Ransomware : Your Worst Information Technology Catastrophe
Ransomware Recovery Experts
Ransomware has become an all-too-frequent cyberplague that represents an enterprise-level threat for organizations unprepared for an attack. Multiple generations of crypto-ransomware such as CryptoLocker, CryptoWall and Bad Rabbit, along with related extortion malware such as MongoLock and Syskey-based lockouts, have been circulating for years and still inflict damage. The latest families, including Ryuk, Maze, Sodinokibi (REvil), Netwalker, LockBit and Egregor, plus many less publicized variants, not only encrypt online critical data but also delete or encrypt every system restore point and backup they can reach, typically by removing Volume Shadow Copies and backup catalogs before encryption begins. Data synchronized to the cloud can also be rendered useless, because the encrypted files are synced over the good copies. In a poorly designed environment this makes automated recovery useless and effectively sets the entire system back to square one.
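The mechanism described above, ransomware deleting every restore point it can reach before it starts encrypting, is also the one thing a defender can detect cheaply, because the cleanup runs as ordinary command lines that show up in process-creation logs. The following is an added example, not Progent's tooling and not part of the original page: it scans process-creation records for the commands ransomware families use to remove Volume Shadow Copies, backup catalogs and Windows boot recovery, and escalates a host where several of them fire within minutes. The log line layout, host names, user names and the command lines themselves are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pre-encryption commands that destroy local recovery points. Each pattern is a
# well-documented ransomware behavior; the list is illustrative, not exhaustive.
DESTRUCTIVE_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "vssadmin delete shadows"),
    (re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I), "vssadmin resize shadowstorage"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "wmic shadowcopy delete"),
    (re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I), "WMI Win32_ShadowCopy delete"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)", re.I), "wbadmin delete"),
    (re.compile(r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
     "bcdedit disable recovery"),
]

# One record per line: timestamp, host, user, pid, image, quoted command line.
# This layout is an assumption for the example, not a real product's export format.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+pid=(?P<pid>\d+)\s+'
    r'image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Constructed sample log. Lines 2-4 mimic a bulk cleanup on a file server seconds
# before encryption; line 5 is a legitimate backup job and must not fire.
SAMPLE_LOG = """\
2023-02-18T02:14:07Z host=FS01 user=CORP\\svc_backup pid=4412 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"
2023-02-18T02:14:09Z host=FS01 user=CORP\\svc_backup pid=4420 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"
2023-02-18T02:14:11Z host=FS01 user=CORP\\svc_backup pid=4431 image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"
2023-02-18T02:14:12Z host=FS01 user=CORP\\svc_backup pid=4437 image=C:\\Windows\\System32\\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled no"
2023-02-18T02:30:00Z host=BK02 user=CORP\\backupadmin pid=812 image=C:\\Windows\\System32\\wbadmin.exe cmd="wbadmin start backup -backupTarget:E: -include:C: -quiet"
2023-02-18T03:02:45Z host=WS07 user=CORP\\jdoe pid=5120 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="powershell.exe -c Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}"
"""


def parse_line(line):
    """Parse one record; return a dict, or None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def classify(cmd):
    """Name the first destructive technique the command line matches, else None."""
    for pattern, name in DESTRUCTIVE_PATTERNS:
        if pattern.search(cmd):
            return name
    return None


def find_recovery_destruction(log_text):
    """Return every record whose command line destroys a recovery point."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        technique = classify(rec["cmd"])
        if technique is not None:
            hits.append({"ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                         "technique": technique, "cmd": rec["cmd"]})
    return hits


def escalate(hits, window=timedelta(minutes=10)):
    """Per host: 'critical' when two or more distinct techniques fire within `window`
    (the bulk cleanup ransomware runs right before encrypting), otherwise 'high'.
    A lone vssadmin call can be an administrator; a burst of them is not."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    verdict = {}
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h["ts"])
        level = "high"
        for i, first in enumerate(host_hits):
            techniques = {h["technique"] for h in host_hits[i:]
                          if h["ts"] - first["ts"] <= window}
            if len(techniques) >= 2:
                level = "critical"
                break
        verdict[host] = level
    return verdict


if __name__ == "__main__":
    found = find_recovery_destruction(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts'].isoformat()} {h['host']} {h['user']}: {h['technique']} <- {h['cmd']}")
    print(escalate(found))
```

On the sample, FS01 is escalated to critical because three different cleanup techniques run within three seconds under the same service account, while the single PowerShell shadow-copy deletion on WS07 stays at high for an analyst to check. Feed it real Sysmon Event ID 1 or Windows 4688 command lines (with command-line auditing enabled) and alert on the critical verdict; by the time the encryption itself is noticed, the restore points are already gone.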

Getting applications and information back online after a ransomware event becomes a race against the clock as the victim tries to stop the spread, eradicate the ransomware and resume business-critical operations. Because encrypting an entire environment takes time, attacks are usually launched on weekends and at night, when staffing is thin and a successful intrusion often takes longer to notice. This multiplies the difficulty of quickly marshalling and orchestrating a capable response team.

Progent provides a range of services for protecting enterprises from ransomware intrusions. These include training staff to recognize and avoid phishing, ProSight Active Security Monitoring (ASM) for managed endpoint detection and response, and deployment of next-generation endpoint protection built on SentinelOne's behavioral AI to identify and quarantine new threats rapidly. Progent can also provide veteran ransomware recovery professionals with the skills and commitment to rebuild a breached environment as quickly as possible.

Progent's Ransomware Recovery Services
Soon after a crypto-ransomware attack, paying the ransom in Bitcoin does not ensure that the criminals will hand over working keys to decrypt any of your data. Kaspersky found that 17% of ransomware victims never recovered their files even after paying, compounding their losses. Paying is also expensive. Ryuk ransoms have often ranged from fifteen to forty BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at around $13,000. The alternative is to rebuild the mission-critical elements of your IT environment. Without usable backups of essential data, this calls for a wide complement of skills, well-coordinated team management, and the capacity to work non-stop until recovery is finished.

For two decades, Progent has provided expert IT services for companies in Jersey City and across the United States and holds Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes consultants holding top industry certifications in Microsoft, Cisco, VMware, and major Linux distributions. Progent's cybersecurity experts hold internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC (see Progent's certifications). Progent also has expertise in financial systems and ERP software. This breadth of experience lets Progent quickly understand the necessary systems, organize the surviving pieces of your IT environment after a crypto-ransomware intrusion, and configure them into a functioning system.

Progent's ransomware team uses best-of-breed project management tools to coordinate the complex recovery process. Progent understands the importance of working rapidly and in unison with a customer's management and IT staff to prioritize tasks and bring critical systems back online as fast as possible.

Client Story: A Successful Crypto-Ransomware Response
A business engaged Progent after its network was attacked by Ryuk ransomware. Early analysis tied Ryuk to North Korean state-sponsored actors because it shares code with the Hermes ransomware; later research attributes its operation to Russian-speaking criminal groups that deliver it through existing Trickbot and Emotet infections, usually seeded by phishing. Either way, Ryuk targets specific companies with little or no tolerance for operational disruption and is among the most lucrative ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer headquartered in the Chicago metro area with about 500 employees. The Ryuk intrusion had disabled all essential business and manufacturing operations. Most of the client's backups had been online when the intrusion began and were encrypted along with everything else. The client considered paying the ransom (more than $200,000) and hoping for the best, but ultimately reached out to Progent.


"I cannot say enough in regards to the help Progent provided us throughout the most fearful time of (our) business's survival. We most likely would have paid the Hackers except for the confidence the Progent experts gave us. The fact that you could get our e-mail system and critical applications back online faster than one week was something I thought impossible. Each expert I interacted with or communicated with at Progent was amazingly focused on getting us operational and was working 24 by 7 to bail us out."

Progent worked with the client to rapidly understand and prioritize the critical elements that had to be restored in order to continue business operations:

  • Windows Active Directory
  • Electronic Mail
  • MRP System
To begin, Progent followed ransomware incident response best practices by containing the spread and cleaning compromised systems before any rebuild, so that restored systems were not immediately re-encrypted. Progent then began restoring Active Directory, the heart of networks built on Windows Server. Exchange will not operate without AD, and the client's MRP system ran on Microsoft SQL Server configured to authenticate database access through Active Directory.

Within two days, Progent restored Active Directory to its pre-intrusion state. Progent then assisted with reinstallation and storage recovery of mission-critical systems. All Exchange Server objects and configuration information in AD were intact, which greatly simplified the Exchange restore. Progent located intact OST files (Outlook offline data files) on staff workstations and used them to recover mailbox contents. A relatively recent offline backup of the customer's accounting/MRP systems made it possible to return these essential applications to users. Although major work remained to recover completely from the Ryuk attack, critical services were restored quickly:


"For the most part, the assembly line operation never missed a beat and we produced all customer orders."

Throughout the next few weeks key milestones in the restoration process were accomplished through close cooperation between Progent team members and the client:

  • Self-hosted web sites were brought back up with no loss of data.
  • The MailStore email archive server, holding more than four million archived Exchange messages, was restored and made available to users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivable (AR)/Inventory Control modules were fully restored.
  • A new Palo Alto Networks PA-850 firewall was installed and configured.
  • Ninety percent of user workstations were back in use by staff.

"Much of what transpired in the initial days is nearly entirely a blur for me, but my management will not soon forget the countless hours all of your team put in to give us our business back. I have trusted Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered. This event was a stunning achievement."

Conclusion
A probable business-extinction event was averted by dedicated professionals, a broad spectrum of technical expertise, and close collaboration. In hindsight, the attack described here should have been detected and stopped by modern security tooling, ISO/IEC 27001-aligned practices, user training, and proper incident response procedures covering offline backups and patching. The reality, however, is that state-sponsored and criminal attackers based in China, Russia, North Korea and elsewhere are tireless and represent an ongoing threat. If you do fall victim to ransomware, Progent's team has proven experience in ransomware blocking, mitigation, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were helping), thank you for letting me get rested after we made it past the initial push. All of you did an impressive job, and if anyone that helped is visiting the Chicago area, a great meal is my treat!"

To review or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Jersey City a variety of online monitoring and security evaluation services to help you minimize your exposure to ransomware. These services include machine-learning-based detection intended to catch new ransomware variants that evade traditional signature-based security tools.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's behavior-based analysis technology to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely evade traditional signature-based anti-virus tools. ProSight ASM protects local and cloud-based resources and offers a unified platform to manage the complete threat lifecycle including protection, detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Because that rollback depends on the shadow copies surviving, the agent also has to stop the shadow-copy deletion that ransomware attempts before encrypting. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services offer affordable multi-layer security for physical servers and VMs, workstations, smartphones, and Microsoft Exchange. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and responding to security threats from all vectors. ProSight ESP offers firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge technologies incorporated within a single agent managed from a single console. Progent's security and virtualization consultants can help your business to design and configure a ProSight ESP deployment that addresses your organization's unique needs and that helps you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will help you define and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require urgent action. Progent can also help your company to install and verify a backup and restore system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup technology providers to produce ProSight Data Protection Services, a selection of subscription-based offerings that provide backup-as-a-service. ProSight DPS products automate and monitor your data backup processes and allow transparent backup and fast restoration of vital files, applications, system images, plus Hyper-V and VMware virtual machines. ProSight DPS lets you recover from data loss caused by equipment failures, natural disasters, fire, malware like ransomware, human error, malicious insiders, or application glitches. Managed backup services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to determine which of these managed services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading information security companies to deliver web-based control and world-class protection for all your inbound and outbound email. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with an on-premises gateway device to offer advanced protection against spam, viruses, denial-of-service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. The Cloud Protection Layer acts as a first line of defense and keeps most unwanted email from reaching your network firewall. This decreases your exposure to inbound threats and saves bandwidth and storage. Email Guard's on-premises gateway device adds a further level of inspection for inbound email. For outgoing email, the onsite gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local security gateway can also assist Microsoft Exchange Server in monitoring and safeguarding internal email that originates and ends inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and affordable for smaller businesses to map out, monitor, optimize and troubleshoot their networking hardware like routers, firewalls, and wireless controllers plus servers, client computers and other networked devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that network diagrams are kept current, copies and displays the configuration information of almost all devices on your network, tracks performance, and generates alerts when potential issues are discovered. By automating tedious management and troubleshooting processes, ProSight WAN Watch can knock hours off ordinary chores like network mapping, reconfiguring your network, locating devices that need critical updates, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management technology to help keep your IT system operating efficiently by tracking the health of vital assets that power your business network. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT management personnel and your assigned Progent engineering consultant so that any looming issues can be resolved before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be ported easily to an alternate hardware environment without a lengthy and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect information related to your network infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can eliminate as much as 50% of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a common repository for holding and sharing all documents related to managing your business network, such as standard operating procedures (SOPs) and how-to guides. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're making enhancements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that incorporates behavior-based analysis technology to guard workstations as well as physical and virtual servers against modern malware assaults like ransomware and email phishing, which routinely evade legacy signature-based AV products. The service protects local and cloud-based resources and provides a single platform to automate the entire threat lifecycle including blocking, intrusion detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Service Desk: Support Desk Managed Services
    Progent's Service Desk services allow your IT team to outsource Service Desk support to Progent entirely or to divide it seamlessly between your in-house network support staff and Progent's nationwide pool of IT support technicians, engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a seamless supplement to your corporate network support staff. User access to the Service Desk, delivery of support, problem escalation, trouble ticket generation and updates, efficiency metrics, and management of the service database are consistent regardless of whether issues are resolved by your internal support resources, by Progent, or both. Learn more about Progent's outsourced/co-managed Service Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management offer organizations of any size a flexible and cost-effective alternative for assessing, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT network. Besides optimizing the protection and functionality of your computer environment, Progent's patch management services permit your in-house IT staff to focus on more strategic projects and tasks that derive the highest business value from your information network. Find out more about Progent's software/firmware update management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA service plans use Cisco's Duo technology to protect accounts against stolen passwords through two-factor authentication (2FA). Duo enables single-tap identity confirmation on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you log into a protected account and enter your password, you are asked to confirm who you are on a device that only you possess and that uses a separate ("out-of-band") channel, so a phished or stolen password alone is not enough to log in. A wide range of devices can serve as this second factor, such as an iPhone, Android phone or wearable, a hardware token, or a landline telephone, and you may register multiple validation devices. To learn more about ProSight Duo identity authentication services, refer to Cisco Duo MFA two-factor authentication services.
For Jersey City 24/7/365 Crypto-Ransomware Remediation Consultants, call Progent at 800-462-8800 or go to Contact Progent.