Ransomware : Your Worst IT Catastrophe
Crypto-Ransomware  Remediation ConsultantsCrypto-Ransomware has become an escalating cyber pandemic that represents an existential threat for businesses poorly prepared for an assault. Different iterations of ransomware such as CryptoLocker, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for many years and still inflict havoc. Recent variants of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Nephilim, along with more unnamed newcomers, not only do encryption of on-line files but also infiltrate any available system backups. Files synchronized to off-site disaster recovery sites can also be rendered useless. In a poorly designed system, it can render any restoration hopeless and effectively knocks the datacenter back to square one.

Retrieving applications and information after a ransomware outage becomes a race against the clock as the targeted business tries its best to contain the damage and clear the ransomware and to restore business-critical operations. Due to the fact that crypto-ransomware requires time to replicate, penetrations are usually launched during nights and weekends, when attacks in many cases take longer to discover. This multiplies the difficulty of promptly assembling and organizing an experienced mitigation team.

Progent offers an assortment of solutions for securing businesses from ransomware attacks. These include team education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security solutions with AI capabilities from SentinelOne to discover and quarantine day-zero cyber attacks rapidly. Progent also provides the assistance of seasoned ransomware recovery engineers with the skills and perseverance to rebuild a compromised network as soon as possible.

Progent's Crypto-Ransomware Recovery Support Services
Subsequent to a crypto-ransomware event, sending the ransom in cryptocurrency does not provide any assurance that cyber criminals will provide the keys to unencrypt any of your files. Kaspersky estimated that 17% of ransomware victims never recovered their files after having sent off the ransom, resulting in increased losses. The risk is also very costly. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the typical ransomware demands, which ZDNET determined to be around $13,000. The other path is to setup from scratch the critical elements of your Information Technology environment. Without the availability of essential information backups, this calls for a wide range of IT skills, professional project management, and the capability to work non-stop until the task is over.

For twenty years, Progent has offered certified expert Information Technology services for companies in Leeds and throughout the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes consultants who have been awarded top certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have garnered internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience with accounting and ERP application software. This breadth of experience affords Progent the ability to knowledgably ascertain necessary systems and organize the remaining parts of your Information Technology environment after a crypto-ransomware penetration and configure them into a functioning network.

Progent's security team utilizes best of breed project management systems to orchestrate the complicated restoration process. Progent knows the urgency of working quickly and in unison with a client's management and Information Technology staff to prioritize tasks and to put the most important systems back on-line as soon as humanly possible.

Case Study: A Successful Ransomware Incident Recovery
A client engaged Progent after their organization was penetrated by the Ryuk ransomware virus. Ryuk is believed to have been developed by Northern Korean government sponsored criminal gangs, suspected of adopting algorithms exposed from America�s National Security Agency. Ryuk seeks specific businesses with little room for disruption and is among the most profitable versions of ransomware malware. Major organizations include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in Chicago with around 500 staff members. The Ryuk event had paralyzed all company operations and manufacturing processes. Most of the client's data protection had been online at the start of the intrusion and were encrypted. The client was actively seeking loans for paying the ransom demand (more than two hundred thousand dollars) and wishfully thinking for the best, but ultimately called Progent.

"I can�t say enough in regards to the expertise Progent provided us throughout the most stressful period of (our) businesses survival. We had little choice but to pay the hackers behind this attack if not for the confidence the Progent experts afforded us. The fact that you were able to get our messaging and production applications back in less than seven days was something I thought impossible. Each staff member I worked with or messaged at Progent was absolutely committed on getting our company operational and was working day and night to bail us out."

Progent worked together with the customer to rapidly understand and assign priority to the mission critical applications that had to be addressed to make it possible to restart business operations:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting/MRP
To get going, Progent adhered to AV/Malware Processes incident mitigation industry best practices by halting the spread and performing virus removal steps. Progent then initiated the steps of recovering Microsoft AD, the core of enterprise systems built on Microsoft technology. Microsoft Exchange Server email will not work without AD, and the businesses� MRP system leveraged Microsoft SQL Server, which requires Active Directory services for access to the database.

In less than two days, Progent was able to restore Active Directory services to its pre-intrusion state. Progent then charged ahead with rebuilding and storage recovery on key applications. All Exchange Server ties and configuration information were usable, which greatly helped the rebuild of Exchange. Progent was able to find local OST files (Microsoft Outlook Off-Line Data Files) on staff workstations and laptops to recover mail data. A not too old offline backup of the customer�s financials/MRP software made them able to restore these required services back available to users. Although a large amount of work was left to recover totally from the Ryuk virus, the most important systems were recovered rapidly:

"For the most part, the manufacturing operation never missed a beat and we did not miss any customer orders."

During the next couple of weeks key milestones in the restoration project were completed in close cooperation between Progent consultants and the client:

  • Self-hosted web sites were returned to operation without losing any information.
  • The MailStore Exchange Server exceeding 4 million archived messages was brought on-line and accessible to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/AR/Inventory capabilities were fully functional.
  • A new Palo Alto Networks 850 firewall was brought on-line.
  • 90% of the user desktops were fully operational.

"A huge amount of what went on in the initial days is nearly entirely a haze for me, but my team will not soon forget the urgency each and every one of your team accomplished to help get our company back. I have been working with Progent for the past ten years, maybe more, and each time I needed help Progent has impressed me and delivered. This event was no exception but maybe more Herculean."

