Ransomware : Your Crippling IT Nightmare
Ransomware  Recovery ExpertsCrypto-Ransomware has become an escalating cyberplague that presents an existential danger for organizations poorly prepared for an assault. Different iterations of crypto-ransomware such as CryptoLocker, CryptoWall, Locky, NotPetya and MongoLock cryptoworms have been circulating for many years and continue to cause havoc. The latest variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, along with additional as yet unnamed malware, not only encrypt on-line files but also infect all accessible system restores and backups. Information synched to off-site disaster recovery sites can also be rendered useless. In a poorly architected data protection solution, this can render automatic restoration useless and basically knocks the network back to square one.

Getting back applications and data following a ransomware event becomes a sprint against time as the targeted organization struggles to contain the damage and clear the virus and to restore business-critical operations. Since ransomware requires time to move laterally, assaults are frequently launched on weekends and holidays, when successful penetrations are likely to take more time to recognize. This compounds the difficulty of rapidly mobilizing and coordinating a knowledgeable mitigation team.

Progent provides an assortment of solutions for protecting businesses from crypto-ransomware attacks. These include team education to help recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security solutions with AI capabilities from SentinelOne to detect and suppress day-zero threats intelligently. Progent in addition offers the assistance of veteran crypto-ransomware recovery consultants with the talent and perseverance to reconstruct a breached network as rapidly as possible.

Progent's Ransomware Restoration Services
After a ransomware penetration, even paying the ransom in Bitcoin cryptocurrency does not ensure that merciless criminals will respond with the keys to decipher all your information. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their data even after having sent off the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is significantly higher than the typical crypto-ransomware demands, which ZDNET estimates to be in the range of $13,000. The other path is to re-install the essential parts of your IT environment. Without access to essential information backups, this calls for a broad complement of skills, well-coordinated team management, and the willingness to work non-stop until the job is completed.

For twenty years, Progent has provided expert IT services for businesses in St. Paul and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have been awarded advanced certifications in leading technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cybersecurity experts have earned internationally-recognized industry certifications including CISA, CISSP-ISSAP, ISACA CRISC, and GIAC. (See Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience affords Progent the ability to knowledgably understand necessary systems and integrate the remaining components of your network environment after a crypto-ransomware attack and configure them into a functioning network.

Progent's ransomware team of experts has powerful project management tools to coordinate the complex restoration process. Progent understands the urgency of acting quickly and together with a client's management and Information Technology team members to assign priority to tasks and to get the most important systems back online as fast as possible.

Client Case Study: A Successful Ransomware Incident Recovery
A customer engaged Progent after their network system was attacked by Ryuk crypto-ransomware. Ryuk is thought to have been created by Northern Korean government sponsored hackers, suspected of adopting techniques exposed from America's National Security Agency. Ryuk attacks specific organizations with limited room for operational disruption and is among the most profitable iterations of ransomware. Well Known targets include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturer based in the Chicago metro area and has about 500 staff members. The Ryuk intrusion had brought down all business operations and manufacturing processes. Most of the client's system backups had been online at the time of the attack and were damaged. The client was evaluating paying the ransom demand (exceeding two hundred thousand dollars) and hoping for good luck, but in the end engaged Progent.


"I can't say enough in regards to the help Progent gave us throughout the most fearful period of (our) company's survival. We would have paid the cyber criminals behind the attack if not for the confidence the Progent group provided us. That you were able to get our messaging and production applications back faster than 1 week was beyond my wildest dreams. Each person I worked with or e-mailed at Progent was totally committed on getting our company operational and was working all day and night on our behalf."

Progent worked hand in hand the customer to rapidly identify and assign priority to the critical applications that needed to be addressed to make it possible to resume business functions:

  • Windows Active Directory
  • Microsoft Exchange
  • Financials/MRP
To start, Progent followed ransomware penetration mitigation industry best practices by halting the spread and cleaning systems of viruses. Progent then began the work of restoring Active Directory, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange Server messaging will not work without AD, and the businesses' financials and MRP applications leveraged Microsoft SQL Server, which requires Active Directory for authentication to the information.

In less than 2 days, Progent was able to rebuild Active Directory services to its pre-penetration state. Progent then performed setup and storage recovery of the most important servers. All Exchange Server schema and configuration information were usable, which facilitated the restore of Exchange. Progent was able to find non-encrypted OST files (Outlook Email Offline Folder Files) on various workstations and laptops to recover email data. A recent offline backup of the businesses financials/ERP software made them able to return these essential programs back online for users. Although significant work still had to be done to recover totally from the Ryuk event, essential services were recovered quickly:


"For the most part, the production manufacturing operation ran fairly normal throughout and we made all customer sales."

Over the next month key milestones in the recovery process were completed through close cooperation between Progent engineers and the customer:

  • In-house web applications were restored without losing any information.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoices/AP/Accounts Receivables/Inventory Control functions were 100% recovered.
  • A new Palo Alto Networks 850 security appliance was brought on-line.
  • Most of the user PCs were back into operation.

"A lot of what transpired in the early hours is mostly a haze for me, but my management will not forget the urgency all of the team put in to help get our business back. I've trusted Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered. This time was a Herculean accomplishment."

