransomware attack, sending the ransom demands in Bitcoin cryptocurrency does not guarantee that cyber hackers will respond with the needed codes to unencrypt all your data. Kaspersky Labs determined that 17% of crypto-ransomware victims never restored their information after having paid the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the typical ransomware demands, which ZDNET averages to be around $13,000. The other path is to re-install the essential parts of your IT environment. Absent access to full system backups, this calls for a wide complement of skill sets, top notch team management, and the capability to work continuously until the task is finished.

For decades, Progent has offered expert IT services for companies in Oakland and across the U.S. and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity consultants have earned internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise in financial management and ERP applications. This breadth of expertise affords Progent the ability to quickly ascertain necessary systems and consolidate the remaining pieces of your computer network system after a ransomware penetration and assemble them into a functioning network.

Progent's recovery group deploys state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the importance of acting quickly and in concert with a client's management and Information Technology resources to prioritize tasks and to get the most important systems back online as soon as possible.

Client Story: A Successful Crypto-Ransomware Intrusion Recovery
A small business contacted Progent after their network was crashed by Ryuk ransomware. Ryuk is believed to have been created by Northern Korean state sponsored hackers, possibly using technology exposed from the U.S. NSA organization. Ryuk targets specific companies with little or no tolerance for operational disruption and is among the most profitable incarnations of ransomware malware. High publicized organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business located in the Chicago metro area with around 500 employees. The Ryuk event had brought down all business operations and manufacturing processes. Most of the client's backups had been on-line at the time of the intrusion and were damaged. The client was evaluating paying the ransom (more than $200K) and hoping for the best, but ultimately engaged Progent.


"I can't thank you enough in regards to the care Progent gave us during the most critical time of (our) company's existence. We would have paid the criminal gangs except for the confidence the Progent group afforded us. The fact that you were able to get our e-mail system and critical applications back in less than one week was something I thought impossible. Every single expert I interacted with or messaged at Progent was totally committed on getting our company operational and was working 24/7 on our behalf."

Progent worked hand in hand the customer to quickly assess and assign priority to the most important elements that had to be recovered to make it possible to continue business functions:

  • Active Directory (AD)
  • Email
  • MRP System
To begin, Progent adhered to AV/Malware Processes event response industry best practices by stopping the spread and clearing up compromised systems. Progent then started the process of rebuilding Windows Active Directory, the heart of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not operate without Active Directory, and the businesses' MRP software utilized Microsoft SQL Server, which needs Active Directory services for authentication to the data.

In less than 2 days, Progent was able to restore Active Directory to its pre-attack state. Progent then completed rebuilding and storage recovery on critical applications. All Exchange ties and attributes were intact, which facilitated the rebuild of Exchange. Progent was also able to collect non-encrypted OST data files (Outlook Email Off-Line Folder Files) on various PCs and laptops in order to recover mail information. A recent off-line backup of the customer's accounting/MRP systems made it possible to restore these essential applications back online. Although a large amount of work remained to recover totally from the Ryuk attack, essential systems were restored quickly:


"For the most part, the production manufacturing operation showed little impact and we delivered all customer shipments."

During the next month critical milestones in the restoration project were achieved through tight collaboration between Progent consultants and the client:

  • Self-hosted web applications were brought back up without losing any data.
  • The MailStore Exchange Server exceeding four million archived emails was brought on-line and available for users.
  • CRM/Customer Orders/Invoices/Accounts Payable/AR/Inventory functions were 100% restored.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Nearly all of the user workstations were being used by staff.

"A lot of what transpired those first few days is nearly entirely a fog for me, but I will not forget the care all of you put in to give us our company back. I've trusted Progent for the past ten years, possibly more, and every time Progent has shined and delivered. This situation was a life saver."

