Ransomware: Your Feared IT Nightmare
Ransomware Remediation Experts
Crypto-ransomware has become a modern cyberplague that poses an enterprise-level danger for businesses poorly prepared for an attack. Multiple generations of ransomware such as the Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock families have been running rampant for a long time and continue to cause damage. More recent ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, plus a steady stream of as-yet-unnamed variants, not only encrypts online data files but also infiltrates any reachable system backups. Information synced to cloud environments can also be rendered useless. With a poorly designed data protection solution, this renders automatic recovery useless and effectively sets the network back to zero.

Getting applications and data back online following a ransomware event becomes a race against time as the targeted business tries its best to contain and clean up the ransomware and to restore enterprise-critical activity. Since ransomware takes time to spread, attacks are often launched at night, when successful intrusions typically take longer to detect. This compounds the difficulty of quickly assembling and orchestrating a knowledgeable mitigation team.

Progent provides an assortment of solutions for protecting enterprises from ransomware penetrations. Among these are user training to recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and setup and configuration of the latest generation of security gateways with AI technology from SentinelOne to detect and disable new cyber attacks rapidly. Progent can also provide the services of experienced ransomware recovery professionals with the track record and commitment to restore a compromised network as soon as possible.

Progent's Ransomware Restoration Help
After a ransomware event, paying the ransom demand in Bitcoin does not guarantee that the criminal gang will hand over the keys needed to decrypt any of your files. Kaspersky determined that seventeen percent of ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET estimates to be around $13,000. The other path is to piece back together the mission-critical components of your IT environment. Without access to full data backups, this calls for a broad complement of IT skills, well-coordinated team management, and the willingness to work 24x7 until the recovery project is over.

For two decades, Progent has offered expert Information Technology services for businesses in Joinville and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have been awarded high-level certifications in important technologies including Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security consultants have earned internationally recognized industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has expertise in financial systems and ERP applications. This breadth of expertise gives Progent the capability to quickly understand the affected systems, salvage the surviving pieces of your network environment following a ransomware event, and assemble them into an operational system.

Progent's security group uses top-notch project management systems to orchestrate the sophisticated recovery process. Progent knows the importance of acting rapidly and in concert with a customer's management and Information Technology team members to assign priority to tasks and to put the most important applications back online as fast as humanly possible.

Customer Story: A Successful Ransomware Intrusion Restoration
A small business hired Progent after their network was taken over by Ryuk ransomware. Ryuk is believed to have been created by North Korean government-sponsored cybercriminals, possibly adapting algorithms leaked from the United States National Security Agency. Ryuk targets specific companies with little tolerance for disruption and is among the most lucrative examples of crypto-ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a small manufacturing business based in Chicago with about 500 staff members. The Ryuk event had disabled all company operations and manufacturing capabilities. Most of the client's backups had been online at the start of the attack and were destroyed. The client considered paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I cannot tell you enough in regards to the help Progent provided us during the most critical period of (our) company's existence. We would have had little choice but to pay the hackers behind this attack if it hadn't been for the confidence the Progent group gave us. That you were able to get our e-mail system and essential applications back on-line in under seven days was amazing. Every single expert I interacted with or texted at Progent was absolutely committed to getting our company operational and was working at all hours to bail us out."

Progent worked hand in hand with the client to quickly assess and prioritize the essential services that needed to be restored to make it possible to restart departmental operations:

  • Windows Active Directory
  • Electronic Mail
  • MRP System

To start, Progent adhered to industry best practices for malware incident response by stopping the spread and cleaning up compromised systems. Progent then began the steps of restoring Active Directory, the core of enterprise networks built on Microsoft Windows technology. Exchange email will not operate without Active Directory, and the business's financials and MRP applications used Microsoft SQL Server, which relies on Windows AD to authenticate and authorize access to the data.

In less than 2 days, Progent was able to recover Active Directory services to their pre-attack state. Progent then helped rebuild key systems and recover their storage. All Microsoft Exchange Server data and attributes were usable, which facilitated the restore of Exchange. Progent was able to collect local OST files (Outlook Offline Data Files) from staff workstations and laptops to recover email data. A recent offline backup of the business's financials/ERP software made it possible to bring these essential services back online for users. Although a lot of work remained to recover completely from the Ryuk attack, core systems were returned to operation quickly:


"For the most part, the manufacturing operation was never shut down and we made all customer deliverables."

Throughout the next couple of weeks, key milestones in the restoration process were achieved through tight collaboration between Progent engineers and the customer:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore Exchange Server with over 4 million archived emails was brought online and available for users.
  • CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory Control capabilities were 100% recovered.
  • A new Palo Alto 850 firewall was set up.
  • Ninety percent of the user PCs were back in operation.

