Ransomware : Your Crippling Information Technology Nightmare
Ransomware Recovery Professionals
Ransomware has become an all-too-frequent cyber pandemic that poses an enterprise-level danger to businesses of all sizes. Versions of crypto-ransomware such as the CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for a long time and still inflict damage. Recent strains such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit and Nephilim, plus as yet unnamed newcomers, not only encrypt online data but also infiltrate whatever system protection has been configured. Files replicated to off-site disaster recovery sites can also be rendered useless. In a poorly designed system, this can defeat automatic restore operations and essentially knock the datacenter back to square one.

Recovering applications and data after a ransomware event becomes a race against time as the victim fights to stop the spread, clean up the ransomware, and restore mission-critical activity. Because ransomware needs time to move laterally, attacks are often launched on nights and weekends, when intrusions typically take longer to detect. This compounds the difficulty of rapidly assembling and orchestrating a qualified response team.

Progent provides a range of solutions for securing businesses from crypto-ransomware events. Among these are team member education to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to deployment of modern security solutions with artificial intelligence technology from SentinelOne to discover and extinguish zero-day threats rapidly. Progent also can provide the services of expert ransomware recovery professionals with the talent and commitment to reconstruct a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Support Services
After a ransomware attack, even paying the ransom demand in cryptocurrency does not ensure that the criminals will provide the keys needed to decrypt any or all of your files. Kaspersky determined that seventeen percent of ransomware victims never recovered their data after sending off the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than typical ransomware demands, which ZDNET determined to be in the range of $13,000. The alternative is to piece back together the vital elements of your Information Technology environment. Without access to complete system backups, this calls for a broad complement of skills, top-notch project management, and the willingness to work non-stop until the recovery project is finished.

For decades, Progent has offered certified expert Information Technology services to companies in San Antonio and across the US and has achieved Microsoft's Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded high-level industry certifications in foundation technologies from Microsoft, Cisco, and VMware, and in the major distributions of Linux. Progent's cybersecurity experts have earned internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (Visit Progent's certifications.) Progent also has expertise in financial systems and ERP application software. This breadth of experience gives Progent the skills to quickly identify the necessary systems, consolidate the remaining pieces of your Information Technology environment after a ransomware attack, and assemble them into a functioning system.

Progent's recovery group deploys state-of-the-art project management systems to coordinate the sophisticated recovery process. Progent knows the urgency of working rapidly and in concert with a client's management and IT team members to assign priority to tasks and to put essential systems back on-line as fast as possible.

Client Story: A Successful Ransomware Incident Restoration
A customer hired Progent after their network was brought down by the Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean state-sponsored criminal gangs, possibly adopting algorithms leaked from America's NSA. Ryuk goes after specific companies with little or no tolerance for disruption and is one of the most lucrative iterations of ransomware. Headline victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in Chicago with around 500 workers. The Ryuk attack had disabled all company operations and manufacturing capabilities. Most of the client's backups were online at the time of the attack and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (in excess of two hundred thousand dollars) and hoping for good luck, but ultimately brought in Progent.

"I can't tell you enough about the expertise Progent gave us during the most fearful period of (our) business's life. We most likely would have paid the hackers behind this attack except for the confidence the Progent group afforded us. That you were able to get our e-mail and essential applications back into operation in less than one week was beyond my wildest dreams. Each expert I got help from or messaged at Progent was laser focused on getting our company operational and was working at breakneck pace to bail us out."

Progent worked together with the client to quickly assess and assign priority to the critical elements that had to be addressed in order to continue company operations:

  • Active Directory
  • Microsoft Exchange Email
  • MRP System

To get going, Progent followed anti-virus/malware incident response best practices by isolating and cleaning up compromised systems. Progent then began bringing Microsoft Active Directory back online, the heart of enterprise networks built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Windows AD, and the client's MRP software relied on SQL Server, which needs Active Directory for access to the databases.

In less than 2 days, Progent was able to restore Active Directory services to their pre-attack state. Progent then helped perform reinstallations and storage recovery on the most important systems. All Exchange data and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to find intact OST files (Outlook Offline Folder Files) on team PCs and laptops to recover email messages. A recent off-line backup of the business's accounting software made it possible to bring these vital services back online. Although major work still had to be done to recover completely from the Ryuk event, essential systems were recovered quickly:


"For the most part, the manufacturing operation did not miss a beat and we did not miss any customer orders."

Throughout the following few weeks important milestones in the restoration project were achieved in tight cooperation between Progent consultants and the customer:

  • In-house web applications were restored without losing any data.
  • The MailStore Microsoft Exchange Server with over four million archived emails was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control functions were 100% operational.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Nearly all of the user desktops and notebooks were operational.