Conclusion
A probable business extinction disaster was dodged due to dedicated experts, a wide range of technical expertise, and tight teamwork. Although in hindsight the ransomware virus penetration detailed here could have been blocked with modern security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well thought out security procedures for backup and keeping systems up to date with security patches, the reality remains that government-sponsored hackers from China, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware attack, feel confident that Progent's roster of professionals has extensive experience in ransomware virus defense, cleanup, and information systems restoration.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), thanks very much for allowing me to get rested after we made it past the most critical parts. Everyone did an amazing effort, and if any of your team is in the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Oakland a portfolio of remote monitoring and security evaluation services to assist you to reduce the threat from crypto-ransomware. These services incorporate next-generation machine learning capability to uncover zero-day strains of ransomware that are able to escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting edge behavior machine learning tools to defend physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely escape legacy signature-matching AV products. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to automate the complete malware attack progression including blocking, infiltration detection, mitigation, remediation, and forensics. Key features include single-click rollback with Windows VSS and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical and virtual servers, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced machine learning for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint management, and web filtering via leading-edge tools packaged within a single agent accessible from a unified console. Progent's security and virtualization consultants can assist you to plan and configure a ProSight ESP environment that addresses your organization's unique needs and that helps you prove compliance with government and industry data security standards. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that call for immediate attention. Progent can also help your company to install and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore technology companies to produce ProSight Data Protection Services, a family of management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and track your data backup operations and enable transparent backup and fast restoration of vital files/folders, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss resulting from equipment failures, natural calamities, fire, malware like ransomware, human error, ill-intentioned insiders, or software bugs. Managed backup services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security vendors to deliver web-based management and world-class protection for your inbound and outbound email. The hybrid architecture of Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, DHAs, and other email-based malware. The Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's onsite gateway device adds a further level of inspection for inbound email. For outgoing email, the onsite security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and protect internal email that originates and ends within your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to map out, monitor, enhance and troubleshoot their networking hardware such as routers, firewalls, and load balancers as well as servers, printers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network diagrams are always updated, copies and displays the configuration of almost all devices on your network, tracks performance, and sends notices when problems are discovered. By automating complex network management processes, WAN Watch can knock hours off ordinary tasks such as making network diagrams, expanding your network, finding appliances that require important software patches, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running efficiently by checking the health of critical assets that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT management staff and your Progent consultant so any potential issues can be resolved before they can impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be ported immediately to an alternate hardware solution without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and protect information related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSLs ,domains or warranties. By cleaning up and organizing your IT documentation, you can save up to half of time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and relating IT data. Whether you're planning improvements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates cutting edge behavior-based analysis tools to guard endpoints as well as physical and virtual servers against new malware attacks like ransomware and file-less exploits, which routinely get by legacy signature-based anti-virus tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provides a single platform to address the entire threat lifecycle including protection, detection, containment, remediation, and post-attack forensics. Top features include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Help Center: Support Desk Managed Services
    Progent's Call Center services permit your information technology team to outsource Support Desk services to Progent or split responsibilities for Help Desk services seamlessly between your in-house network support staff and Progent's extensive roster of IT service engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless extension of your internal support resources. Client interaction with the Service Desk, provision of technical assistance, escalation, trouble ticket generation and tracking, efficiency measurement, and management of the service database are consistent regardless of whether issues are taken care of by your corporate IT support organization, by Progent, or by a combination. Find out more about Progent's outsourced/shared Help Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a flexible and cost-effective alternative for evaluating, validating, scheduling, applying, and documenting updates to your dynamic IT network. In addition to optimizing the security and functionality of your IT environment, Progent's patch management services allow your in-house IT staff to focus on more strategic projects and tasks that deliver maximum business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication managed services incorporate Cisco's Duo technology to defend against password theft through the use of two-factor authentication (2FA). Duo supports one-tap identity confirmation on Apple iOS, Google Android, and other personal devices. With Duo 2FA, when you sign into a secured online account and enter your password you are requested to verify your identity via a unit that only you have and that is accessed using a different ("out-of-band") network channel. A wide range of devices can be utilized for this added means of authentication such as an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You may designate multiple validation devices. For details about Duo two-factor identity authentication services, visit Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding line of in-depth management reporting tools created to integrate with the leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize key issues such as inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24x7 Oakland CryptoLocker Remediation Support Services, contact Progent at 800-462-8800 or go to Contact Progent.