Ransomware: Your Crippling IT Catastrophe
Ransomware Recovery Experts
Crypto-ransomware has become an all-too-frequent cyberplague that represents an extinction-level threat for organizations poorly prepared for an attack. Different versions of crypto-ransomware, including the CrySIS, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms, have been running rampant for years and still inflict havoc. The latest ransomware families such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch and Nephilim, along with additional unnamed malware, not only encrypt online data but also attack any reachable system protection, including backups. Files replicated to the cloud can also be held hostage. In a vulnerable environment, this can render automated restore operations impossible and effectively knocks the datacenter back to zero.

Recovering services and information following a ransomware event becomes a race against time as the targeted organization struggles to stop the spread, clear the ransomware, and resume enterprise-critical activity. Because ransomware needs time to propagate, attacks are frequently launched at night, when intrusions typically take longer to detect. This multiplies the difficulty of quickly marshalling and orchestrating a knowledgeable mitigation team.

Progent has a range of solutions for securing enterprises against ransomware events. These include staff education to help employees recognize and avoid falling victim to phishing attacks, ProSight Active Security Monitoring for remote monitoring and management, and the setup and configuration of next-generation security gateways with machine learning technology from SentinelOne to identify and suppress zero-day threats automatically. Progent also offers the services of veteran crypto-ransomware recovery consultants with the track record and perseverance to reconstruct a breached system as urgently as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware attack, paying the ransom in cryptocurrency does not guarantee that the attackers will provide the keys needed to decrypt any of your information. Kaspersky determined that 17% of ransomware victims never restored their data after having paid the ransom, resulting in additional losses. The gamble is also costly: Ryuk ransoms are often a few hundred thousand dollars, and for larger enterprises the ransom can reach millions. The fallback is to reinstall the key parts of your IT environment. Without access to complete backups, this calls for a broad complement of skills, top-notch team management, and the ability to work continuously until the recovery project is complete.

For twenty years, Progent has provided expert IT services for companies throughout the US and has achieved Microsoft Partner certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who hold advanced certifications in key technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants hold internationally recognized industry certifications including CISM, CISSP-ISSAP, CRISC, SANS GIAC, and CMMC 2.0. (Visit Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of expertise lets Progent quickly understand the systems that matter, salvage the surviving parts of your IT environment following a crypto-ransomware attack, and rebuild them into a functioning system.

Progent's security team deploys best-of-breed project management tools to orchestrate the complicated restoration process. Progent understands the urgency of acting rapidly, working together with a customer's management and IT resources to prioritize tasks and get the most important systems back online as soon as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Attack Recovery
A business contacted Progent after their organization was attacked by Ryuk ransomware. Ryuk is generally considered to have been created by North Korean government-sponsored criminal gangs, possibly using techniques leaked from America's National Security Agency. Ryuk goes after specific organizations with little or no tolerance for disruption and is among the most lucrative incarnations of crypto-ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturing company headquartered in Chicago with around 500 staff members. The Ryuk event had frozen all essential business operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were eventually encrypted. The client considered paying the ransom (more than $200,000) and hoping for the best, but in the end brought in Progent.


"I can't speak enough in regard to the help Progent provided us throughout the most critical period of (our) company's life. We most likely would have paid the hackers except for the confidence the Progent experts afforded us. The fact that you were able to get our messaging and production applications back online in less than a week was something I thought impossible. Every single expert I got help from or e-mailed at Progent was urgently focused on getting us back online and was working 24x7 to bail us out."

Progent worked hand in hand with the client to rapidly identify and prioritize the mission-critical applications that had to be restored in order to continue departmental operations:

  • Windows Active Directory
  • Microsoft Exchange
  • Financials/MRP
To begin, Progent followed anti-virus/malware incident response best practices by containing the spread and disinfecting systems. Progent then started the process of rebuilding Active Directory, the core of enterprise systems built on Microsoft Windows Server technology. Microsoft Exchange email will not work without Windows AD, and the client's accounting and MRP applications relied on SQL Server, which depends on Active Directory services for authenticated access to the databases.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then completed reinstallations and hard drive recovery of essential applications. All Exchange schema and configuration information was usable, which accelerated the restore of Exchange. Progent was able to find intact OST files (Outlook Offline Data Files) on various desktop computers and laptops and used them to recover mail data. A recent offline backup of the business's accounting/ERP software made it possible to bring these vital applications back online for users. Although a lot of work remained to recover fully from the Ryuk damage, the most important services were restored rapidly:


"For the most part, the production manufacturing operation did not miss a beat and we delivered all customer sales."

During the next few weeks, critical milestones in the restoration project were accomplished in close cooperation between Progent team members and the client:

  • Self-hosted web sites were restored without losing any data.
  • The MailStore Microsoft Exchange Server with over four million archived messages was brought on-line and available for users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables (AR)/Inventory modules were 100 percent recovered.
  • A new Palo Alto 850 firewall was set up and configured.
  • 90% of the user workstations were operational.

"A lot of what occurred in the initial days is mostly a fog for me, but our team will not soon forget the commitment all of the team accomplished to help get our company back. I have trusted Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered. This event was a Herculean accomplishment."

