Ransomware : Your Feared Information Technology Catastrophe
Crypto-Ransomware Remediation Consultants
Ransomware has become an all-too-frequent plague that poses an enterprise-level danger to businesses of any size that are poorly prepared for an attack. Older families such as Reveton, Fusob, Locky, NotPetya and MongoLock have been around for years and still cause damage. Current strains such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, LockBit and Nefilim, along with many less-publicized variants, not only encrypt critical online data but also encrypt or delete every backup they can reach. Data synchronized to the cloud can be overwritten with encrypted copies as well. If the backup system is reachable from the compromised network, automated restore operations become impossible and the organization is effectively back to square one.
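Before trusting a backup that was reachable during an intrusion, a responder wants a quick way to tell intact backup images from ones the encryptor has already touched. The following Python triage check is an added example, not code from this page or from Progent: it combines a container-header check with a byte-entropy measurement, because an encrypted file loses its documented header and its contents look random. The list of ransom-style extensions, the 7.5 bits-per-byte threshold and the sample files are assumptions constructed for the demonstration (.RYK is the suffix Ryuk is documented to append).

```python
"""Triage backup artifacts for signs of ransomware encryption (added example)."""
import hashlib
import math
from collections import Counter

# Documented header bytes of common backup container formats, checked at offset 0.
KNOWN_MAGIC = {
    b"vhdxfile": "Hyper-V VHDX image",
    b"conectix": "VHD image",
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b": "gzip stream",
    b"7z\xbc\xaf\x27\x1c": "7-Zip archive",
    b"TAPE": "Microsoft Tape Format (SQL Server .bak)",
}
# Assumed list of extensions appended by encryptors; extend it with what your incident shows.
RANSOM_SUFFIXES = (".ryk", ".locky", ".lockbit")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: near 0 for zero-filled images, near 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_format(data: bytes):
    """Return the container name whose header matches, or None if no known header is present."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def triage_backup(name: str, head: bytes, entropy_threshold: float = 7.5) -> dict:
    """Classify one backup file from its name and the first few KiB of its content.

    Either signal alone is weak: compressed archives are high entropy by design, and
    password-protected archives are headerless and random too. The result therefore
    marks candidates for manual verification rather than proving compromise.
    """
    result = {
        "name": name,
        "format": identify_format(head),
        "entropy": round(shannon_entropy(head), 2),
        "suspicious": False,
        "reasons": [],
    }
    if name.lower().endswith(RANSOM_SUFFIXES):
        result["reasons"].append("ransom-style extension appended to file name")
    if result["format"] is None and result["entropy"] >= entropy_threshold:
        result["reasons"].append("no recognised container header and near-random content")
    result["suspicious"] = bool(result["reasons"])
    return result


def _pseudo_random(n_blocks: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed sample data)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n_blocks))


# Constructed samples: an intact, mostly zero-filled VHDX head; the same image after
# encryption with Ryuk's suffix; and a legitimate ZIP whose body is high entropy by design.
SAMPLE_INTACT = b"vhdxfile" + bytes(4088)
SAMPLE_ENCRYPTED = _pseudo_random(128)
SAMPLE_ARCHIVE = b"PK\x03\x04" + _pseudo_random(127)

if __name__ == "__main__":
    for fname, blob in [("fin-db.vhdx", SAMPLE_INTACT),
                        ("fin-db.vhdx.RYK", SAMPLE_ENCRYPTED),
                        ("fin-db.zip", SAMPLE_ARCHIVE)]:
        print(triage_backup(fname, blob))
```

The ZIP sample is the important caveat: its entropy is as high as the encrypted image, but its header is intact, so it is not flagged. Run the check over only the first few kilobytes of each file so a whole backup repository can be swept quickly; anything flagged should be verified by mounting or listing the archive, and restores should come from copies that were offline or immutable during the intrusion.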

Recovering programs and data after a crypto-ransomware outage becomes a race against the clock as the targeted business struggles to stop the spread, clean up the malware and restore business-critical operations. Because the operators need time to move laterally and stage the encryption, intrusions are often launched on weekends and holidays, when successful attacks typically take longer to discover. This compounds the difficulty of promptly assembling and organizing a capable response team.
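The weekend timing described above is itself a detection signal. The following Python detector is an added example, not code from this page or from Progent: it reads file-server audit events, flags an account that renames or writes an unusual number of files to a single new extension within a short window (the footprint of mass encryption), and raises the priority of any burst that falls outside business hours. The tab-separated log format, the business-hours definition, the thresholds and the sample events are all constructed for the demonstration; the .RYK suffix is the one Ryuk is documented to append.

```python
"""Mass-encryption burst detector over constructed file-server audit events (added example)."""
from collections import Counter, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

BUSINESS_START, BUSINESS_END = 7, 19      # assumption: 07:00-18:59 local time, Monday-Friday
WRITE_ACTIONS = {"WRITE", "RENAME", "CREATE"}


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def parse_event(line: str) -> dict:
    """Parse one constructed audit record: timestamp, host, account, action, path (tab-separated)."""
    ts, host, user, action, path = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "action": action, "ext": PureWindowsPath(path).suffix.lower()}


def detect_bursts(lines, window=timedelta(seconds=60), min_events=20, dominance=0.9):
    """Return one alert per (host, account) whose write/rename events within `window`
    reach `min_events` and share a single file extension for at least `dominance` of them."""
    recent = {}          # (host, user) -> deque of (timestamp, extension) inside the window
    alerted = set()
    alerts = []
    for ev in map(parse_event, lines):
        if ev["action"] not in WRITE_ACTIONS:
            continue
        key = (ev["host"], ev["user"])
        q = recent.setdefault(key, deque())
        q.append((ev["ts"], ev["ext"]))
        while ev["ts"] - q[0][0] > window:          # drop events that fell out of the window
            q.popleft()
        if len(q) < min_events or key in alerted:
            continue
        ext, count = Counter(e for _, e in q).most_common(1)[0]
        if count / len(q) >= dominance:
            alerted.add(key)
            alerts.append({"host": key[0], "user": key[1], "extension": ext,
                           "events": len(q), "first": q[0][0].isoformat(),
                           "last": ev["ts"].isoformat(),
                           "off_hours": is_off_hours(q[0][0])})
    return alerts


# Constructed sample: routine weekday edits by one user, then a Saturday 02:10 burst in
# which another account renames 25 spreadsheets to .RYK and drops a ransom note.
_T0 = datetime(2020, 6, 27, 2, 10, 0)              # 2020-06-27 is a Saturday
SAMPLE_EVENTS = [
    "2020-06-26T14:05:10\tFS01\tCORP\\asmith\tWRITE\t\\\\FS01\\sales\\forecast.docx",
    "2020-06-26T14:07:42\tFS01\tCORP\\asmith\tREAD\t\\\\FS01\\sales\\pricing.xlsx",
] + [
    f"{(_T0 + timedelta(seconds=3 * i)).isoformat()}\tFS01\tCORP\\jdoe\tRENAME"
    f"\t\\\\FS01\\finance\\q2-{i:03d}.xlsx.RYK"
    for i in range(25)
] + [
    f"{(_T0 + timedelta(seconds=75)).isoformat()}\tFS01\tCORP\\jdoe\tCREATE\t\\\\FS01\\finance\\RyukReadMe.txt",
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

The detector fires on the twentieth rename, while encryption is still in progress, which is the window in which isolating the host and disabling the account limits the damage. Tune `min_events` and `window` to the share's normal write rate, and feed it the audit source you actually have (Windows file-system auditing, a file-server agent, or an EDR telemetry export) after adjusting `parse_event`.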

Progent offers a range of services for protecting enterprises from ransomware. These include user education to help staff recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of current-generation endpoint protection from SentinelOne that uses behavioral AI to detect and quarantine zero-day attacks quickly. Progent also provides veteran ransomware recovery consultants with the skills and perseverance to restore a breached network as rapidly as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a ransomware attack, paying the Bitcoin ransom demanded provides no assurance that the criminals will hand over working decryption keys for any of your data. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their information even after paying, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet estimated at around $13,000. The alternative is to rebuild the essential elements of your IT environment. Without usable backups, this calls for a broad range of IT skills, professional project management, and the willingness to work around the clock until the job is done.

For decades, Progent has provided expert IT services for businesses in Phoenix and throughout the US and holds Microsoft Partner status with the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals with high-level certifications in key technologies from Microsoft, Cisco, VMware, and the major Linux distributions. Progent's security engineers hold internationally recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with financial management and ERP software. This breadth of experience allows Progent to rapidly identify the critical systems, salvage the usable remaining components of your network after a crypto-ransomware event, and rebuild them into a functioning environment.

Progent's recovery team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the importance of working swiftly and in concert with a client's management and IT staff to prioritize tasks and to get essential services back online as soon as humanly possible.

Client Story: A Successful Crypto-Ransomware Intrusion Recovery
A customer hired Progent after their network was attacked by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because its code is derived from the Hermes ransomware associated with the Lazarus Group, and it was suspected of adopting techniques from leaked NSA tooling; later analysis attributed Ryuk operations to a Russian-speaking criminal group. Ryuk targets specific organizations with little ability to tolerate disruption and is among the most lucrative crypto-ransomware strains. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in the Chicago metro area with about 500 employees. The Ryuk intrusion had paralyzed all essential operations and manufacturing capabilities. Most of the client's backups had been directly accessible from the network when the intrusion began and were eventually encrypted. The client was considering paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but in the end reached out to Progent.


"I cannot speak enough in regards to the support Progent gave us throughout the most fearful time of (our) business's existence. We would have paid the cybercriminals if it wasn't for the confidence the Progent group gave us. The fact that you could get our e-mail and key applications back into operation in less than 1 week was beyond my wildest dreams. Every single expert I interacted with or communicated with at Progent was hell bent on getting us restored and was working non-stop to bail us out."

Progent worked together with the customer to quickly assess and prioritize the critical services that had to be recovered to make it possible to continue business operations:

  • Microsoft Active Directory
  • E-Mail
  • Accounting/MRP
To begin, Progent followed ransomware incident response best practices by halting lateral movement and cleaning up infected systems. Progent then began rebuilding Active Directory, the foundation of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server will not function without Active Directory, and the customer's financial and MRP software ran on Microsoft SQL Server, which in this environment relied on Active Directory (Windows integrated) authentication for access to the data.

Within 48 hours, Progent had restored Active Directory services to their pre-attack state. Progent then rebuilt key systems and recovered their storage. The Exchange Server objects and attributes in Active Directory were intact, which greatly simplified the Exchange restore. Progent located unencrypted OST files (Outlook Offline Data Files) on user workstations and used them to recover mailbox contents. A reasonably recent offline backup of the financial/MRP software made it possible to bring these essential applications back online for users. Although significant work remained to recover fully from the Ryuk attack, the most important systems were restored rapidly:


"For the most part, the production manufacturing operation did not miss a beat and we produced all customer deliverables."

Over the following weeks, further milestones in the restoration were reached in close collaboration between Progent's team and the client:

  • Self-hosted web applications were brought back up without losing any data.
  • The MailStore email archive server, holding more than 4 million historical messages, was brought back online and made available to users.
  • CRM, orders, invoicing, AP/AR and inventory functions were fully operational.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • 90% of the user desktops and notebooks were fully operational.

"A huge amount of what was accomplished during the initial response is nearly entirely a blur for me, but my management will not soon forget the countless hours each and every one of you accomplished to help get our business back. I have entrusted Progent for the past 10 years, maybe more, and every time I needed help Progent has shined and delivered. This event was no exception but maybe more Herculean."

Conclusion
A potentially business-ending disaster was avoided through the efforts of results-oriented professionals, a broad range of IT skills, and close collaboration. Post-incident analysis showed that the attack described here could have been prevented with current security tooling, ISO/IEC 27001 best practices, user training, and properly executed procedures for data backup and software patching. Even so, state-sponsored and criminal cyber gangs operating from China, North Korea, Russia and elsewhere are tireless and are not going away. If you do fall victim to a ransomware intrusion, remember that Progent's professionals have a proven track record in ransomware defense, mitigation, and data recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I'm grateful for allowing me to get some sleep after we made it through the initial push. All of you did an impressive effort, and if anyone is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Phoenix a variety of online monitoring and security assessment services designed to help you to minimize your vulnerability to crypto-ransomware. These services include modern machine learning capability to uncover new variants of ransomware that are able to get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that incorporates SentinelOne's behavior-based machine learning engine to guard physical and virtual endpoints against modern malware attacks such as ransomware and phishing payloads, which routinely bypass legacy signature-matching AV products. ProSight ASM protects on-premises and cloud-based resources and offers a unified platform to automate the entire threat lifecycle: prevention, detection, containment, remediation, and forensics. Key capabilities include one-click rollback of encrypted files from Windows Volume Shadow Copy Service (VSS) snapshots and automatic network-wide immunization against newly identified threats. Because many ransomware families delete shadow copies before encrypting, rollback depends on the agent protecting those snapshots; it complements offline and immutable backups rather than replacing them. Progent is a SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer security for physical and virtual servers, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and machine learning to continuously monitor and respond to attacks from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device control, and web filtering through tools packaged in a single agent managed from a unified console. Progent's data protection and virtualization consultants can help you plan and implement a ProSight ESP deployment that addresses your organization's specific needs and that helps you demonstrate compliance with government and industry data protection regulations. Progent will help you define and implement the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that require urgent action. Progent can also help you install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can resume operations rapidly after a potentially disastrous attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore software vendors to create ProSight Data Protection Services, a family of offerings that deliver backup as a service. ProSight DPS services manage and monitor your backup operations and allow transparent backup and rapid restoration of vital files, applications, system images, and VMs. ProSight DPS helps your business recover from data loss caused by equipment failure, natural disasters, fire, malware such as ransomware, human error, malicious insiders, or application bugs. Managed services in the ProSight Data Protection Services family include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security vendors to provide centralized control and comprehensive protection for all your inbound and outbound email. Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to defend against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-borne threats. Email Guard's cloud filter acts as the first line of defense and keeps most unwanted email from reaching your security perimeter, which reduces your exposure to inbound threats and conserves bandwidth and storage. Email Guard's on-premises gateway adds a deeper level of analysis for inbound email. For outgoing email, the local gateway offers anti-virus and anti-spam protection, data leakage protection, and email encryption. The on-premises gateway can also help Exchange Server track and protect internal email traffic that never leaves your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller businesses to diagram, monitor, optimize and debug their networking appliances like routers and switches, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that network maps are always updated, captures and displays the configuration of almost all devices connected to your network, monitors performance, and sends alerts when problems are detected. By automating complex management processes, WAN Watch can knock hours off common chores like network mapping, expanding your network, finding appliances that need critical software patches, or isolating performance problems. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your IT environment running at peak levels by checking the health of the vital assets that drive your business network. When ProSight LAN Watch detects an issue, an alert is sent automatically to your designated IT management personnel and your assigned Progent engineering consultant so that potential problems can be resolved before they affect your network. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual host configured and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Because the environment is virtualized, it can be moved immediately to different hardware without a lengthy and difficult reconfiguration. With ProSight Virtual Hosting, you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and safeguard information about your IT infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be alerted about upcoming expirations of SSL/TLS certificates or warranties. By keeping your network documentation current, you can eliminate as much as 50% of the time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your network infrastructure, such as recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and associating IT information. Whether you're planning improvements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need the instant you need it. Read more about the ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that uses behavior-analysis tools to guard endpoint devices, servers and VMs against new malware attacks such as ransomware and phishing payloads, which routinely evade legacy signature-based AV tools. The service protects on-premises and cloud resources and provides a single platform to automate the entire threat lifecycle: prevention, detection, containment, remediation, and forensics. Key capabilities include single-click rollback of encrypted files from Windows Volume Shadow Copy Service snapshots and automatic system-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Center: Support Desk Managed Services
    Progent's Help Center managed services allow your information technology team to offload Call Center services to Progent or split activity for support services seamlessly between your in-house support group and Progent's extensive roster of IT support engineers and subject matter experts. Progent's Shared Help Desk Service offers a seamless supplement to your internal network support resources. Client access to the Service Desk, delivery of support, escalation, trouble ticket generation and updates, performance measurement, and management of the service database are cohesive regardless of whether incidents are taken care of by your core IT support group, by Progent's team, or by a combination. Learn more about Progent's outsourced/co-managed Help Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management offer businesses of any size a flexible and affordable alternative for assessing, testing, scheduling, implementing, and tracking updates to your ever-evolving information network. Besides optimizing the protection and functionality of your IT network, Progent's software/firmware update management services allow your IT staff to concentrate on more strategic projects and tasks that deliver maximum business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services incorporate Cisco's Duo cloud technology to defend against password theft by requiring two-factor authentication. Duo enables one-tap identity confirmation with Apple iOS, Google Android, and other personal devices. With 2FA, when you sign in to a protected application and enter your password, you are asked to confirm your identity on a device that only you possess and that is reached over a separate channel. A broad selection of out-of-band devices can be used for this additional form of verification, including an iPhone, Android phone or wearable, a hardware token, or a landline phone, and you can register multiple verification devices. To find out more about Duo identity validation services, visit Duo MFA two-factor authentication (2FA) services.
For 24-7 Phoenix Crypto-Ransomware Removal Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.