Ransomware : Your Crippling IT Disaster
Ransomware  Recovery ProfessionalsRansomware has become a too-frequent cyber pandemic that represents an existential threat for organizations poorly prepared for an attack. Different iterations of ransomware like the Dharma, CryptoWall, Bad Rabbit, NotPetya and MongoLock cryptoworms have been replicating for a long time and continue to inflict havoc. The latest strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, along with frequent as yet unnamed malware, not only encrypt online critical data but also infiltrate many configured system backup. Data synchronized to the cloud can also be ransomed. In a vulnerable environment, this can make automated recovery hopeless and basically sets the entire system back to square one.

Getting back online services and data after a crypto-ransomware intrusion becomes a sprint against time as the victim fights to contain the damage and clear the virus and to restore business-critical operations. Because ransomware needs time to spread, attacks are usually launched during nights and weekends, when attacks may take longer to recognize. This compounds the difficulty of quickly mobilizing and coordinating a qualified mitigation team.

Progent makes available an assortment of help services for securing organizations from ransomware penetrations. Among these are team education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to setup and configuration of next-generation security gateways with artificial intelligence capabilities from SentinelOne to detect and extinguish zero-day threats quickly. Progent also provides the services of experienced ransomware recovery engineers with the skills and commitment to rebuild a breached network as urgently as possible.

Progent's Ransomware Restoration Help
Soon after a crypto-ransomware attack, sending the ransom in Bitcoin cryptocurrency does not ensure that distant criminals will provide the needed keys to unencrypt any of your data. Kaspersky determined that seventeen percent of ransomware victims never restored their files after having sent off the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is greatly above the usual crypto-ransomware demands, which ZDNET determined to be in the range of $13,000. The other path is to re-install the essential elements of your IT environment. Absent access to complete system backups, this calls for a wide range of IT skills, well-coordinated project management, and the ability to work continuously until the job is over.

For decades, Progent has provided professional Information Technology services for businesses in Oakland and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded high-level industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity specialists have garnered internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise in financial management and ERP application software. This breadth of experience affords Progent the ability to quickly ascertain necessary systems and re-organize the surviving components of your Information Technology environment following a crypto-ransomware penetration and assemble them into a functioning system.

Progent's ransomware group utilizes best of breed project management systems to orchestrate the sophisticated restoration process. Progent understands the urgency of acting quickly and in unison with a customer's management and IT staff to prioritize tasks and to get critical services back online as fast as possible.

Business Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A client escalated to Progent after their network was brought down by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state sponsored criminal gangs, possibly using technology leaked from America's National Security Agency. Ryuk seeks specific organizations with little or no tolerance for operational disruption and is one of the most profitable versions of crypto-ransomware. High publicized organizations include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturing company headquartered in the Chicago metro area with around 500 employees. The Ryuk intrusion had paralyzed all essential operations and manufacturing capabilities. Most of the client's data backups had been on-line at the start of the intrusion and were damaged. The client was evaluating paying the ransom (in excess of $200,000) and praying for good luck, but ultimately called Progent.


"I can't say enough in regards to the help Progent gave us throughout the most critical time of (our) company's existence. We had little choice but to pay the cyber criminals except for the confidence the Progent group afforded us. That you could get our e-mail and key servers back quicker than 1 week was something I thought impossible. Each staff member I got help from or e-mailed at Progent was laser focused on getting our system up and was working non-stop on our behalf."

Progent worked together with the client to rapidly get our arms around and prioritize the key areas that needed to be restored to make it possible to restart business operations:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP
To begin, Progent followed Anti-virus event response industry best practices by halting the spread and performing virus removal steps. Progent then started the process of restoring Active Directory, the core of enterprise environments built on Microsoft Windows technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the customer's accounting and MRP applications utilized Microsoft SQL, which requires Windows AD for security authorization to the database.

Within 2 days, Progent was able to recover Active Directory to its pre-intrusion state. Progent then helped perform rebuilding and hard drive recovery on mission critical servers. All Exchange data and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to collect non-encrypted OST files (Outlook Email Off-Line Data Files) on user PCs and laptops to recover mail messages. A recent off-line backup of the customer's financials/MRP systems made them able to return these required programs back servicing users. Although major work needed to be completed to recover totally from the Ryuk damage, essential services were restored quickly:


"For the most part, the production operation never missed a beat and we did not miss any customer orders."

Throughout the next few weeks critical milestones in the recovery project were made in close collaboration between Progent engineers and the client:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore Microsoft Exchange Server exceeding 4 million archived messages was brought online and accessible to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables/Inventory modules were completely functional.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Ninety percent of the user desktops and notebooks were being used by staff.