Conclusion
A probable company-ending catastrophe was dodged with results-oriented experts, a wide array of technical expertise, and close collaboration. Although in post mortem the crypto-ransomware virus attack detailed here would have been shut down with current cyber security technology solutions and security best practices, staff education, and properly executed incident response procedures for data backup and keeping systems up to date with security patches, the fact remains that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a crypto-ransomware incident, remember that Progent's team of experts has extensive experience in ransomware virus defense, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others who were helping), thank you for letting me get some sleep after we got past the most critical parts. Everyone did an amazing effort, and if any of your team is visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in St. Paul a portfolio of online monitoring and security assessment services to assist you to minimize the threat from crypto-ransomware. These services utilize next-generation AI capability to uncover new strains of ransomware that can escape detection by legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next generation behavior machine learning tools to guard physical and virtual endpoint devices against new malware attacks such as ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus products. ProSight ASM safeguards local and cloud-based resources and offers a single platform to address the entire malware attack progression including protection, identification, containment, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable multi-layer protection for physical servers and VMs, desktops, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and responding to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, device control, and web filtering via leading-edge tools packaged within one agent accessible from a single control. Progent's security and virtualization consultants can help your business to design and configure a ProSight ESP environment that addresses your organization's specific needs and that helps you prove compliance with legal and industry information security regulations. Progent will assist you specify and configure policies that ProSight ESP will manage, and Progent will monitor your IT environment and respond to alarms that call for immediate attention. Progent's consultants can also assist your company to set up and test a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup software providers to produce ProSight Data Protection Services (DPS), a family of offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup operations and allow non-disruptive backup and rapid recovery of critical files, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss caused by equipment breakdown, natural calamities, fire, malware such as ransomware, human error, ill-intentioned insiders, or application bugs. Managed services available in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top data security vendors to provide centralized control and world-class protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard integrates a Cloud Protection Layer with a local security gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer serves as a first line of defense and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's on-premises security gateway appliance provides a further layer of analysis for inbound email. For outbound email, the on-premises security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and inexpensive for smaller businesses to diagram, monitor, reconfigure and debug their networking appliances like routers, firewalls, and access points as well as servers, printers, endpoints and other devices. Incorporating cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology maps are always updated, captures and manages the configuration information of virtually all devices connected to your network, monitors performance, and generates alerts when issues are detected. By automating tedious management and troubleshooting activities, WAN Watch can knock hours off ordinary chores such as making network diagrams, expanding your network, finding appliances that need important software patches, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management techniques to help keep your IT system running efficiently by checking the state of critical assets that power your information system. When ProSight LAN Watch detects an issue, an alarm is sent immediately to your specified IT management personnel and your Progent engineering consultant so that all potential issues can be resolved before they can impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and applications hosted in a secure fault tolerant data center on a fast virtual machine host configured and maintained by Progent's network support experts. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system platforms, and the applications. Since the system is virtualized, it can be moved easily to a different hosting environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, maintain, find and safeguard information about your network infrastructure, processes, applications, and services. You can instantly find passwords or IP addresses and be warned about impending expirations of SSL certificates ,domains or warranties. By cleaning up and organizing your IT documentation, you can save up to 50% of time thrown away looking for critical information about your IT network. ProSight IT Asset Management includes a common location for holding and sharing all documents related to managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you require the instant you need it. Read more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection service that incorporates cutting edge behavior-based machine learning technology to defend endpoints as well as servers and VMs against modern malware assaults such as ransomware and file-less exploits, which easily escape legacy signature-based anti-virus tools. Progent Active Security Monitoring services safeguard local and cloud-based resources and provides a unified platform to automate the entire malware attack progression including filtering, identification, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback with Windows VSS and real-time system-wide immunization against new threats. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Center: Help Desk Managed Services
    Progent's Support Center managed services permit your IT staff to offload Call Center services to Progent or split activity for support services seamlessly between your internal support resources and Progent's nationwide roster of IT support engineers and subject matter experts (SMEs). Progent's Co-managed Service Desk provides a smooth extension of your core IT support team. End user access to the Service Desk, provision of support, problem escalation, ticket generation and tracking, performance measurement, and management of the support database are cohesive whether incidents are taken care of by your core support group, by Progent's team, or by a combination. Read more about Progent's outsourced/shared Service Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer businesses of any size a flexible and cost-effective solution for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information network. In addition to optimizing the protection and reliability of your IT environment, Progent's software/firmware update management services free up time for your IT team to focus on more strategic initiatives and tasks that deliver the highest business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication (2FA). Duo enables single-tap identity confirmation on iOS, Google Android, and other personal devices. With Duo 2FA, whenever you log into a protected application and give your password you are asked to confirm your identity on a device that only you possess and that is accessed using a different ("out-of-band") network channel. A broad selection of devices can be utilized as this second means of authentication such as an iPhone or Android or watch, a hardware token, a landline telephone, etc. You can register several validation devices. For more information about ProSight Duo identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of in-depth reporting utilities created to work with the industry's leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-through or machines with missing patches. By exposing ticketing or network health problems clearly and in near-real time, ProSight Reporting improves network value, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
For St. Paul 24-Hour CryptoLocker Repair Services, reach out to Progent at 800-462-8800 or go to Contact Progent.