"So much of what transpired during the initial response is nearly entirely a fog for me, but my management will not forget the countless hours all of your team put in to help get our business back. I've utilized Progent for the past 10 years, maybe more, and each time Progent has shined and delivered as promised. This event was a stunning achievement."

Conclusion
A potential business catastrophe was averted through dedicated professionals, a broad spectrum of technical expertise, and tight collaboration. Although in retrospect the ransomware incident detailed here could have been prevented with advanced cyber security technology, ISO/IEC 27001 best practices, user training, and well-designed procedures for data protection and for keeping systems current with security patches, the fact remains that state-sponsored criminal cyber gangs from Russia, China and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, remember that Progent's team of professionals has extensive experience in ransomware defense, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were helping), thanks very much for letting me get rested after we got through the initial fire. All of you did an incredible job, and if any of your guys are in the Chicago area, dinner is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in San Antonio a portfolio of remote monitoring and security assessment services to assist you to reduce the threat from crypto-ransomware. These services utilize modern artificial intelligence capability to uncover zero-day variants of ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based analysis tools to guard physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily escape legacy signature-based AV tools. ProSight ASM protects local and cloud-based resources and offers a unified platform to manage the complete threat lifecycle including blocking, infiltration detection, mitigation, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable multi-layer protection for physical and virtual servers, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced machine learning for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering via cutting-edge tools incorporated within one agent managed from a unified console. Progent's security and virtualization experts can assist your business to plan and configure a ProSight ESP environment that meets your company's unique needs and that helps you demonstrate compliance with government and industry information security regulations. Progent will help you define and configure policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require urgent attention. Progent can also help your company to install and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with advanced backup software companies to create ProSight Data Protection Services (DPS), a selection of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup processes and allow transparent backup and fast recovery of critical files/folders, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS lets you protect against data loss caused by hardware failures, natural disasters, fire, malware such as ransomware, user mistakes, malicious employees, or application bugs. Managed backup services in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these fully managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading information security vendors to provide centralized management and comprehensive protection for all your inbound and outbound email. The architecture of Progent's Email Guard integrates cloud-based filtering with an on-premises gateway appliance to offer protection against spam, viruses, DoS attacks, directory harvest attacks, and other email-borne malware. The cloud filter acts as a first line of defense and keeps the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further layer of analysis for incoming email. For outgoing email, the on-premises security gateway provides AV and anti-spam protection, DLP, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends inside your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to map, monitor, optimize and debug their networking hardware such as switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Using cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are always current, captures and displays the configuration information of almost all devices connected to your network, tracks performance, and generates alerts when potential issues are detected. By automating tedious management activities, ProSight WAN Watch can cut hours off common tasks like network mapping, expanding your network, finding appliances that require important updates, or isolating performance bottlenecks. Find out more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your network running at peak levels by checking the state of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT management staff and your assigned Progent engineering consultant so that any potential issues can be resolved before they can disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the customer owns the data, the OS software, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hosting environment without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, retrieve and protect data about your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as 50% of time wasted looking for vital information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents related to managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes next-generation behavior-based analysis technology to guard endpoints and physical and virtual servers against new malware attacks such as ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus products. Progent ASM services safeguard local and cloud-based resources and offer a single platform to address the complete threat lifecycle including blocking, infiltration detection, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Help Desk: Support Desk Managed Services
    Progent's Call Center services permit your information technology team to offload Help Desk services to Progent or split responsibilities for support services seamlessly between your internal support staff and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a seamless supplement to your corporate network support staff. End user access to the Help Desk, provision of technical assistance, problem escalation, ticket generation and tracking, performance metrics, and maintenance of the support database are cohesive whether incidents are resolved by your corporate support organization, by Progent, or a mix of the two. Read more about Progent's outsourced/shared Help Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide organizations of all sizes a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your ever-evolving IT network. Besides maximizing the security and functionality of your computer network, Progent's patch management services allow your IT staff to focus on more strategic initiatives and tasks that deliver maximum business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo technology to defend against compromised passwords by using two-factor authentication (2FA). Duo enables single-tap identity verification with Apple iOS, Android, and other personal devices. With 2FA, when you sign into a secured online account and give your password you are requested to confirm your identity on a unit that only you possess and that is accessed using a different ("out-of-band") network channel. A broad range of devices can be utilized for this added form of authentication such as a smartphone or wearable, a hardware token, a landline telephone, etc. You can designate multiple verification devices. To find out more about Duo identity validation services, visit Cisco Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of real-time and in-depth management reporting tools created to integrate with the industry's top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like spotty support follow-through or endpoints with out-of-date AVs. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.

For 24/7 San Antonio Crypto-Ransomware Repair Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.