Ransomware: Your Feared Information Technology Catastrophe
Ransomware Recovery Professionals
Ransomware has become an escalating cyber pandemic that presents an extinction-level danger for businesses vulnerable to an assault. Different versions of crypto-ransomware such as Reveton, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been circulating for years and still inflict damage. Recent variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, along with daily unnamed strains, not only encrypt online data files but also attack any configured system protection. Files synchronized to cloud environments can also be rendered useless. In a poorly architected system, this can make any restore operation useless and essentially sets the datacenter back to zero.

Getting applications and information back after a ransomware intrusion becomes a race against the clock as the targeted business fights to stop lateral movement, eradicate the ransomware, and restore mission-critical activity. Since ransomware requires time to spread, attacks are frequently launched at night, when successful attacks in many cases take longer to recognize. This multiplies the difficulty of quickly assembling and coordinating an experienced response team.

Progent makes available a range of solutions for securing enterprises against crypto-ransomware penetrations. Among these are team training to help staff recognize and not fall victim to phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of modern security appliances with artificial intelligence technology from SentinelOne to detect and disable zero-day cyber attacks intelligently. Progent can also provide the assistance of veteran ransomware recovery consultants with the track record and perseverance to rebuild a compromised network as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
After a crypto-ransomware penetration, paying the ransom demand in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the keys needed to decrypt all your data. Kaspersky Labs estimated that 17% of ransomware victims never restored their files after having paid the ransom, resulting in further losses. The gamble is also costly. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the usual ransomware demand, which ZDNET determined to be in the range of $13,000. The fallback is to piece back together the vital parts of your Information Technology environment. Without the availability of essential system backups, this calls for a wide complement of IT skills, well-coordinated team management, and the capability to work non-stop until the task is complete.

For twenty years, Progent has made available expert IT services for companies in Joinville and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained top industry certifications in foundation technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security experts have earned internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has experience in accounting and ERP software solutions. This breadth of expertise affords Progent the skills to efficiently identify critical systems and re-organize the surviving parts of your IT system after a crypto-ransomware event and configure them into an operational network.

Progent's security group has best of breed project management tools to orchestrate the complicated restoration process. Progent understands the urgency of acting swiftly and in concert with a client's management and Information Technology resources to assign priority to tasks and to get critical services back on-line as soon as possible.

Customer Story: A Successful Ransomware Attack Restoration
A business sought out Progent after their company was attacked by the Ryuk ransomware virus. Ryuk is believed to have been created by North Korean state cybercriminals, suspected of using algorithms exposed from the U.S. NSA organization. Ryuk targets specific companies with little or no ability to sustain disruption and is among the most profitable instances of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing company based in the Chicago metro area with around 500 workers. The Ryuk intrusion had brought down all business operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible at the beginning of the intrusion and were eventually encrypted. The client considered paying the ransom demand (exceeding $200K) and praying for good luck, but in the end made the decision to use Progent.


"I can't say enough about the expertise Progent provided us throughout the most stressful period of (our) company's survival. We would have paid the criminal gangs if not for the confidence the Progent team provided us. The fact that you could get our e-mail and critical servers back into operation in less than one week was incredible. Every single consultant I interacted with or texted at Progent was hell bent on getting my company operational and was working day and night on our behalf."

Progent worked together with the customer to quickly understand and assign priority to the most important services that needed to be recovered to make it possible to continue departmental functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software

To get going, Progent followed incident response best practices by halting lateral movement and cleaning up compromised systems. Progent then began the steps of restoring Microsoft Active Directory, the heart of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not function without Windows AD, and the client's accounting and MRP applications used Microsoft SQL Server, which depended on Active Directory services to authenticate and authorize access to the database.

Within 48 hours, Progent was able to restore Active Directory services to their pre-attack state. Progent then rebuilt the needed systems and recovered data from their hard drives. All Microsoft Exchange Server schema and configuration information was usable, which facilitated the restore of Exchange. Progent was also able to find non-encrypted OST files (Microsoft Outlook Offline Folder Files) on user desktop computers and laptops in order to recover mail data. A recent off-line backup of the business's accounting/ERP software allowed these required applications to be returned to service for users. Although a large amount of work remained to recover fully from the Ryuk damage, critical systems were restored quickly:


"For the most part, the production line operation did not miss a beat and we did not miss any customer sales."
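Locating non-encrypted OST files on workstations, as described in the recovery narrative above, is one of the steps that brought mail data back in this case study. The Python script below is an added example, not Progent's tooling and not code from the original page: it triages candidate OST/PST files read-only by checking for the "!BDN" magic that opens every Outlook PFF container header and by measuring the entropy of the leading bytes, so a responder can see which mailbox files still have an intact header before spending time on them. The sample byte strings, file names (including the ".locked" suffix) and the entropy threshold are constructed for illustration.

```python
"""Triage candidate Outlook OST/PST files recovered from user workstations.

Outlook's offline and personal data files (OST/PST) use Microsoft's PFF
container format, whose header starts with the 4-byte magic "!BDN". A file
that a ransomware encryptor has rewritten in full no longer starts with that
magic and its bytes look random, so a header check plus a byte-entropy
measurement gives a quick, read-only way to separate mailbox files worth
pulling into a recovery from files that are already lost.
"""
import math
import os
import tempfile
from collections import Counter

PFF_MAGIC = b"!BDN"   # dwMagic at offset 0 of every OST/PST header
SAMPLE_BYTES = 4096   # leading bytes inspected per file
HIGH_ENTROPY = 7.5    # bits per byte; ciphertext sits close to 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total)
                for n in Counter(data).values())


def classify_outlook_file(sample: bytes) -> str:
    """Classify a file from its leading bytes.

    "intact"    - PFF magic present; the container header survived
    "encrypted" - no magic and near-random bytes; likely ransomware output
    "unknown"   - no magic and low entropy; zeroed, truncated, or not an
                  Outlook file at all; inspect by hand
    """
    if sample.startswith(PFF_MAGIC):
        return "intact"
    if shannon_entropy(sample) >= HIGH_ENTROPY:
        return "encrypted"
    return "unknown"


def triage_directory(root: str) -> dict:
    """Classify every OST/PST file under root by its leading bytes.

    Ransomware commonly appends its own extension to encrypted files
    (e.g. "mail.ost.<ext>"), so the Outlook extension is matched anywhere
    in the file name, not only at the end. Files are opened read-only.
    """
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            lowered = name.lower()
            if ".ost" not in lowered and ".pst" not in lowered:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results[path] = classify_outlook_file(fh.read(SAMPLE_BYTES))
    return results


# Constructed samples for the demo; none of this is real mailbox data.
INTACT_SAMPLE = PFF_MAGIC + b"\x00" * 508        # magic, then a sparse header
ENCRYPTED_SAMPLE = bytes(range(256)) * 2         # uniform bytes: entropy 8.0
ZEROED_SAMPLE = b"\x00" * 512                    # wiped or truncated file


def demo_triage() -> dict:
    """Write the constructed samples into a temp directory and triage it."""
    files = {
        "alice.ost": INTACT_SAMPLE,
        "bob.ost.locked": ENCRYPTED_SAMPLE,   # ".locked" is a made-up suffix
        "carol.pst": ZEROED_SAMPLE,
        "notes.txt": ENCRYPTED_SAMPLE,        # not an Outlook file; skipped
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): v
                for p, v in triage_directory(root).items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo_triage().items()):
        print(f"{name:16s} {verdict}")
```

The header check is a fast first pass, not proof of integrity: some ransomware strains encrypt only part of each file or skip the first bytes, so a file reported as "intact" should still be opened with Outlook or the Inbox Repair Tool from a copy before it is relied on, and the originals should be preserved unchanged for forensics.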

During the next couple of weeks, important milestones in the restoration process were accomplished in close collaboration between Progent engineers and the client:

  • In-house web sites were restored with no loss of information.
  • The MailStore server for Exchange, holding more than 4 million historical messages, was brought on-line and made available to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivable/Inventory capabilities were 100% functional.
  • A new Palo Alto 850 firewall was brought online.
  • Ninety percent of the desktop computers were operational.

"So much of what occurred in the early hours is nearly entirely a haze for me, but our team will not forget the countless hours each of the team put in to help get our business back. I have utilized Progent for the past ten years, maybe more, and each time I needed help Progent has shined and delivered. This time was no exception but maybe more Herculean."

Conclusion
A potential business extinction disaster was averted through the efforts of top-tier professionals, a broad range of technical expertise, and close teamwork. Although in retrospect the ransomware attack described here could have been identified and blocked with modern security systems and security best practices, user and IT administrator education, and well thought out procedures for information backup and software patching, the reality is that state-sponsored cyber criminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, be confident that Progent's team of professionals has extensive experience in ransomware virus blocking, remediation, and information systems restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for making it so I could get rested after we got over the initial fire. Everyone did an incredible effort, and if any of your guys is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Ryuk Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide businesses in Joinville a variety of remote monitoring and security assessment services designed to help you to reduce your vulnerability to crypto-ransomware. These services incorporate next-generation artificial intelligence capability to detect zero-day strains of ransomware that are able to evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's cutting-edge behavior-based analysis technology to defend physical and virtual endpoints against modern malware assaults such as ransomware and fileless exploits, which easily evade traditional signature-matching anti-virus products. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a unified platform to manage the entire malware attack lifecycle including blocking, identification, containment, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer ultra-affordable in-depth security for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools packaged within a single agent accessible from a unified console. Progent's data protection and virtualization experts can assist you to design and implement a ProSight ESP deployment that addresses your company's unique needs and that helps you achieve and demonstrate compliance with legal and industry data protection standards. Progent will help you define and configure the policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require immediate attention. Progent's consultants can also help your company install and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup technology companies to produce ProSight Data Protection Services, a family of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS products automate and track your backup processes and allow non-disruptive backup and fast recovery of important files/folders, apps, system images, and virtual machines. ProSight DPS helps your business avoid data loss caused by hardware failures, natural calamities, fire, cyber attacks such as ransomware, user mistakes, malicious employees, or software bugs. Managed backup services in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of top data security vendors to deliver centralized management and world-class protection for all your email traffic. The hybrid architecture of Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway device to offer advanced defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's cloud filter acts as a first line of defense and keeps most unwanted email from making it to your network firewall. This reduces your vulnerability to inbound threats and saves system bandwidth and storage. Email Guard's onsite security gateway device adds a deeper layer of inspection for incoming email. For outbound email, the local security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your corporate firewall. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to map, track, enhance and debug their networking appliances such as routers, firewalls, and load balancers as well as servers, client computers and other devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and manages the configuration of virtually all devices on your network, monitors performance, and sends notices when issues are discovered. By automating complex management and troubleshooting activities, ProSight WAN Watch can cut hours off common chores such as network mapping, expanding your network, locating appliances that need critical updates, or isolating performance bottlenecks. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management (RMM) technology to keep your network operating efficiently by checking the state of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your designated IT management personnel and your Progent consultant so that all potential problems can be resolved before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Since the system is virtualized, it can be moved immediately to an alternate hardware environment without requiring a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and protect information about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can save up to half the time spent looking for critical information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents required for managing your network infrastructure such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT information. Whether you're making enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that incorporates next-generation behavior-based machine learning technology to guard endpoint devices as well as servers and VMs against new malware attacks such as ransomware and email phishing, which routinely escape legacy signature-based anti-virus tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provide a single platform to manage the complete threat progression including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Call Desk: Help Desk Managed Services
    Progent's Support Center managed services permit your IT staff to offload Help Desk services to Progent or divide responsibilities for support services seamlessly between your in-house support group and Progent's nationwide pool of certified IT service technicians, engineers and subject matter experts. Progent's Shared Service Desk provides a seamless supplement to your core network support staff. End user access to the Service Desk, provision of support, escalation, trouble ticket generation and updates, performance metrics, and maintenance of the support database are consistent regardless of whether issues are resolved by your in-house support organization, by Progent, or by a combination. Find out more about Progent's outsourced/shared Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide organizations of all sizes a flexible and affordable alternative for assessing, validating, scheduling, applying, and documenting updates to your dynamic IT system. Besides maximizing the protection and reliability of your computer environment, Progent's patch management services allow your in-house IT team to concentrate on line-of-business projects and tasks that deliver maximum business value from your information network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo authentication managed services incorporate Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity verification with iOS, Google Android, and other out-of-band devices. With 2FA, when you sign into a secured application and enter your password, you are asked to confirm your identity on a device that only you have and that uses a different network channel. A wide selection of devices can be used for this added means of authentication, such as a smartphone or wearable, a hardware/software token, or a landline phone. You can designate multiple verification devices. To find out more about ProSight Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of real-time and in-depth reporting tools created to integrate with the leading ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize critical issues such as inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.

For Joinville 24-7 Crypto-Ransomware Removal Support Services, contact Progent at 800-462-8800 or go to Contact Progent.