Ransomware : Your Worst IT Disaster
Crypto-Ransomware Recovery Professionals

Ransomware has become an all-too-frequent cyber pandemic that presents an existential threat to businesses vulnerable to an attack. Earlier ransomware and cryptoworm families such as Reveton, CryptoWall, Locky, NotPetya and MongoLock have been circulating for years and still inflict harm. Newer strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Nefilim, along with malware that has yet to be named, not only encrypt online information but also attack every system protection mechanism they can reach. Data replicated to the cloud can be encrypted as well. In a vulnerable environment, this can render automated restore operations hopeless and effectively knocks the datacenter back to zero.

Bringing applications and data back online after a ransomware outage becomes a race against the clock as the targeted organization fights to contain and clean up the ransomware and resume business-critical activity. Because crypto-ransomware needs time to spread, attacks are usually launched on weekends and at night, when a successful penetration is likely to take longer to uncover. This multiplies the difficulty of promptly assembling and coordinating a capable mitigation team.

Progent offers an assortment of solutions for protecting organizations from ransomware events. These include user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways with machine learning technology from SentinelOne to identify and suppress zero-day cyber threats automatically. Progent can also provide expert ransomware recovery consultants with the skills and perseverance to re-deploy a breached network as urgently as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a crypto-ransomware penetration, sending the ransom in cryptocurrency does not ensure that the cyber criminals will respond with the keys needed to decrypt all your information. Kaspersky Labs ascertained that 17% of ransomware victims never restored their files after having sent off the ransom, resulting in further losses. The ransom itself is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 to $400,000). This is far higher than the typical crypto-ransomware demand, which ZDNET estimates to average approximately $13,000. The alternative is to set up the mission-critical parts of your IT environment from scratch. Without access to complete information backups, this requires a wide complement of skills, well-coordinated project management, and the ability to work continuously until the recovery project is completed.

For decades, Progent has offered certified expert Information Technology services for businesses in Colorado Springs and throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained high-level industry certifications in important technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security consultants have earned internationally recognized industry certifications including CISA, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent in addition has experience in financial management and ERP applications. This breadth of experience gives Progent the capability to quickly identify the necessary systems, organize the surviving components of your Information Technology environment following a ransomware attack, and rebuild them into a functioning system.

Progent's recovery team of experts has state-of-the-art project management tools to coordinate the complicated restoration process. Progent understands the importance of acting quickly and together with a customer's management and Information Technology team members to assign priority to tasks and to get critical systems back on-line as soon as possible.

Case Study: A Successful Ransomware Intrusion Response
A small business sought out Progent after their organization was brought down by the Ryuk crypto-ransomware. Ryuk is generally considered to have been developed by North Korean government-sponsored criminal gangs, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little or no ability to sustain disruption and is one of the most lucrative versions of ransomware malware. Notable victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a small manufacturer located in the Chicago metro area with about 500 staff members. The Ryuk penetration had shut down all essential operations and manufacturing capabilities. The majority of the client's backups had been online at the time of the attack and were damaged. The client was evaluating paying the ransom (in excess of $200,000) and hoping for the best, but ultimately reached out to Progent.

"I can't tell you enough in regard to the expertise Progent gave us throughout the most critical time of (our) company's existence. We may have had to pay the cybercriminals if it wasn't for the confidence the Progent team provided us. The fact that you were able to get our e-mail system and important servers back into operation in less than one week was incredible. Each staff member I spoke to or messaged at Progent was amazingly focused on getting us back online and was working non-stop on our behalf."

Progent worked together with the customer to rapidly identify and prioritize the essential systems that needed to be recovered in order to resume company operations:

  • Active Directory (AD)
  • E-Mail
  • Accounting/MRP

To begin, Progent followed incident response best practices for malware outbreaks by isolating the affected systems and performing malware removal. Progent then started the work of restoring Active Directory, the core of enterprise systems built on Microsoft Windows technology. Microsoft Exchange messaging will not operate without AD, and the client's accounting and MRP applications ran on Microsoft SQL Server, which relied on Active Directory for authentication and authorization of access to the data.

Within two days, Progent was able to recover Active Directory services to their pre-attack state. Progent then began rebuilding the most important applications and recovering their data from disk. All Exchange schema and attributes were intact, which facilitated the rebuild of Exchange. Progent was able to locate intact OST files (Outlook Offline Folder Files) on staff PCs and laptops to recover email data. A reasonably recent offline backup of the business's financials/ERP software, which had survived because it was not reachable from the network when the online backups were encrypted, made it possible to restore these essential applications for users. Although a large amount of work remained to recover completely from the Ryuk damage, essential systems were restored quickly:


"For the most part, the production operation was never shut down and we delivered all customer shipments."

Over the following couple of weeks, important milestones in the recovery process were reached through close cooperation between Progent team members and the client:

  • Internal web sites were returned to operation with no loss of information.
  • The MailStore archive server for Microsoft Exchange, with over four million historical messages, was brought back up and made available to users.
  • CRM/Orders/Invoices/AP/AR/Inventory Control modules were 100 percent restored.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Ninety percent of the user workstations were functioning as before the incident.

