Ransomware : Your Worst Information Technology Nightmare
Ransomware Recovery Professionals

Crypto-ransomware has become a modern cyber plague that presents an existential danger to businesses of all sizes vulnerable to an attack. Older versions of crypto-ransomware such as the CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been in the wild for a long time and continue to cause damage. Recent strains such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Egregor, along with others not yet named, not only encrypt online data files but also infect every reachable system restore point and backup. Data synchronized to off-site disaster recovery sites can also be ransomed. With a vulnerable data protection solution, this can make automated recovery impossible and effectively knocks the datacenter back to square one.

Getting services and data back online after a ransomware outage becomes a race against time as the victim tries to contain the damage, remove the crypto-ransomware, and restore business-critical operations. Because crypto-ransomware needs time to move laterally, attacks are often launched at night or on weekends, when intrusions tend to take longer to discover. This compounds the difficulty of promptly assembling and organizing a qualified response team.

Progent offers a variety of services for protecting enterprises from ransomware attacks. These include staff training to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the setup and configuration of modern security solutions with artificial intelligence capabilities from SentinelOne to identify and stop zero-day attacks automatically. Progent also provides seasoned ransomware recovery consultants with the skills and commitment to redeploy a breached system as quickly as possible.

Progent's Ransomware Restoration Help
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the criminals will return the keys needed to decrypt any of your data. Kaspersky found that 17% of ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive: Ryuk ransoms are commonly several hundred thousand dollars, and for larger organizations the ransom can run into the millions. The alternative is to rebuild the key elements of your IT environment. Without full system backups, this calls for a broad complement of IT skills, well-coordinated project management, and the ability to work around the clock until the recovery project is finished.

For twenty years, Progent has provided certified expert IT services to businesses across the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers who hold top certifications in key technologies such as Microsoft, Cisco, VMware, and popular Linux distributions. Progent's cyber security specialists have earned internationally recognized certifications including CISM, CISSP, ISACA CRISC, SANS GIAC, and CMMC 2.0 (see Progent's certifications). Progent also has expertise in accounting and ERP application software. This breadth of experience gives Progent the ability to understand critical systems, integrate the surviving parts of your network after a crypto-ransomware attack, and rebuild them into an operational environment.

Progent's ransomware team uses best-of-breed project management tools to orchestrate the complex recovery process. Progent understands the urgency of working rapidly and in concert with a client's management and IT staff to prioritize tasks and bring the most important systems back online as quickly as possible.

Client Case Study: A Successful Crypto-Ransomware Penetration Recovery
A business escalated to Progent after its network was brought down by the Ryuk ransomware. Ryuk is believed to have been developed by North Korean state-sponsored cybercriminals, possibly using code leaked from the U.S. NSA. Ryuk targets organizations with little or no tolerance for operational disruption and is one of the most profitable strains of crypto-ransomware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturer located in Chicago with about 500 employees. The Ryuk intrusion had brought down all essential business and manufacturing processes. Most of the client's backups had been online at the start of the intrusion and were encrypted. The client was considering paying the ransom (in excess of $200K) and hoping for the best, but ultimately decided to engage Progent.


"I cannot say enough in regards to the support Progent gave us during the most stressful period of (our) company's survival. We would have paid the hackers behind this attack if not for the confidence the Progent experts gave us. That you were able to get our e-mail and essential applications back into operation in less than seven days was amazing. Each staff member I got help from or e-mailed at Progent was totally committed to getting us operational and was working 24/7 to bail us out."

Progent worked with the client to rapidly understand and prioritize the essential elements that needed to be recovered in order to restart company operations:

  • Microsoft Active Directory
  • Electronic Messaging
  • MRP System
To begin, Progent followed anti-virus/malware incident response best practices by isolating and removing the active malware. Progent then began rebuilding Microsoft Active Directory, the heart of enterprise environments built on Microsoft Windows Server. Microsoft Exchange Server email cannot operate without Active Directory, and the customer's financial and MRP systems ran on Microsoft SQL Server, which relies on Windows AD to authorize access to the data.

In less than 2 days, Progent restored Active Directory services to their pre-attack state. Progent then helped reinstall the most important applications and recover their storage. All Exchange Server links and attributes in AD were intact, which greatly simplified the restoration of Exchange. Progent located unencrypted OST files (Outlook offline folder files) on staff workstations and used them to recover mail messages. A recent offline backup of the customer's accounting/ERP systems made it possible to bring these essential applications back online. Although a great deal of work remained to recover fully from the Ryuk damage, the most important systems were restored quickly:


"For the most part, the production line operation never missed a beat and we produced all customer orders."

Over the next couple of weeks, key milestones in the restoration process were reached through close cooperation between Progent's team and the client:

  • Internal web sites were restored with no loss of data.
  • The MailStore Exchange archive server, holding more than 4 million archived messages, was brought back up and made available to users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory functions were 100% restored.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Nearly all of the user desktops were being used by staff.

"A lot of what happened that first week is nearly entirely a blur for me, but my management will not soon forget the urgency each of the team accomplished to help get our business back. I've been working with Progent for the past 10 years, maybe more, and each time Progent has come through and delivered. This situation was a stunning achievement."

