Ransomware: Your Worst IT Disaster
Ransomware Recovery Consultants
Ransomware has become a modern cyberplague that poses an existential danger for organizations unprepared for an attack. Different iterations of ransomware such as the CryptoLocker, Fusob, Locky, SamSam and MongoLock cryptoworms have been replicating for years and still cause harm. The latest versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with frequent unnamed newcomers, not only encrypt online files but also infiltrate any accessible system backups. Information synced to the cloud can also be ransomed. In a poorly designed system, this can make automatic restoration impossible and essentially knocks the datacenter back to zero.

Recovering programs and data following a ransomware event becomes a race against time as the targeted business tries to contain and eradicate the crypto-ransomware and to restore business-critical activity. Because crypto-ransomware takes time to spread, attacks are usually launched at night, when a successful intrusion may take longer to recognize. This compounds the difficulty of quickly marshalling and organizing a knowledgeable mitigation team.

Progent offers an assortment of services for protecting enterprises from ransomware events. These include team member education to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security solutions with artificial intelligence capabilities from SentinelOne to detect and suppress zero-day cyber threats intelligently. Progent also provides the assistance of expert ransomware recovery professionals with the skill and commitment to re-deploy a compromised network as soon as possible.

Progent's Ransomware Recovery Support Services
After a crypto-ransomware attack, paying the ransom in Bitcoin does not guarantee that the cyber criminals will return the keys needed to decrypt your information. Kaspersky estimated that seventeen percent of ransomware victims never recovered their information even after paying the ransom, resulting in further losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNet estimates at approximately $13,000. The alternative is to re-install the mission-critical parts of your IT environment. Without access to complete system backups, this calls for a wide complement of skill sets, professional team management, and the ability to work 24x7 until the task is completed.

For decades, Progent has offered professional information technology services for companies in Phoenix and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants who hold top industry certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally recognized industry certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications.) Progent also has experience in financial systems and ERP application software. This breadth of experience gives Progent the ability to rapidly identify critical systems after a ransomware attack, consolidate the remaining parts of your network environment, and configure them into a functioning system.

Progent's security team uses powerful project management systems to orchestrate the complicated recovery process. Progent appreciates the importance of acting quickly and in concert with a client's management and IT staff to prioritize tasks and to get key services back online as soon as possible.

Client Case Study: A Successful Ransomware Attack Restoration
A business engaged Progent after its organization was penetrated by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean government-sponsored hackers, suspected of using techniques leaked from the U.S. NSA. Ryuk targets specific businesses with little or no tolerance for disruption and is one of the most profitable versions of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company based in the Chicago metro area with about 500 workers. The Ryuk attack had frozen all company operations and manufacturing processes. Most of the client's backups had been online at the time of the attack and were damaged. The client was pursuing financing to pay the ransom (exceeding $200K) and hoping for the best, but in the end decided to engage Progent.

"I can't tell you enough about the care Progent provided us during the most stressful time of (our) company's survival. We may have had to pay the cybercriminals if it wasn't for the confidence the Progent team provided us. The fact that you could get our e-mail system and important servers back sooner than five days was earth shattering. Every single staff member I talked with or e-mailed at Progent was amazingly focused on getting us back online and was working 24/7 to bail us out."

Progent worked hand in hand with the client to rapidly identify and prioritize the critical applications that had to be restored in order to resume business operations:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • Financials/MRP

To start, Progent followed industry best practices for ransomware mitigation by isolating and removing active malware. Progent then began the task of bringing Active Directory back online, as it is the core of enterprise environments built on Microsoft technology. Exchange email will not work without Windows AD, and the customer's MRP applications ran on SQL Server, which relies on Active Directory for access to the data.

In less than two days, Progent restored Windows Active Directory to its pre-attack state. Progent then performed reinstallations and hard drive recovery of key systems. All Microsoft Exchange Server data and attributes were intact, which greatly simplified the restoration of Exchange. Progent was also able to gather local OST files (Outlook Offline Folder files) from various PCs and laptops to recover mail data. A reasonably recent offline backup of the business's accounting software made it possible to bring these essential applications back to users. Although a great deal of work remained to recover completely from the Ryuk attack, core services were returned to operation quickly:

"For the most part, the manufacturing operation survived unscathed and we did not miss any customer orders."

Over the next month, important milestones in the recovery process were reached through close collaboration between Progent engineers and the client:

  • In-house web applications were restored without losing any data.
  • The MailStore Exchange Server containing more than four million historical messages was brought online and accessible to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control modules were 100% functional.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Ninety percent of the user workstations were operational.

