Ransomware : Your Worst Information Technology Disaster
Crypto-Ransomware Remediation Experts
Ransomware has become a modern cyberplague that poses an enterprise-level threat to businesses poorly prepared for an assault. Different versions of crypto-ransomware such as CrySIS, Fusob, Locky, SamSam and MongoLock cryptoworms have been running rampant for a long time and still cause havoc. Modern strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, along with frequent unnamed variants, not only encrypt online data but also target any configured system backups. Data synced to cloud environments can also be rendered useless. In a vulnerable system, this can make automatic recovery impossible and essentially set the entire environment back to zero.

Recovering services and information after a crypto-ransomware outage becomes a sprint against time as the victim struggles to stop lateral movement, clear the ransomware, and resume business-critical activity. Because ransomware takes time to spread, attacks are usually launched at night, when a successful intrusion may take longer to detect. This multiplies the difficulty of promptly mobilizing and organizing an experienced response team.

Progent offers a range of solutions for protecting businesses from ransomware attacks. Among these are team education to recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of next-generation security gateways with AI technology from SentinelOne to detect and disable new cyber threats rapidly. Progent also provides the assistance of expert ransomware recovery engineers with the skills and perseverance to redeploy a compromised network as quickly as possible.

Progent's Crypto-Ransomware Recovery Help
Following a ransomware attack, even paying the ransom demand in cryptocurrency does not guarantee that the criminals will provide the keys needed to decrypt any of your information. Kaspersky Labs determined that seventeen percent of ransomware victims never restored their files even after paying the ransom, resulting in additional losses. The stakes are also high. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET determined to be around $13,000. The fallback is to set up the essential parts of your IT environment from scratch. Without access to essential data backups, this calls for a wide range of IT skills, top-notch project management, and the ability to work non-stop until the job is done.

For two decades, Progent has provided expert IT services for companies in St. Paul and throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained advanced certifications in key technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security experts have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications.) Progent also has experience with financial management and ERP application software. This breadth of expertise gives Progent the ability to rapidly identify the necessary systems, consolidate the surviving pieces of your IT environment following a crypto-ransomware event, and configure them into a functioning network.

Progent's recovery team uses top-notch project management applications to coordinate the complicated recovery process. Progent understands the urgency of working swiftly and in unison with a client's management and IT team members to prioritize tasks and to get the most important services back online as soon as humanly possible.

Business Case Study: A Successful Ransomware Attack Response
A business engaged Progent after their organization was taken over by the Ryuk ransomware. Ryuk is thought to have been deployed by North Korean state-sponsored cybercriminals, possibly using techniques leaked from America's NSA. Ryuk targets specific businesses with limited tolerance for operational disruption and is one of the most lucrative examples of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in the Chicago metro area with about 500 staff members. The Ryuk event had shut down all company operations and manufacturing capabilities. Most of the client's data backups had been directly accessible at the start of the intrusion and were encrypted. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hoping for the best, but in the end decided to engage Progent.


"I cannot tell you enough in regards to the support Progent provided us throughout the most fearful time of (our) business's survival. We most likely would have paid the cybercriminals if it wasn't for the confidence the Progent team gave us. That you were able to get our e-mail and key servers back online quicker than five days was something I thought impossible. Every single consultant I spoke to or texted at Progent was hell bent on getting us restored and was working at all hours on our behalf."

Progent worked with the customer to rapidly assess and prioritize the essential elements that had to be restored in order to resume departmental operations:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Financials/MRP

To get going, Progent followed industry best practices for malware incident mitigation by isolating and cleaning up infected systems. Progent then began restoring Microsoft Active Directory, the core technology of enterprise networks built on Microsoft Windows Server. Microsoft Exchange Server messaging will not function without AD, and the business's MRP applications used Microsoft SQL Server, which relies on Active Directory for authentication to the databases.

In less than two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then began reinstallations and storage recovery on key systems. All Exchange data and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to collect intact OST files (Outlook Offline Folder Files) from user workstations and laptops in order to recover mail messages. A relatively recent offline backup of the business's accounting software made it possible to bring these vital applications back online. Although significant work still had to be done to recover fully from the Ryuk event, the most important services were restored quickly:


"For the most part, the manufacturing operation never missed a beat and we produced all customer sales."

Over the following couple of weeks critical milestones in the recovery process were achieved through tight cooperation between Progent consultants and the client:

  • Internal web applications were restored with no loss of data.
  • The MailStore Exchange Server archive with over 4 million historical messages was restored to operation and made accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory modules were fully operational.
  • A new Palo Alto Networks 850 security appliance was set up.
  • 90% of the desktop computers were back into operation.

"A lot of what transpired that first week is mostly a fog for me, but our team will not soon forget the care each of your team put in to give us our business back. I've entrusted Progent for the past ten years, possibly more, and every time Progent has impressed me and delivered. This time was the most impressive ever."

