Ransomware: Your Feared IT Catastrophe
Crypto-Ransomware Remediation Experts
Crypto-ransomware has become an all-too-frequent cyber pandemic that presents an extinction-level threat to organizations unprepared for an attack. Families such as CryptoLocker, CryptoWall, Locky, SamSam and MongoLock have been in the wild for years and continue to inflict damage. More recent families such as Ryuk, Maze, Sodinokibi (REvil), DoppelPaymer, Conti and Nefilim, along with a steady stream of unnamed variants, not only encrypt online data files but also delete Volume Shadow Copies and system restore points and encrypt any backups reachable from the compromised network. Data replicated to cloud storage can be rendered useless as well, because replication faithfully copies the encrypted versions. In a poorly designed environment this defeats automated restore and effectively knocks the datacenter back to square one.
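
The "destroy the recovery points first" step described above is visible in process-creation telemetry long before the first file is encrypted. The following is an added example (not part of the original page or of any Progent product) that scans constructed process-creation events for the built-in Windows commands ransomware uses to inhibit recovery (MITRE ATT&CK T1490) and escalates a host when several distinct techniques fire within a short window. The pipe-separated event format, host names, user names and the CORP domain are assumptions made for the example; in practice the fields come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled.

```python
# Added example (not from the original page): flag Windows process-creation
# events in which built-in tools are used to destroy recovery points before
# encryption, so that "restore from shadow copies / Windows Backup" is no
# longer an option (MITRE ATT&CK T1490, Inhibit System Recovery).
import re
from datetime import datetime

# Command lines that inhibit system recovery. The first matching pattern
# names the technique for the hit.
INHIBIT_RECOVERY_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

# Constructed sample events, not real telemetry. Assumed format for this
# example: timestamp|host|user|parent image|command line. Hosts, users and
# the CORP domain are made up. Note the Saturday 02:14 timestamps.
SAMPLE_EVENTS = """\
2021-03-06T02:14:07Z|FILESRV01|NT AUTHORITY\\SYSTEM|services.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs
2021-03-06T02:14:09Z|FILESRV01|CORP\\svc_backup|cmd.exe|vssadmin.exe Delete Shadows /All /Quiet
2021-03-06T02:14:09Z|FILESRV01|CORP\\svc_backup|cmd.exe|vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2021-03-06T02:14:10Z|FILESRV01|CORP\\svc_backup|cmd.exe|wmic.exe shadowcopy delete
2021-03-06T02:14:11Z|FILESRV01|CORP\\svc_backup|cmd.exe|bcdedit /set {default} recoveryenabled No
2021-03-06T02:14:11Z|FILESRV01|CORP\\svc_backup|cmd.exe|wbadmin DELETE CATALOG -quiet
2021-03-06T09:30:00Z|WKS-ACCT07|CORP\\jdoe|explorer.exe|"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
2021-03-06T10:02:45Z|FILESRV02|CORP\\admin.ops|powershell.exe|vssadmin.exe list shadows /for=D:
"""


def parse_event(line: str) -> dict:
    """Split one pipe-separated event; the command line may itself contain '|'."""
    ts, host, user, parent, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def detect_inhibit_recovery(lines):
    """Return one hit per event whose command line matches a T1490 pattern."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        event = parse_event(line)
        for technique, pattern in INHIBIT_RECOVERY_PATTERNS:
            if pattern.search(event["cmdline"]):
                hits.append({**event, "technique": technique})
                break
    return hits


def escalate_hosts(hits, window_seconds=300, min_techniques=2):
    """Escalate hosts where several distinct recovery-inhibiting techniques fire
    within a short window. A single 'vssadmin delete shadows' can be an admin
    freeing disk; a burst of them is pre-encryption staging.
    Returns {host: sorted technique names}."""
    by_host = {}
    for hit in hits:
        by_host.setdefault(hit["host"], []).append(hit)
    escalated = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            in_window = {e["technique"] for e in events[i:]
                         if (e["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(in_window) >= min_techniques:
                escalated[host] = sorted(in_window)
                break
    return escalated


if __name__ == "__main__":
    found = detect_inhibit_recovery(SAMPLE_EVENTS.splitlines())
    for hit in found:
        print(f"{hit['ts'].isoformat()} {hit['host']} {hit['user']}: "
              f"{hit['technique']} <- {hit['cmdline']}")
    for host, techniques in escalate_hosts(found).items():
        print(f"ESCALATE {host}: {len(techniques)} recovery-inhibiting techniques within 5 minutes")
```

The read-only `vssadmin list shadows` line is deliberately left unmatched: alerting on every vssadmin invocation trains operators to ignore the alert. The per-host burst logic is what turns a noisy single-command rule into something an on-call responder can act on at 2 a.m. on a Saturday.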

Recovering applications and data after a ransomware event is a race against the clock: the targeted organization must stop the spread, eradicate the ransomware and resume business-critical activity all at once. Because encrypting an entire estate takes time, attackers typically trigger the final stage on weekends and holidays, when detection and response take longer. This compounds the difficulty of rapidly assembling and organizing an experienced response team.

Progent offers a range of services for protecting organizations from crypto-ransomware. These include staff training to recognize and avoid phishing, ProSight Active Security Monitoring for remote monitoring and management, and deployment of SentinelOne's machine-learning based endpoint protection to detect and quarantine zero-day threats. Progent also offers veteran ransomware recovery consultants with the skills and persistence to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Help
After a ransomware attack, paying the ransom in cryptocurrency does not guarantee that the remote criminals will deliver working keys to decrypt all your data. Kaspersky found that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The ransom itself is costly: Ryuk demands frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), well above the average ransomware demand, which ZDNet put at approximately $13,000. The alternative is to rebuild the mission-critical components of your IT environment. Without complete, intact backups, this calls for a broad range of IT skills, top-notch project management, and the capacity to work around the clock until the job is done.

For two decades, Progent has provided certified IT services to companies in Jersey City and throughout the United States and has earned Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes engineers with advanced certifications in foundation technologies from Microsoft, Cisco and VMware and in the major Linux distributions. Progent's security consultants hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has expertise in financial management and ERP applications. This breadth of experience lets Progent quickly identify the critical systems after a ransomware attack, recover them, and reintegrate the remaining parts of your environment into an operational network.

Progent's ransomware team uses best-of-breed project management tools to coordinate the complex restoration process. Progent understands the importance of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and get critical systems back online as soon as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Response
A customer contacted Progent after their organization was hit by Ryuk ransomware. Ryuk was initially attributed to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, but later analysis ties it to Russian-speaking criminal operators. Ryuk targets specific organizations with little capacity to absorb disruption and is one of the most lucrative ransomware families. Prominent victims include Data Resolution, a California-based data warehousing and cloud hosting company, and Tribune Publishing, publisher of the Chicago Tribune. Progent's client is a mid-sized manufacturer based in Chicago with around 500 employees. The Ryuk intrusion had frozen all essential business and manufacturing operations. Most of the client's backups had been online when the attack began and were encrypted along with production data. The client considered paying the ransom (in excess of $200,000) and hoping for the best, but ultimately turned to Progent.


"I cannot say enough in regard to the help Progent provided us throughout the most stressful period of (our) business's life. We might have had to pay the criminal gangs if not for the confidence the Progent team gave us. That you could get our messaging and production servers back in less than 1 week was earth-shattering. Every single expert I worked with or e-mailed at Progent was hell-bent on getting us restored and was working at breakneck pace on our behalf."

Progent worked hand in hand with the customer to rapidly assess and prioritize the mission-critical systems that had to be restored to continue company operations:

  • Active Directory (AD)
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software

To start, Progent followed ransomware incident response best practice: contain the incident by halting lateral movement, then isolate and clean infected systems. Progent then began restoring Windows Active Directory, the foundation of enterprise networks built on Windows Server. Exchange will not function without Active Directory, and the customer's accounting and MRP software relied on SQL Server with Windows-integrated (AD) authentication for database access, so nothing else could come back until AD did.

In less than two days, Progent recovered Windows Active Directory to its pre-attack state. Progent then completed setup and disk recovery for the critical applications. The Exchange schema and configuration held in AD were intact, which accelerated the Exchange restore. Progent was also able to locate local OST files (Outlook Offline Data Files) on various PCs to recover mail data. A recent offline backup of the manufacturing software allowed these essential applications to be brought back for users. Although much work remained to recover fully from the Ryuk damage, core services were restored rapidly:
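
The recovery above hinged on one question: which backup copies were still trustworthy? The online backups had been encrypted and only an offline copy of the manufacturing software was usable. The following is an added example (not part of the original page or of Progent's tooling) of the triage a responder runs against a candidate backup set before restoring from it: look for the ransomware's known artifacts, and flag files whose byte entropy says "encrypted" even though they kept their names. The indicator values assume Ryuk's publicly reported behaviour (files renamed with a .RYK extension, ransom note RyukReadMe.txt or RyukReadMe.html); the entropy threshold is a tuning choice, and the sample backup tree is constructed in a temporary directory for the demonstration.

```python
# Added example (not from the original page): triage a candidate backup set
# before trusting it for a restore. Backups that were online during the attack
# were encrypted along with production data; only an offline copy was usable.
# Two checks: known ransomware artifacts (renamed files and ransom notes) and
# byte entropy, which separates encrypted blobs from the compressible contents
# of documents, databases and mail archives.
import math
import os
import tempfile
from collections import Counter

# Indicator assumptions for this example: Ryuk appends ".RYK" to encrypted
# files and drops "RyukReadMe.txt" / "RyukReadMe.html" (public reporting).
# Swap in the indicators for the family you are actually dealing with.
RANSOM_EXTENSIONS = {".ryk"}
RANSOM_NOTES = {"ryukreadme.txt", "ryukreadme.html"}
ENTROPY_THRESHOLD = 7.5   # bits per byte (tuning choice); random/encrypted data sits near 7.99
SAMPLE_BYTES = 65536      # entropy is computed on the first 64 KiB of each file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> str:
    """'encrypted' = known ransomware artifact; 'review' = high entropy with no
    artifact (ransomware that kept file names, or a legitimately compressed or
    encrypted archive, so a human decides); 'clean' otherwise."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if name in RANSOM_NOTES or ext in RANSOM_EXTENSIONS:
        return "encrypted"
    with open(path, "rb") as f:
        sample = f.read(SAMPLE_BYTES)
    # Very small files give unreliable entropy estimates; skip them.
    if len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
        return "review"
    return "clean"


def triage_backup(root: str) -> dict:
    """Walk a backup tree and report counts, flagged files and a usability verdict."""
    counts = Counter()
    flagged = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            verdict = classify_file(path)
            counts[verdict] += 1
            if verdict != "clean":
                flagged.append((os.path.relpath(path, root), verdict))
    # Any known artifact means the set was written after the attack began:
    # do not restore from it without an earlier, offline copy.
    return {"counts": dict(counts), "flagged": sorted(flagged),
            "usable": counts["encrypted"] == 0}


def build_sample_set(root: str) -> None:
    """Constructed backup tree for the demonstration (not real customer data)."""
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "mrp"))
    with open(os.path.join(root, "finance", "ledger-2021Q1.csv"), "w") as f:
        f.write("date,account,amount\n")
        f.writelines(f"2021-01-{d:02d},4010,{d * 125}.00\n" for d in range(1, 29))
    with open(os.path.join(root, "mrp", "bom.xml.RYK"), "wb") as f:
        f.write(os.urandom(4096))              # renamed and encrypted
    with open(os.path.join(root, "mrp", "RyukReadMe.txt"), "w") as f:
        f.write("placeholder for the demonstration, not a real note\n")
    with open(os.path.join(root, "finance", "vendors.db"), "wb") as f:
        f.write(os.urandom(4096))              # encrypted in place, name kept


def run_demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_set(root)
        return triage_backup(root)


if __name__ == "__main__":
    report = run_demo()
    for rel, verdict in report["flagged"]:
        print(f"{verdict:9s} {rel}")
    print("counts:", report["counts"], "usable for restore:", report["usable"])
```

The `review` verdict is deliberately not treated as proof of compromise: compressed archives, VM disk images with encrypted guests and legitimately encrypted databases all read as high entropy. What makes a backup set unusable is evidence it was written after the attack began, and the only sets guaranteed to pass are the ones the attacker could not reach.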


"For the most part, the manufacturing operation was never shut down and we produced all customer orders."

Over the following month, key milestones in the recovery project were reached in close cooperation between Progent engineers and the customer:

  • Self-hosted web applications were brought back up without losing any data.
  • The MailStore Server archive, holding more than 4 million messages, was restored to operation and made available to users.
  • CRM, product ordering, invoicing, accounts payable, accounts receivable (AR) and inventory capabilities were fully restored.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Nearly all desktop computers were back in use by staff.

"Much of what transpired in the early hours is mostly a fog for me, but our team will not forget the care each of you put in to give us our company back. I have trusted Progent for at least 10 years, maybe more, and every time Progent has outperformed my expectations and delivered. This event was a life saver."

Conclusion
A potential business-ending disaster was averted by dedicated experts, a broad range of IT skills, and close collaboration. In hindsight, the attack described here could have been blunted by up-to-date security tooling, NIST Cybersecurity Framework practices, staff education, well-thought-out incident response procedures, backups kept out of the attacker's reach, and timely patching. Nonetheless, the reality remains that ransomware operators, criminal and state-sponsored, in Russia, China and elsewhere are tireless and are not going away. If you are hit by a ransomware incident, remember that Progent's roster of professionals has a proven track record in ransomware prevention, remediation, and information systems recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were contributing), thanks very much for letting me get some sleep after we got over the initial fire. Everyone did an amazing job, and if anyone that helped is visiting the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer story, click:
Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Jersey City a portfolio of remote monitoring and security assessment services designed to reduce your exposure to crypto-ransomware. These services include machine-learning based detection of zero-day ransomware variants that evade traditional signature-based anti-virus.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that uses SentinelOne's next-generation behavioral analysis to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which routinely escape traditional signature-based AV tools. ProSight ASM protects on-premises and cloud-based resources and provides a unified platform to automate the full threat lifecycle: protection, detection, containment, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (rollback only works if the shadow copies survive, so the agent must block the shadow-copy deletion that most ransomware attempts before encrypting) and real-time network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Find out more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) managed services offer affordable in-depth protection for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics to continuously monitor and react to security threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge technologies packaged in one agent managed from a single console. Progent's data protection and virtualization experts can help you design and configure a ProSight ESP deployment that meets your company's requirements and helps you achieve and demonstrate compliance with legal and industry data security standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that call for immediate action. Progent can also help you set up and verify a backup and disaster recovery system such as ProSight Data Protection Services so you can recover rapidly from a destructive attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup/restore technology companies to produce ProSight Data Protection Services (DPS), a portfolio of managed plans that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup processes and enable transparent backup and rapid recovery of critical files/folders, applications, system images, and virtual machines. ProSight DPS helps your business avoid data loss from equipment failure, natural disaster, fire, cyber attacks such as ransomware, user error, malicious insiders, or software bugs. As the case study above shows, backups that remain reachable from the production network with production credentials get encrypted along with everything else, so the design should keep at least one copy offline or otherwise unwritable from the network and should exercise restores regularly. Managed backup services in the ProSight DPS family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent service representative can help you determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the technology of leading data security vendors to deliver web-based control and comprehensive security for your inbound and outbound email. Email Guard's architecture combines cloud-based filtering with a local security gateway appliance to defend against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's Cloud Protection Layer acts as a first barrier and blocks the vast majority of threats before they reach your network firewall, which reduces your exposure to inbound threats and saves network bandwidth and storage. Email Guard's onsite gateway device adds a further level of analysis for incoming email. For outbound email, the local gateway provides anti-virus and anti-spam protection, data leak prevention, and email encryption. The local security gateway can also help Microsoft Exchange Server monitor and protect internal email that never leaves your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map, monitor, enhance and debug their connectivity appliances like switches, firewalls, and access points plus servers, client computers and other devices. Incorporating state-of-the-art RMM technology, ProSight WAN Watch ensures that infrastructure topology maps are always current, captures and displays the configuration of almost all devices connected to your network, monitors performance, and generates alerts when issues are detected. By automating time-consuming management activities, WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, finding devices that require important updates, or identifying the cause of performance issues. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) technology to keep your IT system operating at peak levels by checking the state of vital assets that power your business network. When ProSight LAN Watch uncovers a problem, an alert is sent immediately to your designated IT management staff and your assigned Progent engineering consultant so that all looming issues can be addressed before they have a chance to impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host configured and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be moved easily to alternate hardware without a time-consuming and difficult reinstallation. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and protect data about your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted to upcoming expirations of SSL/TLS certificates or warranties. By cleaning up and organizing your IT infrastructure documentation, you can cut in half the time wasted hunting for vital information about your network. ProSight IT Asset Management provides a common location for holding and sharing all documents required for managing your business network, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you are making enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require when you need it. Read more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that uses behavioral machine-learning technology to guard endpoint devices, servers and VMs against modern malware attacks like ransomware and file-less exploits, which easily get past legacy signature-based AV tools. The service protects on-premises and cloud-based resources and offers a single platform to automate the entire threat lifecycle: blocking, detection, containment, remediation, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Help Center: Support Desk Managed Services
    Progent's Support Center services allow your IT team to outsource Help Desk services to Progent or divide responsibilities for support services seamlessly between your internal network support staff and Progent's extensive pool of certified IT service engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a smooth supplement to your corporate support resources. Client access to the Help Desk, delivery of support, problem escalation, trouble ticket generation and updates, performance metrics, and maintenance of the support database are cohesive regardless of whether issues are taken care of by your in-house support resources, by Progent, or by a combination. Read more about Progent's outsourced/co-managed Help Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for patch management provide businesses of all sizes a flexible and affordable solution for evaluating, testing, scheduling, applying, and documenting updates to your ever-evolving IT network. Besides optimizing the protection and functionality of your IT network, Progent's patch management services permit your in-house IT team to focus on line-of-business projects and tasks that deliver the highest business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA service plans incorporate Cisco's Duo technology to defend against compromised passwords through two-factor authentication. Duo enables one-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign in to a protected account and enter your password, you are asked to confirm who you are on a device that only you possess and that is reached over a separate channel, so a stolen password alone is not enough to log in. A broad selection of devices can serve as this second factor, such as a smartphone or watch, a hardware or software token, or a landline phone, and you can enroll several verification devices. For details about Duo identity verification services, visit Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of in-depth management reporting tools designed to work with the leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like spotty support follow-through or machines with missing patches. By exposing ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring applications.
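
The ProSight Duo bullet above describes the second factor as something you hold that is checked over a separate channel. Duo's push approval is proprietary, but the "hardware or software token" option it mentions is ordinarily a standard one-time code. The following is an added example (not part of the original page and not Duo's or Cisco's code) implementing that mechanism as specified in RFC 6238 (TOTP, built on RFC 4226 HOTP), plus the two verifier details that matter in practice: a small tolerance window for clock drift, and refusing to accept a code for a time step that has already been consumed. The shared secret and timestamps are the RFC 6238 test vectors, so the outputs can be checked against the standard.

```python
# Added example (not from the original page; not Duo's code): RFC 6238 TOTP,
# the mechanism behind token-based second factors. Token and verifier derive
# a short code from a shared secret and the current 30-second time step.
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                    # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits, digestmod)


class TotpVerifier:
    """Server-side check with drift tolerance and single-use enforcement."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self._last_accepted_step = -1          # highest time step already consumed

    def verify(self, code: str, now=None) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        now = int(time.time()) if now is None else now
        current = now // self.step
        # Accept the current step and `skew` steps either side for clock drift.
        for delta in range(-self.skew, self.skew + 1):
            step = current + delta
            if step <= self._last_accepted_step:
                continue                       # already used: treat as replay
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self._last_accepted_step = step
                return True
        return False


RFC6238_SEED = b"12345678901234567890"          # shared secret from the RFC test vectors

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC6238_SEED, t, digits=8))
    verifier = TotpVerifier(RFC6238_SEED, digits=8)
    first = verifier.verify("94287082", now=59)
    again = verifier.verify("94287082", now=59)
    print("accepted:", first, "replay accepted:", again)
```

Two points the code makes that the bullet does not: the code is only as secret as the seed, so the seed store on the verifier is a high-value target in its own right; and without the single-use check a phished code remains valid for the whole tolerance window, which is exactly the gap real-time phishing kits exploit.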

For 24x7 Jersey City CryptoLocker and ransomware recovery experts, call Progent at 800-462-8800 or go to Contact Progent.