Ransomware : Your Worst Information Technology Catastrophe
Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a modern cyber pandemic that presents an enterprise-level danger for businesses poorly prepared for an attack. Different iterations of crypto-ransomware like the CrySIS, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for a long time and still cause havoc. More recent versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, plus more as yet unnamed malware, not only encrypt on-line critical data but also infiltrate all available system protection. Files synched to cloud environments can also be encrypted. In a poorly architected data protection solution, it can make automated restoration hopeless and effectively knocks the entire system back to square one.

Retrieving services and information after a ransomware intrusion becomes a race against the clock as the victim fights to stop lateral movement and clear the ransomware and to restore mission-critical activity. Since crypto-ransomware needs time to spread, assaults are frequently sprung on weekends, when attacks in many cases take longer to notice. This compounds the difficulty of promptly assembling and coordinating an experienced mitigation team.

Progent offers a variety of help services for securing enterprises from ransomware penetrations. These include team education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security gateways with artificial intelligence capabilities from SentinelOne to identify and quarantine day-zero threats intelligently. Progent in addition provides the services of experienced ransomware recovery engineers with the track record and commitment to re-deploy a compromised environment as soon as possible.

Progent's Ransomware Restoration Support Services
Soon after a crypto-ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not guarantee that distant criminals will return the needed keys to decrypt all your files. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never restored their data even after having sent off the ransom, resulting in more losses. The risk is also costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET determined to be approximately $13,000. The fallback is to re-install the mission-critical parts of your IT environment. Absent the availability of full data backups, this requires a broad complement of IT skills, well-coordinated team management, and the willingness to work 24x7 until the task is completed.

For decades, Progent has offered certified expert Information Technology services for businesses in Leeds and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned top certifications in key technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have garnered internationally-recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has experience with financial systems and ERP application software. This breadth of expertise affords Progent the ability to efficiently ascertain critical systems and re-organize the remaining parts of your network system after a ransomware attack and configure them into an operational system.

Progent's recovery team of experts uses top notch project management tools to orchestrate the sophisticated recovery process. Progent understands the importance of working swiftly and together with a customer's management and IT staff to assign priority to tasks and to get the most important systems back online as soon as possible.

Customer Case Study: A Successful Crypto-Ransomware Virus Restoration
A business engaged Progent after their network was crashed by the Ryuk ransomware virus. Ryuk is believed to have been created by Northern Korean state cybercriminals, possibly adopting technology exposed from the U.S. NSA organization. Ryuk targets specific companies with limited tolerance for operational disruption and is among the most profitable incarnations of ransomware viruses. High publicized victims include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company headquartered in Chicago with around 500 staff members. The Ryuk attack had shut down all essential operations and manufacturing processes. Most of the client's data protection had been online at the beginning of the intrusion and were encrypted. The client was actively seeking loans for paying the ransom demand (more than $200,000) and praying for good luck, but ultimately engaged Progent.


"I can't say enough in regards to the help Progent gave us during the most fearful time of (our) businesses life. We would have paid the cyber criminals if it wasn't for the confidence the Progent experts gave us. That you were able to get our e-mail and essential applications back online sooner than five days was beyond my wildest dreams. Each expert I talked with or texted at Progent was totally committed on getting us back online and was working non-stop to bail us out."

Progent worked hand in hand the client to quickly understand and assign priority to the essential elements that had to be recovered to make it possible to restart business operations:

  • Microsoft Active Directory
  • Electronic Mail
  • Accounting and Manufacturing Software
To begin, Progent adhered to ransomware incident mitigation industry best practices by isolating and removing active viruses. Progent then began the work of recovering Windows Active Directory, the key technology of enterprise systems built on Microsoft technology. Exchange messaging will not function without AD, and the businesses' financials and MRP software leveraged Microsoft SQL, which needs Windows AD for authentication to the databases.

In less than 2 days, Progent was able to re-build Active Directory to its pre-attack state. Progent then charged ahead with setup and hard drive recovery of essential applications. All Exchange Server schema and attributes were intact, which greatly helped the restore of Exchange. Progent was also able to find local OST files (Outlook Email Off-Line Folder Files) on team PCs in order to recover mail data. A not too old offline backup of the customer's financials/ERP systems made it possible to restore these required applications back online. Although significant work remained to recover fully from the Ryuk virus, essential systems were restored quickly:


"For the most part, the production operation was never shut down and we made all customer sales."

Over the following few weeks critical milestones in the recovery process were made in close collaboration between Progent engineers and the client:

  • In-house web applications were returned to operation with no loss of data.
  • The MailStore Microsoft Exchange Server with over four million historical messages was restored to operations and available for users.
  • CRM/Product Ordering/Invoicing/AP/Accounts Receivables/Inventory capabilities were 100 percent operational.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Ninety percent of the user PCs were back into operation.

"Much of what occurred in the early hours is nearly entirely a blur for me, but my management will not forget the dedication all of you accomplished to help get our company back. I've entrusted Progent for at least 10 years, maybe more, and each time Progent has come through and delivered. This time was no exception but maybe more Herculean."