Conclusion
A potential business disaster was averted by results-oriented experts, a wide array of IT skills, and close teamwork. In the post-mortem, the crypto-ransomware attack detailed here should have been blocked by up-to-date cyber security technology, ISO/IEC 27001 best practices, team training, and appropriate security procedures for information protection and software patching. The fact remains, however, that government-sponsored criminal cyber gangs from Russia, North Korea and elsewhere are relentless and will keep attacking. If you do fall victim to ransomware, be confident that Progent's roster of experts has a proven track record in ransomware blocking, removal, and file recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were involved), I'm grateful for allowing me to get rested after we made it over the most critical parts. All of you did a fabulous job, and if any of your guys is around the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, see Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in St. Paul a range of online monitoring and security evaluation services to help minimize your exposure to ransomware. These services use next-generation machine learning to detect new strains of ransomware that escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's behavior-based machine learning technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily evade legacy signature-based AV tools. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to manage the complete malware attack lifecycle, including blocking, detection, containment, cleanup, and forensics. Key capabilities include single-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and modern behavior analysis for round-the-clock monitoring and responding to security threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alerts, device control, and web filtering via leading-edge technologies packaged within one agent managed from a single console. Progent's security and virtualization consultants can assist you to plan and implement a ProSight ESP deployment that meets your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry data security standards. Progent will help you specify and configure security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that call for urgent action. Progent's consultants can also assist your company to install and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business quickly from a destructive cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup software companies to create ProSight Data Protection Services (DPS), a family of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your backup processes and allow transparent backup and fast recovery of vital files, applications, images, and virtual machines. ProSight DPS helps you protect against data loss caused by equipment failures, natural disasters, fire, malware such as ransomware, user mistakes, malicious insiders, or application glitches. Managed services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda dedicated storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you identify which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading data security vendors to provide centralized management and comprehensive protection for your email traffic. The architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to offer advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-borne malware. Email Guard's cloud filter acts as a first line of defense and keeps most unwanted email from reaching your network firewall. This decreases your exposure to external threats and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance adds a deeper layer of analysis for incoming email. For outgoing email, the onsite security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The local security gateway can also help Exchange Server track and protect internal email that stays inside your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map, monitor, enhance and debug their networking hardware such as routers and switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are always current, copies and manages the configuration information of virtually all devices on your network, monitors performance, and generates notices when potential issues are discovered. By automating time-consuming network management processes, WAN Watch can knock hours off common chores such as network mapping, expanding your network, finding appliances that require critical software patches, or resolving performance issues. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) technology to keep your network running at peak levels by checking the health of the vital assets that power your business network. When ProSight LAN Watch detects an issue, an alert is transmitted automatically to your specified IT staff and your assigned Progent consultant so that looming problems can be resolved before they disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a secure, fault-tolerant data center on a high-performance virtual machine host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Because the environment is virtualized, it can be ported immediately to alternate hardware without a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect data related to your IT infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be warned about impending expirations of SSL certificates or warranties. By updating and managing your IT infrastructure documentation, you can save as much as half of the time wasted searching for vital information about your IT network. ProSight IT Asset Management features a common repository for storing and sharing all documents required for managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Find out more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that uses behavior-based machine learning tools to defend endpoint devices as well as servers and VMs against new malware attacks like ransomware and fileless exploits, which routinely escape traditional signature-matching anti-virus products. Progent's Active Security Monitoring services protect on-premises and cloud-based resources and provide a unified platform to manage the complete threat progression, including filtering, intrusion detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using the Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Service Center: Call Center Managed Services
    Progent's Help Desk services enable your information technology team to offload Support Desk services to Progent or divide activity for Service Desk support seamlessly between your internal network support resources and Progent's extensive pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a smooth extension of your corporate support organization. User interaction with the Service Desk, provision of support, issue escalation, trouble ticket generation and updates, efficiency metrics, and maintenance of the support database are consistent whether issues are resolved by your internal IT support resources, by Progent's team, or by a combination. Find out more about Progent's outsourced/shared Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management offer businesses of any size a versatile and cost-effective alternative for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic IT system. Besides maximizing the protection and functionality of your computer environment, Progent's software/firmware update management services permit your IT team to focus on more strategic initiatives and activities that derive maximum business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Remediation, and Secure Single Sign-on (SSO)
    Progent's Duo MFA managed services use Cisco's Duo cloud technology to protect against compromised passwords through two-factor authentication. Duo enables single-tap identity verification on Apple iOS, Google Android, and other personal devices. With 2FA, when you log into a secured online account and enter your password, you are asked to confirm your identity via a device that only you possess and that is reached over a different network channel. A wide range of devices can be used for this second factor, such as a smartphone or wearable, a hardware or software token, or a landline phone. You can register several verification devices. To learn more about Duo two-factor identity authentication services, go to Duo MFA two-factor authentication (2FA) services for access security.
For 24x7x365 St. Paul Ransomware Removal Services, call Progent at 800-462-8800 or go to Contact Progent.