"A lot of what occurred during the initial response is mostly a blur for me, but I will not soon forget the urgency each of you put in to give us our business back. I have been working with Progent for the past ten years, possibly more, and every time I needed help Progent has impressed me and delivered. This event was a testament to your capabilities."

Conclusion
A probable company-ending disaster was averted through the efforts of hard-working professionals, a wide range of subject matter expertise, and close teamwork. In hindsight, the ransomware attack detailed here would have been identified and stopped by up-to-date cyber security technology, NIST Cybersecurity Framework best practices, user education, well-designed procedures for information protection, and proper patching controls. The reality remains, however, that government-sponsored hackers from China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to a ransomware incident, remember that Progent's roster of professionals has a proven track record in crypto-ransomware blocking, cleanup, and data restoration.

"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), I'm grateful for letting me get some sleep after we made it through the first week. Everyone made an impressive effort, and if anyone is around the Chicago area, dinner is on me!"

To review or download a PDF version of this case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Colorado Springs a variety of remote monitoring and security evaluation services to help reduce the threat from ransomware. These services utilize modern machine learning technology to detect zero-day variants of ransomware that can escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's next generation behavior analysis technology to defend physical and virtual endpoints against modern malware attacks like ransomware and file-less exploits, which routinely get by traditional signature-based AV tools. ProSight ASM safeguards on-premises and cloud-based resources and provides a unified platform to manage the entire threat progression including blocking, identification, mitigation, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable in-depth protection for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring and response to security attacks from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering through cutting-edge technologies incorporated within a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business design and implement a ProSight ESP environment that addresses your organization's specific requirements and that allows you to demonstrate compliance with legal and industry data security standards. Progent will help you specify and configure the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent attention. Progent can also help you install and verify a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore technology companies to produce ProSight Data Protection Services, a family of management outsourcing plans that deliver backup-as-a-service. ProSight DPS services manage and monitor your backup processes and enable transparent backup and rapid recovery of critical files, applications, images, and virtual machines. ProSight DPS helps you recover from data loss caused by equipment failures, natural calamities, fire, cyber attacks such as ransomware, human mistakes, ill-intentioned employees, or application bugs. Managed backup services in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of top information security companies to deliver web-based control and comprehensive security for all your email traffic. The hybrid structure of Progent's Email Guard combines cloud-based filtering with an on-premises gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-borne malware. The cloud filter serves as a preliminary barricade and keeps the vast majority of unwanted email from making it to your security perimeter. This decreases your vulnerability to external attacks and conserves system bandwidth and storage. Email Guard's on-premises gateway device adds a further layer of analysis for inbound email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and protect internal email that stays inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to map out, monitor, reconfigure and troubleshoot their connectivity appliances like routers and switches, firewalls, and load balancers plus servers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are always updated, copies and displays the configuration information of virtually all devices on your network, tracks performance, and generates notices when issues are discovered. By automating tedious network management activities, WAN Watch can knock hours off common chores like making network diagrams, reconfiguring your network, locating devices that require important software patches, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by checking the state of critical assets that power your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT staff and your Progent engineering consultant so that any looming issues can be addressed before they can impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer owns the data, the operating system software, and the applications. Since the system is virtualized, it can be ported immediately to a different hardware platform without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and protect information related to your network infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned about impending expirations of SSL certificates, domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to half of the time spent searching for vital information about your network. ProSight IT Asset Management features a centralized repository for storing and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're making enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the information you require as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection solution that utilizes cutting-edge behavior-based analysis tools to guard endpoint devices as well as servers and VMs against modern malware attacks such as ransomware and file-less exploits, which routinely get by legacy signature-matching anti-virus tools. Progent ASM services protect on-premises and cloud-based resources and provide a unified platform to address the complete threat lifecycle including filtering, detection, mitigation, cleanup, and forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Learn more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Help Desk: Support Desk Managed Services
    Progent's Call Desk managed services enable your IT staff to outsource Support Desk services to Progent or divide activity for Help Desk services seamlessly between your in-house network support group and Progent's extensive roster of IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a smooth supplement to your internal network support group. Client interaction with the Service Desk, delivery of support, problem escalation, trouble ticket generation and tracking, efficiency metrics, and maintenance of the service database are cohesive whether incidents are taken care of by your internal IT support organization, by Progent, or both. Learn more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide businesses of all sizes a versatile and cost-effective solution for evaluating, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT network. Besides optimizing the security and reliability of your IT network, Progent's software/firmware update management services allow your IT team to focus on line-of-business projects and activities that deliver maximum business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA managed services utilize Cisco's Duo cloud technology to protect against stolen passwords through the use of two-factor authentication. Duo enables single-tap identity verification with iOS, Google Android, and other personal devices. With 2FA, when you log into a protected application and give your password, you are asked to confirm your identity on a device that only you possess and that uses a different network channel. A wide range of devices can be used for this second means of authentication, including a smartphone or wearable, a hardware/software token, or a landline phone. You can register several validation devices. For more information about ProSight Duo identity authentication services, see Cisco Duo MFA two-factor authentication services.

For 24x7x365 Colorado Springs crypto-ransomware recovery services, contact Progent at 800-462-8800 or go to Contact Progent.