Conclusion
A possible enterprise-killing disaster was evaded by results-oriented professionals, a wide range of technical expertise, and tight teamwork. Although in post mortem the crypto-ransomware virus attack detailed here would have been identified and prevented with current security solutions and recognized best practices, team training, and properly executed incident response procedures for data backup and keeping systems up to date with security patches, the reality is that government-sponsored hackers from Russia, China and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware virus, feel confident that Progent's roster of experts has proven experience in ransomware virus defense, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), thanks very much for allowing me to get rested after we got past the initial fire. All of you did an amazing effort, and if any of your team is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Leeds a range of online monitoring and security assessment services to assist you to reduce your vulnerability to ransomware. These services utilize modern machine learning technology to detect zero-day strains of ransomware that are able to get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's cutting edge behavior machine learning tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily escape traditional signature-matching anti-virus products. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform to automate the complete malware attack lifecycle including protection, infiltration detection, containment, remediation, and post-attack forensics. Key features include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) managed services deliver ultra-affordable in-depth security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and responding to cyber assaults from all vectors. ProSight ESP provides firewall protection, intrusion alarms, endpoint management, and web filtering via leading-edge technologies packaged within a single agent accessible from a unified console. Progent's security and virtualization experts can help your business to plan and configure a ProSight ESP environment that meets your organization's specific needs and that allows you achieve and demonstrate compliance with government and industry information protection standards. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that require immediate attention. Progent can also assist you to install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with advanced backup/restore software companies to create ProSight Data Protection Services (DPS), a selection of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products automate and track your backup operations and allow non-disruptive backup and fast restoration of vital files, applications, images, plus VMs. ProSight DPS helps you protect against data loss resulting from hardware breakdown, natural calamities, fire, cyber attacks like ransomware, user error, malicious employees, or application glitches. Managed backup services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security vendors to deliver web-based control and comprehensive protection for all your email traffic. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway device to offer advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of unwanted email from reaching your network firewall. This reduces your vulnerability to external attacks and saves network bandwidth and storage space. Email Guard's on-premises gateway device provides a deeper level of analysis for inbound email. For outbound email, the local security gateway offers AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also assist Microsoft Exchange Server to track and protect internal email that originates and ends within your corporate firewall. For more information, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for smaller organizations to map out, monitor, optimize and troubleshoot their networking appliances like routers and switches, firewalls, and access points plus servers, printers, client computers and other networked devices. Incorporating cutting-edge RMM technology, WAN Watch makes sure that infrastructure topology maps are always updated, copies and manages the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when issues are detected. By automating tedious management activities, WAN Watch can knock hours off common chores like making network diagrams, expanding your network, locating appliances that need critical updates, or isolating performance problems. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to keep your IT system operating efficiently by checking the health of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT management personnel and your Progent consultant so that all potential problems can be resolved before they can impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure fault tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Because the system is virtualized, it can be ported immediately to a different hosting environment without requiring a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard information about your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates or domains. By cleaning up and managing your IT infrastructure documentation, you can save as much as 50% of time wasted trying to find vital information about your network. ProSight IT Asset Management features a common location for holding and collaborating on all documents required for managing your network infrastructure like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT information. Whether you're planning improvements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based machine learning technology to guard endpoints and servers and VMs against modern malware assaults like ransomware and email phishing, which easily escape legacy signature-matching AV products. Progent ASM services protect on-premises and cloud-based resources and offers a unified platform to manage the complete threat progression including protection, detection, containment, cleanup, and post-attack forensics. Key features include single-click rollback with Windows VSS and automatic network-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Center: Help Desk Managed Services
    Progent's Call Desk managed services allow your information technology team to outsource Support Desk services to Progent or split activity for support services seamlessly between your internal network support staff and Progent's nationwide pool of IT service engineers and subject matter experts. Progent's Shared Help Desk Service offers a transparent extension of your in-house IT support group. End user access to the Service Desk, delivery of support, issue escalation, ticket creation and updates, performance measurement, and maintenance of the service database are cohesive regardless of whether incidents are resolved by your core support group, by Progent, or both. Learn more about Progent's outsourced/co-managed Call Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer organizations of all sizes a flexible and cost-effective alternative for evaluating, validating, scheduling, applying, and documenting updates to your dynamic IT system. Besides maximizing the protection and functionality of your IT network, Progent's patch management services allow your in-house IT team to concentrate on more strategic initiatives and tasks that deliver the highest business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo authentication managed services incorporate Cisco's Duo technology to defend against compromised passwords through the use of two-factor authentication (2FA). Duo supports one-tap identity verification with iOS, Android, and other personal devices. Using 2FA, whenever you sign into a protected online account and enter your password you are asked to verify your identity via a device that only you possess and that uses a different network channel. A broad range of out-of-band devices can be used for this second means of authentication including a smartphone or wearable, a hardware/software token, a landline telephone, etc. You can register several verification devices. To learn more about ProSight Duo identity authentication services, see Duo MFA two-factor authentication (2FA) services for access security.
For 24/7/365 Leeds Crypto-Ransomware Repair Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.