A potential business extinction catastrophe was evaded by dedicated experts, a broad spectrum of knowledge, and close collaboration. Although upon completion of forensics the crypto-ransomware penetration described here should have been shut down with modern cyber security solutions and ISO/IEC 27001 best practices, staff training, and well thought out incident response procedures for information backup and applying software patches, the reality is that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware attack, feel confident that Progent's roster of experts has proven experience in crypto-ransomware virus defense, removal, and file recovery.

"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I�m grateful for allowing me to get rested after we got over the initial fire. All of you did an amazing job, and if any of your guys is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Leeds a range of remote monitoring and security evaluation services to help you to reduce the threat from ransomware. These services incorporate modern AI capability to uncover new variants of ransomware that are able to escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that utilizes SentinelOne's cutting edge behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware assaults such as ransomware and file-less exploits, which easily escape traditional signature-based anti-virus products. ProSight ASM safeguards local and cloud-based resources and provides a unified platform to automate the complete malware attack lifecycle including blocking, identification, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against newly discovered threats. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer economical in-depth security for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and reacting to security assaults from all attack vectors. ProSight ESP delivers two-way firewall protection, penetration alerts, device management, and web filtering through leading-edge technologies incorporated within a single agent accessible from a single control. Progent's security and virtualization consultants can help your business to plan and implement a ProSight ESP environment that meets your company's specific requirements and that allows you prove compliance with government and industry information security regulations. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate action. Progent can also assist your company to install and test a backup and disaster recovery system such as ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has worked with advanced backup/restore software companies to produce ProSight Data Protection Services (DPS), a portfolio of subscription-based offerings that provide backup-as-a-service. ProSight DPS services manage and monitor your data backup processes and allow non-disruptive backup and rapid restoration of critical files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss resulting from hardware breakdown, natural calamities, fire, malware such as ransomware, human mistakes, ill-intentioned employees, or application glitches. Managed services in the ProSight Data Protection Services portfolio include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security companies to provide centralized control and world-class protection for all your email traffic. The hybrid structure of Email Guard integrates a Cloud Protection Layer with an on-premises gateway device to provide advanced protection against spam, viruses, Dos Attacks, DHAs, and other email-based malware. The cloud filter acts as a preliminary barricade and blocks most unwanted email from making it to your network firewall. This reduces your vulnerability to external threats and conserves system bandwidth and storage. Email Guard's on-premises gateway device provides a deeper level of inspection for incoming email. For outgoing email, the local gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to track and protect internal email traffic that stays within your security perimeter. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progents ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to diagram, track, reconfigure and debug their connectivity appliances such as routers and switches, firewalls, and wireless controllers as well as servers, client computers and other devices. Using state-of-the-art RMM technology, WAN Watch ensures that network diagrams are always updated, captures and manages the configuration information of virtually all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating time-consuming management processes, ProSight WAN Watch can cut hours off ordinary tasks such as network mapping, reconfiguring your network, locating appliances that require important software patches, or isolating performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progents server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to help keep your IT system running efficiently by checking the state of vital computers that drive your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT personnel and your Progent engineering consultant so all potential problems can be resolved before they have a chance to impact your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the apps. Because the system is virtualized, it can be ported easily to a different hosting environment without a lengthy and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and safeguard data related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By cleaning up and organizing your network documentation, you can save as much as half of time spent trying to find vital information about your network. ProSight IT Asset Management includes a common repository for holding and collaborating on all documents related to managing your business network such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and associating IT data. Whether youre making enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management delivers the data you need as soon as you need it. Find out more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes cutting edge behavior-based analysis tools to defend endpoints and physical and virtual servers against modern malware attacks such as ransomware and email phishing, which routinely get by legacy signature-matching anti-virus tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provides a unified platform to address the entire threat progression including protection, infiltration detection, containment, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Learn more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Service Center: Support Desk Managed Services
    Progent's Call Desk services enable your IT staff to offload Support Desk services to Progent or divide activity for Service Desk support seamlessly between your internal support team and Progent's nationwide roster of IT service engineers and subject matter experts. Progent's Shared Service Desk offers a transparent supplement to your core support team. User interaction with the Help Desk, provision of support, issue escalation, ticket generation and tracking, efficiency measurement, and management of the support database are consistent regardless of whether incidents are taken care of by your corporate network support organization, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Call Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for patch management provide organizations of all sizes a flexible and cost-effective alternative for assessing, testing, scheduling, applying, and tracking updates to your dynamic IT system. In addition to maximizing the security and reliability of your computer environment, Progent's patch management services permit your in-house IT staff to concentrate on line-of-business projects and activities that derive the highest business value from your information network. Read more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication service plans incorporate Cisco's Duo technology to defend against password theft through the use of two-factor authentication. Duo supports one-tap identity verification with Apple iOS, Google Android, and other out-of-band devices. Using Duo 2FA, whenever you log into a protected online account and give your password you are requested to confirm who you are via a device that only you have and that is accessed using a separate network channel. A wide selection of devices can be utilized for this second form of ID validation such as an iPhone or Android or wearable, a hardware/software token, a landline telephone, etc. You may register several validation devices. For more information about Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication services for access security.
For 24/7 Leeds Ransomware Repair Support Services, call Progent at 800-462-8800 or go to Contact Progent.