"A lot of what happened during the initial response is mostly a fog for me, but my team will not soon forget the commitment all of the team accomplished to give us our business back. I've been working together with Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This time was a stunning achievement."

Conclusion
A possible business-killing disaster was evaded due to results-oriented professionals, a broad range of subject matter expertise, and tight collaboration. Although in analyzing the event afterwards the ransomware penetration detailed here would have been identified and prevented with modern cyber security solutions and ISO/IEC 27001 best practices, user training, and well thought out security procedures for data backup and keeping systems up to date with security patches, the fact is that state-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware virus, remember that Progent's roster of professionals has proven experience in ransomware virus defense, mitigation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for allowing me to get some sleep after we got over the initial fire. All of you did an impressive effort, and if anyone is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent can provide companies in Oakland a portfolio of remote monitoring and security evaluation services to assist you to reduce the threat from crypto-ransomware. These services include modern artificial intelligence capability to uncover zero-day variants of ransomware that are able to get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's next generation behavior analysis tools to guard physical and virtual endpoint devices against new malware attacks like ransomware and email phishing, which easily get by traditional signature-matching AV products. ProSight Active Security Monitoring safeguards on-premises and cloud resources and provides a unified platform to automate the complete malware attack lifecycle including blocking, detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection services offer affordable in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all vectors. ProSight ESP offers firewall protection, penetration alarms, device control, and web filtering through leading-edge tools incorporated within a single agent managed from a single control. Progent's data protection and virtualization consultants can assist your business to plan and configure a ProSight ESP environment that meets your organization's specific requirements and that helps you prove compliance with government and industry information security regulations. Progent will help you define and configure security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that require immediate action. Progent's consultants can also assist your company to install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore software companies to produce ProSight Data Protection Services (DPS), a portfolio of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup processes and enable transparent backup and rapid recovery of important files, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business recover from data loss caused by hardware failures, natural calamities, fire, cyber attacks such as ransomware, human error, ill-intentioned employees, or software glitches. Managed backup services in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these fully managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security companies to provide web-based control and comprehensive security for all your email traffic. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway appliance to provide advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your vulnerability to external threats and conserves network bandwidth and storage. Email Guard's onsite gateway appliance adds a further level of inspection for inbound email. For outgoing email, the onsite gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also assist Exchange Server to monitor and safeguard internal email traffic that stays inside your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for smaller organizations to map, track, optimize and troubleshoot their connectivity appliances like routers, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and displays the configuration information of virtually all devices on your network, tracks performance, and generates notices when problems are detected. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common chores such as making network diagrams, reconfiguring your network, locating appliances that need critical software patches, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system operating at peak levels by tracking the health of vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your specified IT management staff and your Progent engineering consultant so all potential problems can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved easily to a different hardware solution without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and safeguard information about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted automatically about upcoming expirations of SSLs ,domains or warranties. By cleaning up and managing your network documentation, you can eliminate as much as half of time thrown away looking for vital information about your IT network. ProSight IT Asset Management features a centralized location for storing and sharing all documents related to managing your network infrastructure like recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection solution that incorporates next generation behavior analysis tools to defend endpoints as well as physical and virtual servers against modern malware assaults like ransomware and email phishing, which easily get by legacy signature-based AV tools. Progent ASM services safeguard local and cloud-based resources and provides a unified platform to address the complete malware attack lifecycle including blocking, infiltration detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Help Desk Managed Services
    Progent's Call Desk managed services permit your information technology team to outsource Help Desk services to Progent or divide responsibilities for Help Desk services transparently between your internal support staff and Progent's nationwide pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a seamless supplement to your in-house IT support group. Client access to the Service Desk, provision of support, issue escalation, ticket generation and tracking, performance measurement, and management of the support database are cohesive whether issues are resolved by your core support group, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/co-managed Help Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide organizations of all sizes a versatile and cost-effective solution for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT system. In addition to maximizing the protection and reliability of your computer network, Progent's software/firmware update management services allow your IT team to concentrate on more strategic projects and activities that derive maximum business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication (2FA). Duo supports one-tap identity confirmation on iOS, Android, and other personal devices. Using Duo 2FA, when you sign into a protected online account and give your password you are requested to confirm your identity via a device that only you possess and that uses a different network channel. A wide range of devices can be used for this second means of ID validation including an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You can designate multiple verification devices. To find out more about Duo two-factor identity validation services, visit Duo MFA two-factor authentication services.
For Oakland 24x7 Crypto Recovery Consultants, call Progent at 800-462-8800 or go to Contact Progent.