Conclusion
A potential company-ending disaster was averted thanks to results-oriented experts, a wide range of technical expertise, and close teamwork. Post-incident forensics showed that the ransomware incident described here could have been prevented with current security technology, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well-designed procedures for data protection and patch management. Even so, state-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and represent an ongoing threat. If you are hit by a ransomware intrusion, you can be confident that Progent's team of experts has substantial experience in ransomware defense, removal, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), I'm grateful for making it so I could get some sleep after we made it past the initial fire. Everyone did a fabulous job, and if any of your team is around the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in St. Paul a variety of online monitoring and security assessment services designed to reduce the threat from crypto-ransomware. These services use modern AI technology to detect zero-day ransomware variants that can evade traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's behavior-based machine learning tools to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily bypass traditional signature-matching AV tools. ProSight ASM protects on-premises and cloud resources and provides a unified platform to manage the complete malware attack lifecycle: blocking, identification, containment, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of, and response to, security threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, device management, and web filtering through modern tools packaged in a single agent managed from one console. Progent's security and virtualization consultants can help your business design and implement a ProSight ESP environment that addresses your organization's specific needs and lets you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and configure the security policies that ProSight ESP enforces, and Progent will monitor your network and respond to alarms that require urgent action. Progent's consultants can also help you set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore software vendors to produce ProSight Data Protection Services (DPS), a family of managed plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and track your backup operations and enable non-disruptive backup and fast restoration of critical files, applications, images, and VMs. ProSight DPS lets you recover from data loss caused by equipment failure, natural disasters, fire, cyber attacks such as ransomware, human error, malicious insiders, or software bugs. Managed backup services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these fully managed services best suits your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security companies to provide web-based management and world-class protection for your email traffic. The Email Guard managed service combines a Cloud Protection Layer with an on-premises gateway appliance to offer complete defense against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as the first line of defense and blocks most threats before they reach your network firewall. This reduces your exposure to inbound attacks and conserves bandwidth and storage. Email Guard's on-premises gateway adds a further layer of inspection for inbound email. For outbound email, the local gateway provides anti-virus and anti-spam filtering, data leak protection, and email encryption. The on-premises gateway can also help Exchange Server monitor and safeguard internal email that never leaves your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for small and mid-sized businesses to map, track, reconfigure and troubleshoot their connectivity hardware such as routers and switches, firewalls, and access points plus servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network maps are always updated, captures and displays the configuration of almost all devices on your network, tracks performance, and generates notices when potential issues are discovered. By automating complex management and troubleshooting processes, WAN Watch can cut hours off ordinary tasks like making network diagrams, expanding your network, finding devices that require important software patches, or identifying the cause of performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to keep your IT system operating efficiently by checking the health of critical computers that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your designated IT staff and your assigned Progent consultant so any looming problems can be resolved before they have a chance to disrupt productivity. Find out more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the apps. Since the system is virtualized, it can be ported immediately to a different hardware environment without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, retrieve and protect information about your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted to impending expirations of SSL certificates, domains or warranties. By keeping your network documentation current, you can eliminate up to half the time wasted searching for critical information about your IT network. ProSight IT Asset Management provides a common location for storing and sharing all the documents needed to manage your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and correlating IT information. Whether you're planning upgrades, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need when you need it. Find out more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) managed service that incorporates next-generation behavior-based machine learning technology to defend endpoints as well as physical and virtual servers against modern malware attacks like ransomware and file-less exploits, which easily evade traditional signature-based anti-virus tools. Progent ASM services protect on-premises and cloud-based resources and provide a single platform to automate the entire threat lifecycle: protection, detection, containment, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against new attacks. Learn more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Call Center: Support Desk Managed Services
    Progent's Call Center managed services enable your information technology group to outsource Support Desk services to Progent or divide responsibilities for support services transparently between your internal network support staff and Progent's nationwide roster of certified IT service technicians, engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a smooth supplement to your corporate support group. Client access to the Help Desk, provision of support services, issue escalation, ticket generation and tracking, performance measurement, and maintenance of the support database are consistent regardless of whether incidents are taken care of by your in-house IT support resources, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Service Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide businesses of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, applying, and documenting updates to your ever-evolving information system. Besides optimizing the security and reliability of your IT network, Progent's patch management services allow your IT team to focus on more strategic initiatives and activities that derive maximum business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA services use Cisco's Duo technology to defend against compromised passwords through two-factor authentication (2FA). Duo supports one-tap identity confirmation on Apple iOS, Google Android, and other personal devices. With 2FA, when you sign in to a protected application and enter your password, you are asked to verify your identity using a device that only you possess and that is reached over a separate network channel. A broad selection of devices can serve as this second factor, such as a smartphone or watch, a hardware or software token, or a landline phone. You may register several verification devices. For more information about ProSight Duo two-factor identity validation services, see Cisco Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of in-depth management reporting plug-ins designed to integrate with leading ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and color coding to highlight and contextualize critical issues such as spotty support follow-up or endpoints with out-of-date AV. By identifying ticketing or network health concerns clearly and in near real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.

For 24/7 St. Paul Crypto Recovery Services, contact Progent at 800-462-8800 or go to Contact Progent.