Ransomware: Your Crippling IT Nightmare
Ransomware Recovery Professionals
Ransomware has become an all-too-frequent cyber pandemic that represents an extinction-level danger for businesses poorly prepared for an attack. Earlier generations of crypto-ransomware such as Dharma, WannaCry, Bad Rabbit and MongoLock (WannaCry and Bad Rabbit spread on their own as worms) have been circulating for years and continue to cause havoc. The latest strains, such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Snatch and Egregor, plus daily unnamed newcomers, not only encrypt online data but also seek out and encrypt or delete any backups reachable from the compromised network. Data synchronized to cloud storage can be corrupted as well, because the sync client faithfully replicates the encrypted files. In a poorly architected environment this makes automated restoration hopeless and effectively knocks the datacenter back to zero.

Restoring applications and data following a ransomware event becomes a race against time as the targeted business tries to stop the spread, clean up the crypto-ransomware, and resume business-critical activity. Because ransomware takes time to spread, intrusions are usually sprung on weekends and holidays, when they are likely to go unnoticed for longer. This compounds the difficulty of quickly mobilizing and organizing a knowledgeable response team.

Progent provides a variety of services for protecting organizations from crypto-ransomware attacks. Among these are staff training to help employees recognize and not fall victim to phishing, ProSight Active Security Monitoring for managed endpoint protection, and setup and configuration of SentinelOne's behavior-based, machine-learning endpoint security to detect and stop zero-day threats. Progent also provides the services of veteran crypto-ransomware recovery consultants with the talent and perseverance to rebuild a compromised network as quickly as possible.

Progent's Ransomware Recovery Support Services
Following a crypto-ransomware attack, even paying the ransom in cryptocurrency provides no assurance that the criminals will hand over the keys to decrypt any or all of your data. Kaspersky estimated that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is also costly: Ryuk demands are commonly a few hundred thousand dollars, and for larger enterprises can reach millions. The alternative is to piece back together the mission-critical elements of your IT environment. Without access to complete, uncompromised backups, this calls for a broad complement of IT skills, well-coordinated team management, and the ability to work non-stop until the job is done.

For two decades, Progent has provided professional IT services for companies across the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who hold top industry certifications in leading technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally recognized credentials including CISA, CISSP, ISACA CRISC, GIAC, and CMMC 2.0. (See Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth of expertise gives Progent the ability to quickly understand the systems involved, reorganize the remaining pieces of your IT environment after a ransomware event, and rebuild them into an operational system.

Progent's recovery team uses professional project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and in unison with the client's management and IT staff to prioritize tasks and bring critical services back online as soon as possible.

Client Story: A Successful Ransomware Recovery
A business escalated to Progent after its network was brought down by the Ryuk ransomware. Ryuk was initially attributed to North Korean state actors because it shares code with the earlier Hermes ransomware, but it is now generally attributed to a Russian-speaking criminal group (tracked by CrowdStrike as Wizard Spider). Ryuk targets specific companies with limited tolerance for operational disruption and is among the most lucrative ransomware families. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and Tribune Publishing, owner of the Chicago Tribune. Progent's customer is a regional manufacturing business in the Chicago metro area with about 500 employees. The Ryuk intrusion had brought down all company operations and manufacturing processes. Most of the client's backups had been online when the intrusion started and were destroyed. The client was preparing to pay the ransom (more than $200,000) and hoping for the best, but ultimately decided to engage Progent.


"I can't say enough about the support Progent provided us throughout the most fearful time of (our) business's survival. We would have paid the hackers except for the confidence the Progent group provided us. The fact that you were able to get our messaging and important applications back online in less than five days was beyond my wildest dreams. Each consultant I got help from or e-mailed at Progent was absolutely committed to getting us operational and was working non-stop on our behalf."

Progent worked with the customer to quickly identify and prioritize the mission-critical systems that had to be restored in order to resume company operations:

  • Active Directory
  • Microsoft Exchange
  • Financials/MRP
To get going, Progent followed standard incident-containment practice: isolate infected hosts, halt lateral movement, and clean infected systems before anything is rebuilt on them. Progent then began recovering Active Directory, the foundation of enterprise networks built on Microsoft Windows. Microsoft Exchange Server will not function without Active Directory, and the client's MRP software ran on Microsoft SQL Server configured for Windows authentication, so database logins also depended on Active Directory.

In less than 48 hours, Progent recovered Active Directory to its pre-intrusion state. Progent then completed setup and storage recovery for the needed applications. All Exchange Server schema extensions and attributes were intact, which accelerated the Exchange restore. Progent located intact OST files (Outlook offline data files) on user workstations and laptops and used them to recover mailbox contents. A recent offline backup of the customer's manufacturing systems made it possible to bring these vital services back online. Although significant work remained to recover completely from the Ryuk attack, essential services were restored rapidly:
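The restore above hinged on a backup the attackers could not reach, while the online backups they could reach were destroyed. Before any restore from a surviving set, a practitioner confirms that it still matches what was originally written, since a backup store the ransomware touched holds ciphertext, renamed files and ransom notes rather than data. The following Python script is an added example, not Progent's tooling or anything from the case: it hashes a backup set into a manifest (which in practice is stored offline or on immutable storage), simulates ransomware reaching the share, and reports what no longer matches. The file names, contents and the .RYK renaming are constructed for the demonstration.

```python
"""Verify a backup set against an offline manifest before restoring from it.

Added example; not Progent's or any backup vendor's tooling. Ransomware
that reaches a backup share encrypts the files in place and often renames
them (Ryuk appends .RYK), and a restore from an unverified set silently
puts ciphertext back into production. The check is simple: hash every
file when the backup is written, keep the manifest where the compromised
domain has no write access, and compare before trusting the set. The
backup files and the simulated tampering below are constructed in a
temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the backup set on disk with the manifest taken at backup time."""
    current = build_manifest(root)
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)      # deleted or renamed (e.g. to .RYK)
        elif current[rel] != digest:
            report["modified"].append(rel)     # overwritten in place
        else:
            report["ok"].append(rel)
    # Files the manifest never saw: renamed ciphertext, ransom notes, droppers.
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def is_restorable(report: Dict[str, List[str]]) -> bool:
    """Only restore from a set whose every file matches the offline manifest."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> Dict[str, List[str]]:
    """Write a small backup set, take the manifest, simulate ransomware
    reaching the share, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "mrp").mkdir(parents=True)
        (root / "mrp" / "orders.bak").write_bytes(b"constructed stand-in for an MRP orders table backup\n")
        (root / "mrp" / "inventory.bak").write_bytes(b"constructed stand-in for an MRP inventory table backup\n")
        (root / "ntds.dit").write_bytes(b"constructed stand-in for an Active Directory database backup\n")
        manifest = build_manifest(root)   # in practice: written to offline/immutable storage

        # Simulated tampering: one file overwritten with random bytes, one
        # "encrypted" and renamed with a .RYK extension, and a ransom note dropped.
        (root / "ntds.dit").write_bytes(os.urandom(64))
        (root / "mrp" / "orders.bak").rename(root / "mrp" / "orders.bak.RYK")
        (root / "README_RANSOM.txt").write_text("constructed ransom note\n")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    result = demo()
    for status, files in result.items():
        print(f"{status:10s} {files}")
    print("safe to restore:", is_restorable(result))
```

Run the block directly to see the report; `is_restorable` returns False for the tampered set because one file was overwritten, one went missing under its original name, and two unexpected files appeared. A hash mismatch also fires on legitimate changes to a backup file, so the manifest must be regenerated and re-stored by the backup job itself, never patched by hand after the fact.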


"For the most part, the production line operation did not miss a beat and we delivered all customer sales."

During the following few weeks, critical milestones in the recovery project were completed in close cooperation between Progent engineers and the customer:

  • Self-hosted web applications were restored without losing any information.
  • The MailStore email archive server, holding more than four million archived messages, was brought back up and made available to users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables (AR)/Inventory Control modules were 100% operational.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Nearly all of the user PCs were functioning as before the incident.

"A lot of what was accomplished during the initial response is mostly a blur for me, but I will not soon forget the dedication each of you put in to help get our company back. I've been working together with Progent for the past ten years, possibly more, and every time Progent has shined and delivered as promised. This situation was a stunning achievement."

Conclusion
A probable business-extinction catastrophe was averted by results-oriented professionals, a broad range of subject matter expertise, and close teamwork. In retrospect, the intrusion described here could have been blocked by modern security tooling and best practices: staff training, offline or immutable backups, timely patching, and well-rehearsed incident response procedures. The reality, however, is that state-sponsored and criminal cyber gangs from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to ransomware, be confident that Progent's team of experts has extensive experience in crypto-ransomware defense, mitigation, and disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were contributing), thank you for allowing me to get rested after we made it past the initial fire. Everyone did a fabulous effort, and if anyone that helped is visiting the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in San Antonio a variety of remote monitoring and security evaluation services to assist you to reduce your vulnerability to ransomware. These services include modern artificial intelligence technology to uncover new variants of crypto-ransomware that are able to escape detection by traditional signature-based security solutions.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network running at peak levels by tracking the state of critical computers that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT staff and your Progent engineering consultant so that all potential problems can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight LAN Watch with NinjaOne RMM: Centralized RMM for Networks, Servers, and Desktops
    ProSight LAN Watch with NinjaOne RMM software delivers a unified, cloud-based platform for managing your client-server infrastructure by providing an environment for streamlining common time-consuming tasks. These include health checking, patch management, automated remediation, endpoint setup, backup and restore, anti-virus defense, remote access, built-in and custom scripts, resource inventory, endpoint status reports, and troubleshooting assistance. When ProSight LAN Watch with NinjaOne RMM spots a serious issue, it sends an alarm to your specified IT management personnel and your Progent technical consultant so emerging issues can be taken care of before they interfere with your network. Find out more about ProSight LAN Watch with NinjaOne RMM server and desktop monitoring consulting.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for small and mid-sized organizations to map, track, enhance and debug their connectivity appliances such as routers, firewalls, and load balancers plus servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology maps are always updated, captures and displays the configuration of virtually all devices on your network, tracks performance, and generates notices when problems are discovered. By automating time-consuming network management processes, ProSight WAN Watch can cut hours off common tasks like making network diagrams, reconfiguring your network, locating devices that need critical updates, or isolating performance problems. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding line of real-time management reporting tools designed to work with the industry's top ticketing and remote network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as inconsistent support follow-through or endpoints with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with advanced backup technology companies to create ProSight Data Protection Services (DPS), a selection of subscription-based management offerings that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup processes and enable transparent backup and fast restoration of important files, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets your business avoid data loss caused by hardware failures, natural disasters, fire, malware such as ransomware, human error, malicious employees, or application bugs. Managed services available in the ProSight Data Protection Services portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top information security vendors to provide centralized control and comprehensive security for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local security gateway appliance to offer complete protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's Cloud Protection Layer serves as a first line of defense and blocks most threats from reaching your security perimeter. This reduces your vulnerability to inbound threats and conserves network bandwidth and storage space. Email Guard's onsite gateway device provides a deeper layer of analysis for incoming email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and safeguard internal email that stays inside your corporate firewall. For more details, visit Email Guard spam and content filtering.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA managed services use Cisco's Duo technology to defend against stolen passwords through two-factor authentication (2FA). Duo supports one-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. With 2FA, whenever you sign into a protected application and enter your password, you are asked to confirm your identity through a device that only you possess, over a separate ("out-of-band") channel, so a stolen password alone is not enough to log in. A broad range of devices can serve as this second factor, such as a smartphone or watch, a hardware or software token, or a landline phone, and you may enroll several. For details about ProSight Duo identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Support Center managed services permit your information technology group to outsource Call Center services to Progent or split activity for support services transparently between your in-house network support staff and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Co-managed Service Desk provides a transparent extension of your in-house network support staff. User interaction with the Help Desk, delivery of support services, escalation, trouble ticket creation and tracking, efficiency metrics, and management of the support database are consistent regardless of whether issues are resolved by your internal IT support organization, by Progent's team, or both. Read more about Progent's outsourced/co-managed Help Center services.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that uses behavior-based machine learning to defend endpoint devices, servers and VMs against new malware such as ransomware and fileless exploits, which routinely escape traditional signature-matching AV products. The service safeguards local and cloud resources and offers a unified platform covering the entire attack lifecycle: blocking, detection, mitigation, remediation, and post-attack forensics. Key capabilities include one-click rollback of encrypted files using Windows Volume Shadow Copy Service (VSS) snapshots, which only helps if the agent also blocks the shadow-copy deletion most ransomware attempts before encrypting, and real-time system-wide immunization against newly seen attacks. Find out more about Progent's ransomware protection and recovery services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and protect information about your IT infrastructure, processes, business apps, and services. You can quickly locate passwords or serial numbers and be warned automatically about impending expirations of SSL/TLS certificates or warranties. By updating and organizing your network documentation, you can save up to half the time wasted searching for critical information about your IT network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're making improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require the instant you need it. Read more about ProSight IT Asset Management service.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management offer organizations of all sizes a flexible and affordable solution for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information network. Besides optimizing the protection and functionality of your IT network, Progent's software/firmware update management services permit your in-house IT staff to focus on line-of-business projects and activities that derive the highest business value from your network. Learn more about Progent's patch management services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Since the system is virtualized, it can be moved easily to an alternate hosting environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's behavior-based machine learning technology to guard physical and virtual endpoints against modern malware such as ransomware and fileless exploits, which easily get by legacy signature-based anti-virus tools. ProSight ASM safeguards local and cloud-based resources and provides a unified platform covering the complete attack lifecycle: prevention, intrusion detection, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback of encrypted files using Windows Volume Shadow Copy Service (VSS) snapshots and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.
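Both the Active Defense Against Ransomware and ProSight Active Security Monitoring descriptions above rely on single-click rollback through Windows Volume Shadow Copy Service. That rollback only works if shadow copies still exist, and ransomware such as Ryuk runs a fixed set of commands to delete them, starve their storage, wipe the Windows backup catalog and disable boot recovery before it starts encrypting. Those commands are visible in process-creation telemetry (Sysmon Event ID 1, Windows event 4688) and make a cheap, high-fidelity detection whether or not an EPP agent is present. The Python script below is an added example, not Progent's or SentinelOne's code: it runs the patterns over a handful of constructed log lines in an assumed one-line key=value layout and flags hosts where several distinct techniques fired within the same capture.

```python
"""Detect ransomware backup-tampering commands in process-creation logs.

Added example (not Progent's or SentinelOne's code). The VSS rollback that
endpoint protection products advertise only works if shadow copies still
exist at restore time, and ransomware families such as Ryuk run a fixed
set of commands to destroy them before encrypting. These commands are
loud in Sysmon Event ID 1 / Windows 4688 process-creation telemetry, so
they make a cheap, high-fidelity detection. The log lines below are
constructed; the field layout is an assumed one-line key=value rendering.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# (rule name, pattern applied to the command line). Each one is a known
# pre-encryption step: delete or starve shadow copies, wipe the Windows
# backup catalog, or disable automatic boot recovery.
RULES = [
    ("vss_delete",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vss_resize",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b.*\bmaxsize=", re.I)),
    ("wmic_shadow_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup|backup)\b", re.I)),
    ("bcdedit_norecovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# Assumed export layout: timestamp, host, user, pid, image, quoted cmdline.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+pid=(?P<pid>\d+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"$'
)


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    cmdline: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one process-creation record; return None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines) -> List[Alert]:
    """Return one Alert per record whose command line matches a rule."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["cmdline"]):
                alerts.append(Alert(rec["ts"], rec["host"], rec["user"], name, rec["cmdline"]))
                break  # one alert per record is enough
    return alerts


def high_confidence_hosts(alerts: List[Alert], min_distinct_rules: int = 2) -> List[str]:
    """Hosts where several distinct tampering techniques fired. A lone
    'vssadmin resize' can be an administrator reclaiming disk; three
    different destruction commands within seconds almost never are."""
    seen: Dict[str, set] = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_distinct_rules)


# Constructed sample telemetry: a legitimate backup job, three Ryuk-style
# destruction commands on FS01, an innocuous 'list', a lone resize on
# WS22, and one line that is not a process event at all.
SAMPLE_LOG = r"""
2023-02-11T02:13:40Z host=FS01 user=CORP\svc_backup pid=3980 image=C:\Windows\System32\wbadmin.exe cmdline="wbadmin start backup -backupTarget:E: -include:C: -quiet"
2023-02-11T02:14:07Z host=FS01 user=CORP\jsmith pid=4412 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c vssadmin.exe Delete Shadows /all /quiet"
2023-02-11T02:14:08Z host=FS01 user=CORP\jsmith pid=4420 image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic.exe shadowcopy delete"
2023-02-11T02:14:09Z host=FS01 user=CORP\jsmith pid=4431 image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"
2023-02-11T02:20:55Z host=WS22 user=CORP\helpdesk pid=1188 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"
2023-02-11T02:31:12Z host=WS22 user=CORP\helpdesk pid=1210 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"
agent heartbeat: this line is not a process event and is skipped
"""


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.ts} {a.host} {a.user} [{a.rule}] {a.cmdline}")
    print("hosts needing immediate isolation:", high_confidence_hosts(found))
```

Run it directly to print the alerts; `high_confidence_hosts` returns only FS01, where three different destruction commands ran within two seconds, while the lone `vssadmin resize` on WS22 is reported but left for an analyst, since administrators occasionally run it to reclaim disk. Adapt `LINE_RE` to your SIEM's export format; the rule patterns are the portable part.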

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer affordable multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies packaged within one agent accessible from a unified console. Progent's security and virtualization consultants can help you design and configure a ProSight ESP environment that meets your organization's specific requirements and that helps you achieve and demonstrate compliance with legal and industry information security standards. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate action. Progent's consultants can also assist you to install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

For 24x7 ransomware recovery consultants in San Antonio, contact Progent at 800-462-8800 or go to Contact Progent.