Ransomware: Your Worst Information Technology Catastrophe
Crypto-Ransomware Recovery Consultants
Ransomware has become a modern cyberplague that poses an extinction-level danger for businesses of all sizes that are vulnerable to an attack. Multiple generations of ransomware such as CrySIS, WannaCry, Bad Rabbit, SamSam and MongoLock have been around for years and continue to cause havoc. The latest strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Nephilim, plus additional as yet unnamed newcomers, not only encrypt online data files but also go after any recovery mechanism they can reach, such as shadow copies and network-accessible backups. Data replicated to off-site disaster recovery sites can also be encrypted if the replication path is writable from the compromised network. In a poorly architected environment, this can make automated restoration hopeless and effectively knocks the network back to square one.

Recovering programs and data after a ransomware outage becomes a race against time as the targeted business fights to contain and remove the malware and to resume mission-critical operations. Because ransomware needs time to spread before it detonates, intrusions are usually launched on weekends, when successful attacks typically take longer to detect. This multiplies the difficulty of rapidly marshalling and coordinating a capable response team.
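The two paragraphs above make two practical points: modern ransomware destroys shadow copies and local backup catalogs before it encrypts, and operators prefer weekend launch windows. As an added example (not part of the original page and not Progent's tooling), the following Python script scans process-creation events for the recovery-inhibition commands catalogued under MITRE ATT&CK technique T1490 and flags hosts where more than one such command ran, marking weekend activity. The event lines, hostnames, account names and timestamps are constructed for this example, and the one-line event layout is an assumption made for parsing rather than a standard log format.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed process-creation events, flattened to one line each in a Sysmon
# Event ID 1 style. Hosts, accounts and times are invented for this example and
# are not taken from the incident described on this page.
SAMPLE_EVENTS = [
    '2020-05-16 02:14:07 host=MFG-FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    '2020-05-16 02:14:09 host=MFG-FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"',
    '2020-05-16 02:14:12 host=MFG-FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled no"',
    '2020-05-16 02:14:13 host=MFG-FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\bcdedit.exe cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    '2020-05-16 02:14:20 host=MFG-FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\wbadmin.exe cmd="wbadmin delete catalog -quiet"',
    '2020-05-16 02:15:01 host=MFG-WS117 user=CORP\\jsmith image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"',
    '2020-05-18 09:03:44 host=MFG-WS117 user=CORP\\jsmith image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE cmd="OUTLOOK.EXE"',
]

# Recovery-inhibition commands catalogued under MITRE ATT&CK T1490. Ransomware
# typically runs these just before encryption so that shadow copies and local
# backup catalogs cannot be used to restore. Matched case-insensitively against
# the command line only.
TAMPER_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin resize shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit recoveryenabled no", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("bcdedit bootstatuspolicy ignoreallfailures", re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("wbadmin delete catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)", re.I)),
    ("Win32_ShadowCopy delete via WMI/PowerShell", re.compile(r"win32_shadowcopy.*\bdelete\b", re.I)),
]

# One-line event layout assumed for this example (not a standard log format).
EVENT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>.+?) cmd="(?P<cmd>.*)"$'
)


def parse_event(line: str) -> Dict[str, str]:
    m = EVENT_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def is_weekend(ts: str) -> bool:
    """True for Saturday/Sunday timestamps (attackers favour low-staff windows)."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").weekday() >= 5


def find_recovery_tampering(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per event whose command line matches a T1490 pattern."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        for technique, pattern in TAMPER_PATTERNS:
            if pattern.search(ev["cmd"]):
                findings.append({
                    "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                    "technique": technique, "cmd": ev["cmd"],
                    "weekend": is_weekend(ev["ts"]),
                })
                break  # one technique per event is enough for scoring
    return findings


def techniques_by_host(findings: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Distinct techniques observed on each host, sorted for stable output."""
    seen: Dict[str, set] = defaultdict(set)
    for f in findings:
        seen[str(f["host"])].add(str(f["technique"]))
    return {host: sorted(techs) for host, techs in seen.items()}


def hosts_at_risk(findings: List[Dict[str, object]], min_techniques: int = 2) -> List[str]:
    """Hosts with at least `min_techniques` distinct inhibitor commands.

    A lone 'vssadmin list shadows' is routine administration; several different
    T1490 commands in quick succession on one host is a strong pre-encryption signal.
    """
    return sorted(h for h, t in techniques_by_host(findings).items() if len(t) >= min_techniques)


if __name__ == "__main__":
    found = find_recovery_tampering(SAMPLE_EVENTS)
    for f in found:
        flag = " [weekend]" if f["weekend"] else ""
        print(f'{f["ts"]} {f["host"]} {f["user"]} {f["technique"]}{flag}: {f["cmd"]}')
    print("hosts at risk:", hosts_at_risk(found))
```

On the constructed input the file server MFG-FS01 is flagged with five distinct techniques, all on a Saturday at 2 a.m., while the workstation that merely listed shadow copies is not. In a real deployment the input would be Sysmon Event ID 1 or Windows Security 4688 command lines, and a single `vssadmin delete shadows /all` on a backup or file server should page someone regardless of the two-technique threshold.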

Progent makes available a variety of services for protecting organizations from ransomware attacks. These include staff education to help identify and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern endpoint security software with machine learning technology from SentinelOne to identify and disable new attacks quickly. Progent also offers the assistance of veteran crypto-ransomware recovery professionals with the skills and perseverance to reconstruct a breached environment as quickly as possible.

Progent's Ransomware Recovery Help
After a crypto-ransomware event, paying the ransom in Bitcoin does not ensure that the criminal gang will provide the keys to decrypt any of your files. Kaspersky Lab found that seventeen percent of ransomware victims never recovered their data even after paying the ransom, compounding their losses. The ransom itself is also expensive. Ryuk ransoms commonly range from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far higher than the average ransomware demand, which ZDNet put at around $13,000. The other path is to piece back together the key parts of your IT environment. Without access to full backups, this requires a broad complement of skills, professional team management, and the willingness to work non-stop until the recovery project is over.

For twenty years, Progent has offered expert Information Technology services for businesses in Colorado Springs and throughout the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have been awarded high-level certifications in leading technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity experts have garnered internationally-recognized certifications including CISA, CISSP, CRISC, and SANS GIAC. (See Progent's certifications). Progent also has experience with financial management and ERP application software. This breadth of experience affords Progent the ability to rapidly understand critical systems and consolidate the surviving components of your IT system after a crypto-ransomware penetration and rebuild them into a functioning system.

Progent's security team uses best-of-breed project management applications to orchestrate the complicated restoration process. Progent understands the urgency of working quickly and in concert with a client's management and IT staff to prioritize tasks and to put the most important applications back online as soon as possible.

Case Study: A Successful Ransomware Attack Restoration
A client sought out Progent after their network was brought down by Ryuk crypto-ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but it is now generally attributed to a Russian-speaking criminal group. Ryuk is deployed against specific businesses with limited ability to sustain disruption and is one of the most profitable ransomware operations. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with about 500 employees. The Ryuk event had paralyzed all essential business and manufacturing processes. Most of the client's backups had been reachable from the network at the start of the intrusion and were encrypted along with the production data. The client was preparing to pay the ransom (more than two hundred thousand dollars) and hope for the best, but in the end engaged Progent.


"I can't thank you enough for the help Progent provided us throughout the most critical time of (our) company's existence. We may have had to pay the cyber criminals behind the attack except for the confidence the Progent group afforded us. The fact that you could get our e-mail system and important servers back on-line in less than a week was amazing. Each person I spoke to or e-mailed at Progent was hell-bent on getting us back on-line and was working 24/7 on our behalf."

Progent worked hand in hand with the client to rapidly understand and prioritize the essential applications that needed to be restored in order to continue departmental functions:

  • Windows Active Directory
  • E-Mail
  • Financials/MRP
To begin, Progent followed standard malware incident response practice: isolating infected systems to halt the spread, then cleaning them before reconnecting. Progent then started restoring Microsoft Active Directory, the heart of an enterprise environment built on Microsoft Windows technology. Microsoft Exchange will not function without AD, and the client's MRP system ran on SQL Server, which relied on Active Directory for authenticating and authorizing access to the data.

In less than 48 hours, Progent recovered Windows Active Directory to its pre-attack state. Progent then reinstalled and recovered storage for the most important applications. All Exchange Server objects and attributes in AD were intact, which greatly simplified the Exchange restore. Progent located local OST files (Microsoft Outlook Offline Data Files) on various PCs and laptops and used them to recover mailbox data. A reasonably recent offline backup of the business's accounting/ERP system made it possible to return these essential services to users. Although major work remained to recover fully from the Ryuk attack, essential systems were back quickly:


"For the most part, the production operation was never shut down and we did not miss any customer orders."

Over the next few weeks important milestones in the restoration project were made through close cooperation between Progent engineers and the client:

  • Self-hosted web sites were restored without losing any information.
  • The MailStore archive for Microsoft Exchange Server, holding more than four million messages, was brought online and made accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory capabilities were completely restored.
  • A new Palo Alto Networks PA-850 firewall was deployed.
  • 90% of user workstations were back in operation.

"A huge amount of what went on in the initial days is nearly entirely a haze for me, but I will not soon forget the urgency all of you put in to help get our company back. I have trusted Progent for at least 10 years, maybe more, and every time I needed help Progent has come through and delivered. This time was a stunning achievement."

Conclusion
A probable business-extinction event was averted through results-oriented experts, a wide range of technical expertise, and close teamwork. Post-incident forensics showed that the attack described here could have been stopped by modern security tooling, ISO/IEC 27001 best practices, staff education, and well-designed procedures for protecting backups and applying software patches; the reality, however, is that criminal and state-sponsored cyber gangs operating from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware incident, you can be confident that Progent's roster of professionals has proven experience in ransomware defense, remediation, and disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others who were contributing), I'm grateful for making it so I could get some sleep after we got past the initial push. Everyone did an impressive job, and if anyone that helped is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Colorado Springs a variety of remote monitoring and security evaluation services designed to help you reduce the threat from ransomware. These services include machine learning-based detection of new strains of crypto-ransomware that get past traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) service that uses SentinelOne's behavior-analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily get past traditional signature-matching AV tools. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to manage the complete threat lifecycle, including filtering, intrusion detection, containment, remediation, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) snapshots and real-time network-wide immunization against newly discovered threats; because rollback relies on snapshots the agent protects, it only applies to endpoints that were already enrolled before the attack. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    Progent's ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical servers and virtual machines, desktops, smartphones, and Exchange email. ProSight ESP uses adaptive security and modern behavior analysis to continuously monitor and react to cyber attacks from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering via leading-edge technologies incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can assist you to plan and configure a ProSight ESP environment that meets your organization's unique needs and that allows you to demonstrate compliance with government and industry data security standards. Progent will assist you to define and implement the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require immediate action. Progent's consultants can also help your company to install and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup technology providers to produce ProSight Data Protection Services, a family of subscription-based management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS services manage and monitor your backup operations and allow transparent backup and fast restoration of vital files, apps, images, plus virtual machines. ProSight DPS helps you recover from data loss resulting from equipment breakdown, natural calamities, fire, malware like ransomware, user mistakes, ill-intentioned insiders, or application glitches. Managed services in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of leading information security companies to provide centralized management and comprehensive security for your inbound and outbound email. The hybrid architecture of Email Guard combines a Cloud Protection Layer with a local gateway device to offer complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your exposure to inbound attacks and conserves bandwidth and storage space. Email Guard's on-premises gateway appliance provides a deeper level of inspection for incoming email. For outgoing email, the on-premises security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to monitor and protect internal email that both originates and terminates within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure management service that makes it simple and inexpensive for smaller organizations to diagram, track, enhance and debug their connectivity hardware such as routers, firewalls, and load balancers as well as servers, endpoints and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that network maps are kept current, captures and manages the configuration information of virtually all devices on your network, tracks performance, and generates notices when potential issues are discovered. By automating complex management and troubleshooting processes, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, locating appliances that need important software patches, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management techniques to keep your network running at peak levels by tracking the health of critical assets that power your information system. When ProSight LAN Watch uncovers a problem, an alarm is sent immediately to your specified IT management personnel and your assigned Progent engineering consultant so that all looming problems can be resolved before they have a chance to impact productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and applications hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's network support experts. With the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS platforms, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hardware environment without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect information related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By updating and managing your network documentation, you can eliminate as much as 50% of the time wasted searching for critical information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents required for managing your business network such as standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers advanced automation for gathering and relating IT data. Whether you're making enhancements, performing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that uses next-generation behavior-based machine learning technology to defend endpoint devices as well as physical and virtual servers against new malware attacks such as ransomware and fileless exploits, which easily get past legacy signature-matching AV products. The service safeguards on-premises and cloud resources and offers a unified platform to manage the entire threat progression, including filtering, identification, mitigation, cleanup, and forensics. Top features include one-click rollback using Windows VSS and automatic network-wide immunization against new threats. Learn more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Desk: Help Desk Managed Services
    Progent's Help Desk services enable your information technology group to outsource Help Desk services to Progent or split activity for Service Desk support seamlessly between your in-house support resources and Progent's nationwide roster of certified IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a seamless supplement to your core support group. Client interaction with the Help Desk, provision of support services, problem escalation, ticket generation and updates, performance measurement, and maintenance of the support database are consistent whether incidents are resolved by your internal IT support resources, by Progent, or both. Find out more about Progent's outsourced/co-managed Help Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of all sizes a versatile and affordable alternative for assessing, testing, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information network. In addition to maximizing the security and reliability of your IT network, Progent's patch management services allow your in-house IT team to focus on more strategic projects and activities that derive the highest business value from your network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo MFA managed services use Cisco's Duo cloud technology to defend against compromised passwords by requiring two-factor authentication (2FA). Duo enables single-tap identity confirmation on iOS, Android, and other out-of-band devices. With Duo 2FA, when you log into a protected online account and give your password, you are asked to confirm your identity on a device that only you possess and that uses a different network channel. A broad range of out-of-band devices can be used as this second factor, such as a smartphone or watch, a hardware/software token, or a landline phone. You may register several validation devices. To find out more about Duo two-factor identity authentication services, refer to Cisco Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of real-time and in-depth management reporting plug-ins designed to integrate with the leading ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to highlight and contextualize critical issues such as spotty support follow-through or endpoints with missing patches. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For Colorado Springs 24-7 Ransomware Remediation Consultants, contact Progent at 800-462-8800 or go to Contact Progent.