"A huge amount of what happened during the initial response is nearly entirely a blur for me, but we will not forget the commitment each of your team put in to help get our company back. I have been working with Progent for the past 10 years, possibly more, and each time Progent has outperformed my expectations and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A potential company-ending disaster was averted through the efforts of hard-working experts, a broad array of subject matter expertise, and close teamwork. In hindsight, the ransomware attack described here should have been detected and stopped by modern security technology, NIST Cybersecurity Framework best practices, staff training, and appropriate incident response procedures covering backups and keeping systems current with security patches. The fact remains, however, that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you do fall victim to a ransomware attack, be confident that Progent's roster of experts has extensive experience in ransomware blocking, mitigation, and information systems disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), I'm grateful for allowing me to get some sleep after we made it through the initial push. All of you did an amazing job, and if any of your team is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Phoenix a variety of remote monitoring and security assessment services designed to help you reduce the threat from crypto-ransomware. These services incorporate next-generation machine learning to detect zero-day strains of ransomware that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that uses SentinelOne's cutting-edge behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which routinely escape traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to address the complete threat progression, including blocking, infiltration detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer economical in-depth security for physical and virtual servers, workstations, mobile devices, and Exchange Server. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and respond to cyber attacks from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge tools incorporated within one agent managed from a unified console. Progent's data protection and virtualization consultants can help your business plan and implement a ProSight ESP environment that meets your organization's specific requirements and helps you demonstrate compliance with government and industry information protection regulations. Progent will help you specify and implement the security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require immediate attention. Progent's consultants can also help your company install and test a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore software companies to create ProSight Data Protection Services (DPS), a selection of management offerings that deliver backup-as-a-service. ProSight DPS services manage and track your data backup processes and enable non-disruptive backup and rapid recovery of important files/folders, apps, images, and virtual machines. ProSight DPS helps you protect against data loss caused by hardware failures, natural calamities, fire, cyber attacks like ransomware, user mistakes, ill-intentioned employees, or application bugs. Managed services in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading data security vendors to deliver centralized control and comprehensive security for all your inbound and outbound email. The powerful architecture of Email Guard integrates cloud-based filtering with an on-premises security gateway appliance to offer advanced defense against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-based malware. Email Guard's Cloud Protection Layer acts as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound attacks and conserves system bandwidth and storage. Email Guard's on-premises gateway appliance adds a deeper layer of inspection for incoming email. For outgoing email, the onsite gateway provides AV and anti-spam protection, DLP, and email encryption. The onsite security gateway can also help Exchange Server track and safeguard internal email that stays inside your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to diagram, track, optimize and troubleshoot their networking hardware such as routers, switches, firewalls, and wireless controllers as well as servers, printers, endpoints and other networked devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always up to date, captures and displays the configuration information of virtually all devices connected to your network, monitors performance, and sends alerts when problems are detected. By automating time-consuming management activities, WAN Watch can cut hours off ordinary tasks such as making network diagrams, reconfiguring your network, finding devices that need critical software patches, or isolating performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by tracking the health of the critical assets that drive your information system. When ProSight LAN Watch detects a problem, an alert is sent immediately to your designated IT personnel and your Progent consultant so that potential problems can be addressed before they have a chance to impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With the ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected, fault-tolerant data center on a fast virtual host configured and maintained by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the customer retains ownership of the data, the OS platforms, and the applications. Since the environment is virtualized, it can be moved immediately to a different hosting solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, maintain, retrieve and safeguard information about your network infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be warned automatically about impending expirations of SSL certificates or domains. By updating and managing your network documentation, you can save up to half of the time wasted searching for vital information about your network. ProSight IT Asset Management includes a centralized repository for storing and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Learn more about the ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection solution that uses next-generation behavior analysis tools to guard endpoint devices as well as physical and virtual servers against modern malware attacks such as ransomware and fileless exploits, which routinely evade traditional signature-matching anti-virus tools. Progent ASM services safeguard on-premises and cloud resources and provide a unified platform to automate the entire threat progression, including filtering, detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new threats. Learn more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Center: Call Center Managed Services
    Progent's Support Center services permit your information technology staff to outsource Call Center services to Progent or divide activity for Service Desk support transparently between your internal network support group and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Shared Service Desk provides a transparent extension of your internal network support staff. End user access to the Help Desk, provision of support services, problem escalation, ticket generation and updates, performance metrics, and management of the service database are cohesive whether issues are resolved by your core network support group, by Progent's team, or a mix of the two. Read more about Progent's outsourced/shared Help Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer organizations of any size a flexible and cost-effective solution for evaluating, validating, scheduling, applying, and documenting updates to your dynamic IT network. Besides maximizing the protection and functionality of your IT environment, Progent's software/firmware update management services free up time for your IT staff to focus on line-of-business initiatives and tasks that derive maximum business value from your network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA services incorporate Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication (2FA). Duo enables one-tap identity verification on iOS, Google Android, and other personal devices. With Duo 2FA, whenever you sign into a protected online account and enter your password, you are asked to verify your identity via a device that only you have and that uses a separate network channel. A wide range of devices can be used as this added means of authentication, such as a smartphone or wearable, a hardware token, or a landline telephone. You can register multiple verification devices. For more information about ProSight Duo two-factor identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services.

For Phoenix 24/7/365 Crypto Remediation Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.