Ransomware: Your Crippling IT Nightmare
Ransomware has become a modern cyber pandemic that poses an enterprise-level danger to businesses unprepared for an attack. Long-running families such as Dharma, CryptoWall, Bad Rabbit, SamSam and MongoLock have been active for years and still inflict damage. Newer crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with a steady stream of as yet unnamed strains, not only encrypts files on every system it can reach but also disables or evades most of the protection mechanisms those systems rely on. Files replicated to the cloud can be encrypted as well. With a poorly designed data protection solution, an attack can make automatic recovery impossible and effectively set the datacenter back to square one.
Getting services and data back after a crypto-ransomware intrusion becomes a race against time as the targeted business fights to stop the spread, clean up the ransomware, and restore business-critical activity. Because ransomware needs time to move laterally, intrusions are frequently launched at night or on weekends, when they typically take longer to notice. This multiplies the difficulty of promptly mobilizing and coordinating a knowledgeable response team.
Progent offers a range of services for protecting enterprises from ransomware incidents. These include staff training to recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote endpoint monitoring and management, and the setup and configuration of modern AI-based security products from SentinelOne to identify and block zero-day attacks automatically. Progent can also provide expert ransomware recovery consultants with the track record and commitment to rebuild a breached system as rapidly as possible.
Progent's Crypto-Ransomware Recovery Services
After a ransomware incident, paying the ransom in Bitcoin does not guarantee that the attackers will provide the keys needed to decrypt any or all of your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their data after paying, compounding their losses. Paying is also expensive: Ryuk ransoms frequently range from fifteen to forty BTC (roughly $120,000 to $400,000), far above the typical ransomware demand, which ZDNet put at approximately $13,000. The alternative is to piece the mission-critical elements of your IT environment back together. Without complete backups, this requires a broad range of skills, well-coordinated project management, and the capacity to work around the clock until the job is done.
For twenty years, Progent has provided professional IT services to companies in Raleigh and across the U.S. and has earned Microsoft Gold Partner status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers with top industry certifications in key technologies including Microsoft, Cisco, VMware, and popular Linux distributions. Progent's security specialists hold internationally recognized certifications including CISM, CISSP, CRISC, and GIAC (see Progent's certifications). Progent also has expertise in accounting and ERP applications. This breadth of experience allows Progent to quickly understand the systems involved, reorganize the surviving components of your network after a crypto-ransomware attack, and bring them back up as a working environment.
Progent's recovery team uses state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the importance of working quickly and in unison with the customer's management and IT staff to prioritize tasks and get critical systems back online as fast as possible.
Case Study: A Successful Ransomware Penetration Response
A business escalated to Progent after its network was brought down by the Ryuk ransomware. Early analyses attributed Ryuk to North Korean state-sponsored actors because of code it shares with the Hermes ransomware, and suggested it may reuse techniques leaked from the U.S. National Security Agency; later research tied its operators to a Russian-speaking criminal group. Ryuk targets organizations with little tolerance for downtime and is among the most profitable families of crypto-ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with around 500 employees. The Ryuk intrusion had paralyzed all company operations and manufacturing. Most of the client's backups had been online when the attack began and were eventually encrypted along with everything else. The client considered paying the ransom (more than $200,000) and hoping for the best, but ultimately brought in Progent.
"I cannot tell you enough in regards to the expertise Progent gave us during the most fearful time of (our) business's existence. We would have paid the criminal gangs if it wasn't for the confidence the Progent group provided us. The fact that you were able to get our messaging and production applications back on-line faster than seven days was incredible. Each staff member I got help from or e-mailed at Progent was laser focused on getting us back online and was working 24 by 7 on our behalf."
Progent worked hand in hand with the client to quickly understand and prioritize the most important applications that had to be recovered before departmental operations could resume:
- Microsoft Active Directory
- Microsoft Exchange
First, Progent followed industry best practices for malware incident response by stopping the spread and cleaning up infected systems. Progent then began rebuilding Microsoft Active Directory, the core of any environment built on Windows Server. Microsoft Exchange Server will not run without Active Directory, and the customer's accounting and MRP software relied on Microsoft SQL Server, which in this environment depended on Active Directory authentication for access to the data.
Within 48 hours, Progent had restored Active Directory to its pre-attack state, then began rebuilding and recovering storage on the mission-critical servers. All Exchange Server data and configuration were intact, which accelerated the Exchange rebuild. Progent was also able to collect intact OST files (Outlook Offline Data Files) from staff desktops to recover mailbox contents. A reasonably recent offline backup of the business's accounting system made it possible to bring those vital applications back online. Although a great deal of work remained to recover fully from Ryuk, the essential services were restored quickly:
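The OST recovery step above depends on knowing which cached mailbox files on the desktops are still intact before anyone spends time copying them. The following PowerShell script is an added example, not Progent's tooling or anything from the case study: it walks a list of workstations over the administrative share, finds Outlook OST files (including ones a ransomware strain may have renamed by appending its own extension), and checks whether each still begins with the PST/OST file signature "!BDN"; a file that fails that check has been overwritten or encrypted and is not worth collecting. The hostnames and report path are assumed placeholders. Keep in mind that an OST holds only what that particular Outlook client had synchronized, so it may not contain the whole mailbox.

```powershell
# Added example, not tooling from the case study: inventory Outlook OST files
# on remote workstations and flag the ones whose header no longer matches the
# PST/OST file signature. Computer names and the report path are placeholders.
param(
    [string[]]$Computers = @('WS-ACCT01', 'WS-ACCT02'),   # assumed hostnames
    [string]$Report = '.\ost-triage.csv'
)

function Test-OstSignature {
    param([Parameter(Mandatory)][string]$Path)
    # Every PST/OST file starts with the four ASCII bytes "!BDN"
    # (dwMagic = 0x4E444221 stored little-endian).
    $expected = [byte[]](0x21, 0x42, 0x44, 0x4E)
    try {
        # FileShare.ReadWrite lets us read the header even if Outlook still holds the file open.
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::ReadWrite)
        try {
            $buf = New-Object byte[] 4
            if ($fs.Read($buf, 0, 4) -lt 4) { return $false }
            for ($i = 0; $i -lt 4; $i++) {
                if ($buf[$i] -ne $expected[$i]) { return $false }
            }
            return $true
        } finally {
            $fs.Dispose()
        }
    } catch {
        Write-Warning "Cannot read $Path : $($_.Exception.Message)"
        return $false
    }
}

$results = foreach ($pc in $Computers) {
    if (-not (Test-Path "\\$pc\C$")) {
        Write-Warning "$pc is unreachable or the admin share is disabled"
        continue
    }
    $outlookDirs = "\\$pc\C$\Users\*\AppData\Local\Microsoft\Outlook"
    # -Force is needed because AppData is a hidden folder; the *.ost* filter also
    # catches files that ransomware renamed by appending its own extension.
    Get-ChildItem -Path $outlookDirs -Filter '*.ost*' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Computer     = $pc
                Path         = $_.FullName
                SizeMB       = [math]::Round($_.Length / 1MB, 1)
                LastWriteUtc = $_.LastWriteTimeUtc
                IntactHeader = Test-OstSignature -Path $_.FullName
            }
        }
}

# Intact files first, largest first, so the most valuable copies are made early.
$results |
    Sort-Object -Property IntactHeader, SizeMB -Descending |
    Export-Csv -Path $Report -NoTypeInformation

$results | Where-Object { -not $_.IntactHeader } |
    ForEach-Object { Write-Warning "Damaged or encrypted: $($_.Path)" }

Write-Host ("{0} OST files found, {1} with an intact header; report written to {2}" -f
    @($results).Count, @($results | Where-Object IntactHeader).Count, $Report)
```

Run it from an account with local administrator rights on the target workstations, and copy the surviving files with Outlook closed on the source machine. An orphaned OST is tied to the profile that created it and generally has to be exported or converted before its contents can be imported into a rebuilt mailbox, which is why the inventory records size and last-write time: that lets the recovery team decide which files justify the effort first.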
"For the most part, the production line operation ran fairly normal throughout and we delivered all customer deliverables."
Over the following month, key milestones in the restoration were reached through close cooperation between Progent's consultants and the client:
- In-house web applications were restored without losing any information.
- The MailStore email archive, holding more than four million historical emails, was brought back online and made accessible to users.
- CRM/Product Ordering/Invoices/Accounts Payable/AR/Inventory Control functions were 100 percent functional.
- A new Palo Alto Networks PA-850 firewall was deployed.
- Most of the user desktops and notebooks were operational.
"A lot of what transpired those first few days is nearly entirely a fog for me, but we will not soon forget the countless hours each and every one of your team accomplished to give us our company back. I've been working together with Progent for at least 10 years, maybe more, and each time Progent has impressed me and delivered as promised. This situation was a life saver."
A potentially business-ending disaster was averted by dedicated professionals, a wide spectrum of expertise, and close teamwork. In hindsight, the incident described here could have been detected and stopped with modern security technology, staff training, and properly executed procedures for data protection and security patching. The fact remains that state-sponsored and criminal cyber gangs based in China, Russia, North Korea and elsewhere are relentless and will keep attacking. If you do fall victim to ransomware, remember that Progent's roster of professionals has a proven track record in crypto-ransomware defense, cleanup, and systems recovery.
"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thank you for allowing me to get some sleep after we got over the first week. All of you did an incredible job, and if any of your guys is around the Chicago area, dinner is my treat!"
To review or download a PDF version of this case study, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).
Additional Ransomware Protection Services Offered by Progent
Progent offers businesses in Raleigh a range of remote monitoring and security assessment services designed to help you to reduce your vulnerability to ransomware. These services include next-generation AI capability to uncover zero-day strains of crypto-ransomware that can evade traditional signature-based anti-virus products.
For Raleigh 24/7/365 Ransomware Repair Services, reach out to Progent at 800-462-8800 or go to Contact Progent.
- ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
ProSight Active Security Monitoring (ASM) is an endpoint protection platform (EPP) that uses SentinelOne's behavior-based analysis to protect physical and virtual endpoints against modern malware such as ransomware and fileless attacks, which routinely evade traditional signature-based anti-virus products. ProSight Active Security Monitoring safeguards on-premises and cloud-based resources and offers a single platform to automate the entire malware attack lifecycle: filtering, intrusion detection, containment, cleanup, and forensics. Key capabilities include one-click rollback using Windows VSS shadow copies (which many ransomware strains attempt to delete before encrypting, so protecting them is part of the job) and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.
- ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
Progent's ProSight Enhanced Security Protection (ESP) services offer affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and machine learning to continuously monitor and respond to threats from all vectors. ProSight ESP provides firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools combined in one agent and managed from a single console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP environment that addresses your organization's specific needs and helps you demonstrate compliance with government and industry data security standards. Progent will help you define and implement the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that call for urgent attention. Progent can also help you install and verify a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous cyber attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Exchange filtering.
- ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
Progent has partnered with leading backup/restore software companies to create ProSight Data Protection Services (DPS), a portfolio of subscription-based management offerings that provide backup-as-a-service. ProSight DPS products manage and track your data backup operations and allow non-disruptive backup and fast restoration of critical files, apps, images, plus VMs. ProSight DPS lets your business avoid data loss resulting from hardware failures, natural calamities, fire, malware like ransomware, human error, ill-intentioned insiders, or application bugs. Managed backup services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can assist you to identify which of these fully managed backup services are best suited for your network.
- ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
ProSight Email Guard is Progent's spam and virus filtering and email encryption service, which builds on the infrastructure of leading information security companies to deliver centralized control and world-class protection for your inbound and outbound email. Email Guard's architecture combines a Cloud Protection Layer with a local security gateway appliance to defend against spam, viruses, Denial of Service (DoS) attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter acts as the first barrier and stops most threats before they reach your network firewall, reducing your exposure to inbound attacks and saving network bandwidth and storage. The onsite gateway appliance adds a further level of inspection for incoming email. For outbound email, the onsite gateway provides anti-virus and anti-spam protection, DLP, and email encryption. The local gateway can also work with Exchange Server to monitor and protect internal email that originates and ends within your security perimeter. For more details, see ProSight Email Guard spam filtering and data leakage protection.
- ProSight WAN Watch: Infrastructure Management
ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for smaller organizations to diagram, monitor, optimize and troubleshoot their networking appliances like routers, firewalls, and load balancers as well as servers, client computers and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and manages the configuration of virtually all devices on your network, tracks performance, and generates notices when problems are discovered. By automating time-consuming management processes, ProSight WAN Watch can knock hours off common tasks like making network diagrams, reconfiguring your network, finding devices that need important updates, or resolving performance issues. Learn more details about ProSight WAN Watch infrastructure monitoring and management services.
- ProSight LAN Watch: Server and Desktop Monitoring
ProSight LAN Watch is Progent's server and desktop remote monitoring service that incorporates state-of-the-art remote monitoring and management technology to keep your IT system running at peak levels by tracking the state of vital computers that power your business network. When ProSight LAN Watch uncovers a problem, an alert is transmitted immediately to your specified IT staff and your assigned Progent consultant so any potential problems can be addressed before they have a chance to disrupt your network. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.
- ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure, fault-tolerant data center on a fast virtual machine host set up and managed by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the customer retains ownership of the data, the operating systems, and the applications. Because the environment is virtualized, it can be moved easily to a different hosting environment without a lengthy and difficult reinstallation. With ProSight Virtual Hosting, you are not tied to one hosting provider. Find out more about ProSight Virtual Hosting services.
- ProSight IT Asset Management: Network Documentation Management
ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to create, update, retrieve and protect information about your IT infrastructure, procedures, business applications, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and organizing your network documentation, you can save up to 50% of the time spent looking for critical information about your network. ProSight IT Asset Management includes a centralized repository for holding and collaborating on all documents related to managing your network, such as recommended procedures and self-service instructions. It also supports advanced automation for gathering and correlating IT data. Whether you're planning improvements, performing routine maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Learn more about ProSight IT Asset Management service.
- Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
Progent's Active Defense Against Ransomware is an endpoint protection solution that uses next-generation behavior-based analysis to guard endpoint devices, servers and VMs against modern malware such as ransomware and fileless attacks, which routinely evade traditional signature-based anti-virus products. The service safeguards on-premises and cloud resources and offers a unified platform to automate the entire malware attack lifecycle: protection, detection, mitigation, remediation, and forensics. Top features include one-click rollback using Windows VSS and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and cleanup services.
- Progent's Outsourced/Shared Service Center: Help Desk Managed Services
Progent's Support Center managed services allow your information technology team to offload Help Desk services to Progent or split responsibilities for Service Desk support transparently between your internal support staff and Progent's nationwide roster of IT service engineers and subject matter experts. Progent's Shared Help Desk Service provides a transparent supplement to your corporate IT support staff. End user interaction with the Help Desk, provision of support services, issue escalation, ticket generation and updates, performance measurement, and maintenance of the support database are cohesive whether issues are taken care of by your corporate network support staff, by Progent's team, or by a combination. Learn more about Progent's outsourced/shared Call Center services.
- Progent's Patch Management: Software/Firmware Update Management Services
Progent's support services for software and firmware patch management provide organizations of all sizes a flexible and affordable alternative for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information system. In addition to maximizing the security and reliability of your computer network, Progent's patch management services permit your in-house IT team to focus on line-of-business initiatives and tasks that derive the highest business value from your information network. Find out more about Progent's patch management support services.
- ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on (SSO)
Progent's Duo authentication managed services use Cisco's Duo cloud technology to protect against stolen passwords through two-factor authentication (2FA). Duo enables single-tap identity verification on iOS, Android, and other out-of-band devices. With 2FA, whenever you log into a protected account and enter your password you are asked to confirm your identity on a device that only you possess and that uses a separate network channel. A wide selection of devices can serve as this second factor, such as an iPhone, Android phone or watch, a hardware token, or a landline phone, and you may register multiple verification devices. To learn more about ProSight Duo two-factor authentication services, refer to Cisco Duo MFA two-factor authentication (2FA) services for access security.
- ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
ProSight Reporting is an expanding line of real-time management reporting utilities created to integrate with the leading ticketing and remote network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, reduces management hassle, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.