"Much of what happened during the initial response is mostly a fog for me, but I will not soon forget the care each and every one of your team accomplished to give us our business back. I have been working with Progent for the past 10 years, possibly more, and each time I needed help Progent has shined and delivered as promised. This event was a Herculean accomplishment."

Conclusion
A potential business-killing catastrophe was averted with hard-working professionals, a broad array of IT skills, and tight collaboration. In hindsight, the ransomware incident described here should have been stopped by advanced security solutions and best practices: user education, properly executed backup procedures, and proper patching controls. The fact remains, however, that state-sponsored criminal cyber gangs from China, North Korea and elsewhere are relentless and are not going away. If you do get hit by ransomware, feel confident that Progent's roster of experts has extensive experience in crypto-ransomware blocking, removal, and information systems disaster recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thanks very much for letting me get some sleep after we made it through the initial fire. All of you did a fabulous job, and if any of your guys is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this ransomware incident report, click: Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Joinville a portfolio of online monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services include modern AI capability to detect new strains of crypto-ransomware that can escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next-generation behavioral machine learning technology to defend physical and virtual endpoint devices against modern malware attacks such as ransomware and fileless exploits, which easily get by traditional signature-matching AV tools. ProSight ASM protects on-premises and cloud-based resources and provides a single platform to automate the complete malware attack lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against new attacks. Progent is a certified SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services offer economical in-depth protection for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and reacting to security threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering through cutting-edge technologies packaged within one agent accessible from a single console. Progent's security and virtualization consultants can help you design and implement a ProSight ESP environment that addresses your company's specific requirements and that helps you demonstrate compliance with legal and industry information security standards. Progent will help you specify and implement the security policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alerts that require immediate action. Progent's consultants can also help your company install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with advanced backup/restore technology companies to create ProSight Data Protection Services, a family of subscription-based management offerings that provide backup-as-a-service. ProSight DPS services automate and monitor your data backup operations and allow transparent backup and fast recovery of critical files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you recover from data loss caused by equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight DPS product family include ProSight Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of top information security vendors to deliver web-based control and world-class security for all your inbound and outbound email. The hybrid structure of Progent's Email Guard combines cloud-based filtering with a local security gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first line of defense and blocks the vast majority of unwanted email from reaching your network firewall. This decreases your exposure to external attacks and conserves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a further level of inspection for inbound email. For outbound email, the local gateway offers AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server in monitoring and safeguarding internal email traffic that stays inside your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map out, monitor, reconfigure and troubleshoot their connectivity appliances such as switches, firewalls, and load balancers plus servers, printers, endpoints and other devices. Using state-of-the-art RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, copies and manages the configuration of almost all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating time-consuming management activities, WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, finding appliances that need critical updates, or identifying the cause of performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by checking the health of the vital computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is sent automatically to your designated IT management staff and your Progent consultant so that any potential issues can be resolved before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Because the environment is virtualized, it can be ported easily to an alternate hosting solution without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect information related to your network infrastructure, processes, business apps, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can save up to half the time wasted looking for vital information about your network. ProSight IT Asset Management includes a centralized location for holding and sharing all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning improvements, doing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes cutting-edge behavior analysis tools to guard endpoints and physical and virtual servers against new malware assaults like ransomware and fileless exploits, which routinely escape legacy signature-based anti-virus products. Progent ASM services protect local and cloud resources and provide a unified platform to manage the entire threat lifecycle including protection, detection, mitigation, remediation, and forensics. Top capabilities include single-click rollback using Windows VSS and real-time system-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Service Desk: Call Center Managed Services
    Progent's Support Center services enable your information technology group to outsource Call Center services to Progent or divide responsibilities for Service Desk support transparently between your in-house network support team and Progent's nationwide roster of certified IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a smooth extension of your in-house support organization. User access to the Service Desk, delivery of technical assistance, escalation, trouble ticket creation and tracking, efficiency metrics, and management of the support database are cohesive whether incidents are resolved by your in-house support organization, by Progent, or by a combination. Learn more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer organizations of all sizes a versatile and cost-effective alternative for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT system. Besides maximizing the security and reliability of your computer environment, Progent's patch management services allow your in-house IT team to focus on line-of-business initiatives and activities that derive the highest business value from your information network. Read more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication. Duo enables one-tap identity confirmation with iOS, Android, and other out-of-band devices. With 2FA, when you sign into a protected online account and give your password, you are asked to confirm who you are via a device that only you have and that uses a different network channel. A wide selection of out-of-band devices can be used for this second form of ID validation, such as an iPhone, Android phone or wearable, a hardware or software token, a landline phone, etc. You can register multiple validation devices. For more information about ProSight Duo identity authentication services, see Duo MFA two-factor authentication (2FA) services for access security.

For 24/7/365 Joinville CryptoLocker Recovery Services, contact Progent at 800-462-8800 or go to Contact Progent.