Ransomware: Your Crippling IT Catastrophe
Ransomware has become a too-frequent cyber pandemic that poses an extinction-level threat for organizations unprepared for an assault. Versions of crypto-ransomware like the Reveton, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been replicating for years and still inflict damage. Recent variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with daily as yet unnamed malware, not only encrypt online information but also infect any configured system backups. Files replicated to cloud environments can also be encrypted. In a poorly architected system, this can render automated restoration hopeless and basically knock the network back to zero.

Recovering programs and data following a crypto-ransomware event becomes a race against time as the targeted organization fights to contain and remove the virus and to restore mission-critical activity. Because ransomware takes time to replicate, attacks are usually sprung during weekends and nights, when penetrations tend to take more time to recognize. This compounds the difficulty of quickly marshalling and organizing a capable mitigation team.

Progent provides an assortment of solutions for protecting businesses from crypto-ransomware events. Among these are staff education to help recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with deployment of the latest generation security solutions with artificial intelligence capabilities from SentinelOne to discover and disable new cyber attacks intelligently. Progent also offers the assistance of veteran ransomware recovery professionals with the talent and perseverance to re-deploy a breached environment as quickly as possible.

Progent's Ransomware Restoration Support Services
Following a ransomware event, paying the ransom demand in cryptocurrency does not guarantee that distant criminals will return the codes needed to decrypt all your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demand, which ZDNET estimates to average approximately $13,000. The alternative is to piece back together the mission-critical elements of your Information Technology environment. Without access to complete data backups, this requires a broad complement of skill sets, top-notch team management, and the capability to work non-stop until the recovery project is finished.

For decades, Progent has made available expert IT services for businesses in Richmond and across the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have been awarded advanced industry certifications in key technologies such as Microsoft, Cisco, VMware, and major distros of Linux. Progent's cyber security engineers have earned internationally renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of experience gives Progent the skills to knowledgeably determine critical systems and consolidate the surviving parts of your IT system following a ransomware penetration and configure them into a functioning network.

Progent's security team deploys powerful project management tools to coordinate the complicated recovery process. Progent understands the urgency of acting swiftly and together with a client's management and Information Technology team members to assign priority to tasks and to put the most important applications back on-line as soon as possible.

Business Case Study: A Successful Ransomware Penetration Restoration
A client hired Progent after their company was penetrated by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored hackers, possibly using techniques leaked from America's National Security Agency. Ryuk goes after specific organizations with little ability to sustain operational disruption and is one of the most lucrative iterations of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area with about 500 employees. The Ryuk attack had disabled all business operations and manufacturing processes. The majority of the client's information backups had been on-line at the start of the intrusion and were destroyed. The client was preparing to pay the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but ultimately engaged Progent.


"I cannot tell you enough about the care Progent gave us during the most fearful time of (our) company's existence. We may have had to pay the Hackers except for the confidence the Progent experts provided us. That you could get our messaging and critical applications back in less than 1 week was incredible. Each expert I worked with or texted at Progent was laser focused on getting our company operational and was working all day and night to bail us out."

Progent worked together with the client to quickly identify and prioritize the critical applications that had to be restored in order to continue company operations:

  • Active Directory (AD)
  • Electronic Messaging
  • Accounting and Manufacturing Software

To start, Progent adhered to anti-virus penetration mitigation best practices by halting the spread and cleaning systems of viruses. Progent then started the task of recovering Microsoft Active Directory, the heart of enterprise environments built upon Microsoft technology. Exchange email will not work without Active Directory, and the customer's accounting and MRP software used Microsoft SQL Server, which depends on Active Directory services for authentication to the data.

In less than two days, Progent was able to re-build Windows Active Directory to its pre-intrusion state. Progent then charged ahead with reinstallations and storage recovery of essential applications. All Exchange schema and attributes were usable, which greatly helped the rebuild of Exchange. Progent was able to collect non-encrypted OST data files (Outlook Email Offline Folder Files) on team PCs and laptops in order to recover mail information. A recent off-line backup of the business's manufacturing software made it possible to restore these required services and make them available to users again. Although significant work still had to be done to recover completely from the Ryuk attack, critical services were recovered quickly:


"For the most part, the assembly line operation was never shut down and we made all customer orders."

During the following month, key milestones in the restoration process were accomplished in close collaboration between Progent team members and the client:

  • In-house web applications were restored with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than four million historical emails was brought on-line and available for users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/AR/Inventory Control capabilities were 100 percent functional.
  • A new Palo Alto Networks 850 firewall was deployed.
  • Ninety percent of the user workstations were being used by staff.