Conclusion
A probable company-ending disaster was dodged through the efforts of top-tier professionals, a wide array of technical expertise, and close collaboration. In hindsight, the ransomware incident described here would have been blocked by modern security technology and security best practices, team education, and properly executed procedures for backup and for keeping systems current with security patches. Nevertheless, government-sponsored criminal cyber gangs from Russia, China and elsewhere are tireless and remain an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of experts has a proven track record in ransomware blocking, cleanup, and information systems recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were contributing), I'm grateful for allowing me to get some sleep after we got through the initial fire. All of you made an incredible effort, and if any of you guys are around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Phoenix a portfolio of remote monitoring and security evaluation services to assist you to minimize your vulnerability to crypto-ransomware. These services incorporate modern AI capability to uncover zero-day variants of ransomware that are able to get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's cutting-edge behavior analysis technology to guard physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily get past traditional signature-matching AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to address the entire malware attack lifecycle, including blocking, identification, mitigation, cleanup, and forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical in-depth security for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and respond to security attacks from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge technologies packaged within one agent accessible from a unified console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP environment that meets your company's specific needs and that helps you demonstrate compliance with legal and industry information security regulations. Progent will help you define and configure the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent's consultants can also help you set up and verify a backup and restore system like ProSight Data Protection Services so you can get back in business quickly after a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has partnered with leading backup software providers to produce ProSight Data Protection Services, a portfolio of managed offerings that provide backup-as-a-service (BaaS). ProSight DPS products manage and monitor your data backup operations and allow transparent backup and fast restoration of important files, applications, images, and virtual machines. ProSight DPS lets you protect against data loss caused by hardware breakdown, natural disasters, fire, cyber attacks such as ransomware, human error, ill-intentioned insiders, or application glitches. Managed services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security vendors to deliver centralized control and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway appliance to offer advanced defense against spam, viruses, Denial of Service attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer serves as a first barrier and keeps most threats from ever reaching your network firewall. This decreases your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises gateway device provides a further layer of analysis for inbound email. For outgoing email, the local security gateway provides anti-virus and anti-spam filtering, DLP, and email encryption. The onsite gateway can also work with Microsoft Exchange Server to track and safeguard internal email traffic that originates and ends within your security perimeter. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized businesses to map, monitor, optimize and troubleshoot their networking appliances such as routers, firewalls, and wireless controllers, plus servers, printers, client computers and other networked devices. Using state-of-the-art RMM technology, ProSight WAN Watch keeps infrastructure topology diagrams current, copies and displays the configuration of almost all devices connected to your network, tracks performance, and sends notices when issues are detected. By automating time-consuming management and troubleshooting processes, ProSight WAN Watch can cut hours off routine chores such as network mapping, reconfiguring your network, finding devices that require important software patches, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your network running at peak levels by checking the health of vital computers that power your business network. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT management personnel and your assigned Progent consultant so that any looming issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting model, the client retains ownership of the data, the operating system platforms, and the applications. Because the environment is virtualized, it can be moved easily to an alternate hosting environment without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, find and protect information about your network infrastructure, processes, business applications, and services. You can instantly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can save up to half the time otherwise spent searching for critical information about your network. ProSight IT Asset Management includes a common location for storing and sharing all documents required for managing your network infrastructure, such as standard operating procedures and how-to guides. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Read more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that utilizes next-generation behavior analysis technology to guard endpoint devices as well as physical and virtual servers against modern malware attacks such as ransomware and email phishing, which routinely get past legacy signature-matching AV products. Progent Active Security Monitoring services protect local and cloud resources and offer a unified platform to address the entire threat lifecycle, including blocking, identification, containment, cleanup, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Service Desk: Help Desk Managed Services
    Progent's Call Center services allow your IT team to offload Call Center services to Progent or to split support activity transparently between your in-house support resources and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service provides a smooth supplement to your core support staff. User access to the Service Desk, delivery of support services, escalation, trouble ticket generation and tracking, performance metrics, and maintenance of the service database are consistent regardless of whether incidents are handled by your corporate IT support group, by Progent's team, or both. Read more about Progent's outsourced/co-managed Help Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of any size a flexible and cost-effective alternative for evaluating, validating, scheduling, implementing, and tracking updates to your dynamic IT network. Besides maximizing the security and reliability of your IT environment, Progent's software/firmware update management services permit your IT staff to focus on line-of-business projects and activities that deliver the highest business value from your information network. Read more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans utilize Cisco's Duo technology to protect against stolen passwords by using two-factor authentication (2FA). Duo enables single-tap identity verification with iOS, Android, and other out-of-band devices. With Duo 2FA, when you log into a protected application and enter your password, you are asked to confirm your identity on a device that only you possess and that uses a different ("out-of-band") network channel. A broad selection of out-of-band devices can be used for this second factor, such as a smartphone or watch, a hardware token, or a landline phone. You may register multiple verification devices. For details about ProSight Duo two-factor identity validation services, visit Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing line of real-time reporting plug-ins created to work with the industry's top ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and features color coding to surface and contextualize key issues such as inconsistent support follow-up or machines with out-of-date AV. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.

For Phoenix 24x7x365 Ransomware Removal Services, contact Progent at 800-462-8800 or go to Contact Progent.