"A huge amount of what went on those first few days is nearly entirely a blur for me, but we will not forget the commitment each of the team accomplished to give us our company back. I've utilized Progent for at least 10 years, maybe more, and each time Progent has shined and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A potentially company-ending catastrophe was averted by dedicated experts, a wide spectrum of technical expertise, and tight collaboration. Although in hindsight the ransomware attack detailed here would have been prevented with advanced security technology and recognized best practices, team education, and properly executed incident response procedures for data backup and applying software patches, the reality is that government-sponsored cybercriminals from China, Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware penetration, remember that Progent's team of experts has proven experience in ransomware virus blocking, cleanup, and data restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), I'm grateful for letting me get some sleep after we made it over the initial fire. Everyone did an amazing job, and if anyone is in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Richmond a portfolio of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to crypto-ransomware. These services utilize modern AI capability to uncover new variants of crypto-ransomware that are able to escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that incorporates SentinelOne's next generation behavior-based machine learning tools to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which easily evade legacy signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud resources and provides a unified platform to manage the entire malware attack progression including blocking, infiltration detection, mitigation, cleanup, and post-attack forensics. Top features include one-click rollback with Windows VSS and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer economical multi-layer protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and advanced heuristics for round-the-clock monitoring and responding to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering via leading-edge tools incorporated within one agent accessible from a unified console. Progent's data protection and virtualization experts can help your business to design and implement a ProSight ESP deployment that meets your organization's unique requirements and that helps you achieve and demonstrate compliance with legal and industry data security standards. Progent will help you specify and implement policies that ProSight ESP will manage, and Progent will monitor your network and react to alerts that call for immediate attention. Progent can also help your company to install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore software providers to produce ProSight Data Protection Services, a family of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services manage and track your data backup operations and enable non-disruptive backup and fast restoration of vital files/folders, apps, system images, plus virtual machines. ProSight DPS helps your business recover from data loss resulting from equipment breakdown, natural calamities, fire, cyber attacks like ransomware, user error, ill-intentioned employees, or software bugs. Managed services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security companies to provide centralized management and comprehensive security for all your email traffic. The hybrid structure of Email Guard managed service combines cloud-based filtering with a local gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The cloud filter acts as a first line of defense and blocks most unwanted email from making it to your security perimeter. This decreases your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper level of analysis for inbound email. For outgoing email, the local security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Exchange Server to track and safeguard internal email that stays within your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and affordable for small and mid-sized organizations to map out, track, enhance and troubleshoot their networking hardware such as routers and switches, firewalls, and wireless controllers plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art RMM technology, WAN Watch ensures that network diagrams are always current, captures and displays the configuration of almost all devices on your network, tracks performance, and sends alerts when potential issues are detected. By automating complex network management processes, ProSight WAN Watch can cut hours off ordinary tasks like network mapping, reconfiguring your network, finding devices that require important updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses state-of-the-art remote monitoring and management techniques to keep your IT system operating efficiently by tracking the health of vital assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent automatically to your designated IT management staff and your Progent engineering consultant so any looming issues can be resolved before they have a chance to impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual machine host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Since the system is virtualized, it can be moved immediately to an alternate hosting environment without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, update, find and safeguard data related to your network infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSLs or warranties. By updating and organizing your IT documentation, you can eliminate as much as 50% of time wasted searching for vital information about your network. ProSight IT Asset Management features a common repository for storing and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes cutting-edge behavior-based machine learning technology to guard endpoint devices, servers, and VMs against new malware assaults like ransomware and file-less exploits, which routinely escape traditional signature-matching anti-virus products. Progent ASM services protect on-premises and cloud-based resources and provide a unified platform to address the complete malware attack progression including protection, infiltration detection, containment, cleanup, and forensics. Top capabilities include single-click rollback with Windows VSS and automatic network-wide immunization against newly discovered threats. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Call Center: Help Desk Managed Services
    Progent's Call Center services allow your information technology group to outsource Support Desk services to Progent or split responsibilities for Service Desk support transparently between your in-house support team and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk offers a seamless extension of your core IT support group. User interaction with the Help Desk, delivery of support services, issue escalation, ticket creation and updates, efficiency metrics, and management of the support database are cohesive whether issues are resolved by your internal IT support resources, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Call Center services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide businesses of any size a flexible and affordable solution for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic information network. In addition to optimizing the protection and reliability of your computer environment, Progent's patch management services free up time for your IT staff to focus on line-of-business initiatives and tasks that deliver maximum business value from your information network. Read more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to protect against stolen passwords by using two-factor authentication. Duo enables one-tap identity confirmation on iOS, Google Android, and other out-of-band devices. Using 2FA, whenever you sign into a protected online account and enter your password you are asked to confirm who you are on a unit that only you have and that is accessed using a different ("out-of-band") network channel. A broad range of out-of-band devices can be used as this added means of authentication including an iPhone or Android or wearable, a hardware token, a landline phone, etc. You can register multiple verification devices. To learn more about Duo two-factor identity authentication services, refer to Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing suite of real-time and in-depth reporting tools designed to integrate with the industry's top ticketing and remote network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues such as spotty support follow-through or machines with out-of-date AVs. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring platforms.

For Richmond 24-Hour Crypto-Ransomware Removal Experts, call Progent at 800-462-8800 or go to Contact Progent.