Ransomware : Your Crippling IT Disaster
Crypto-Ransomware  Remediation ConsultantsRansomware has become a modern cyberplague that represents an extinction-level threat for organizations unprepared for an assault. Different versions of ransomware like the Reveton, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been circulating for many years and still inflict destruction. Recent versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, plus frequent unnamed malware, not only do encryption of on-line critical data but also infect most accessible system backup. Data synchronized to off-site disaster recovery sites can also be ransomed. In a poorly designed data protection solution, it can make automatic restoration useless and basically sets the datacenter back to square one.

Getting back applications and information following a ransomware outage becomes a sprint against the clock as the targeted business tries its best to contain and cleanup the virus and to resume enterprise-critical activity. Because ransomware needs time to spread, penetrations are frequently sprung on weekends and holidays, when successful attacks typically take more time to discover. This multiplies the difficulty of rapidly assembling and organizing a knowledgeable mitigation team.

Progent has an assortment of help services for protecting enterprises from ransomware events. These include user training to help identify and not fall victim to phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security solutions with machine learning technology from SentinelOne to identify and quarantine new cyber threats rapidly. Progent also offers the assistance of experienced ransomware recovery consultants with the track record and perseverance to re-deploy a compromised network as soon as possible.

Progent's Ransomware Restoration Help
Following a ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that criminal gangs will respond with the needed codes to decrypt any or all of your files. Kaspersky ascertained that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well higher than the average crypto-ransomware demands, which ZDNET estimates to be around $13,000. The other path is to setup from scratch the mission-critical elements of your IT environment. Absent the availability of full data backups, this requires a broad range of skills, top notch team management, and the capability to work 24x7 until the task is done.

For two decades, Progent has made available certified expert IT services for companies in Salinas and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have been awarded high-level industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity engineers have garnered internationally-renowned industry certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of experience affords Progent the ability to quickly determine critical systems and organize the surviving pieces of your network environment after a ransomware attack and rebuild them into an operational network.

Progent's ransomware team uses powerful project management tools to orchestrate the complicated recovery process. Progent understands the importance of acting rapidly and together with a client's management and Information Technology team members to prioritize tasks and to get critical services back online as fast as humanly possible.

Customer Case Study: A Successful Ransomware Attack Restoration
A business escalated to Progent after their company was attacked by Ryuk ransomware. Ryuk is thought to have been developed by Northern Korean state sponsored criminal gangs, possibly adopting algorithms leaked from the U.S. NSA organization. Ryuk targets specific organizations with limited room for operational disruption and is one of the most lucrative examples of ransomware. Well Known targets include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in the Chicago metro area and has about 500 workers. The Ryuk intrusion had paralyzed all company operations and manufacturing capabilities. Most of the client's data protection had been directly accessible at the time of the intrusion and were encrypted. The client was actively seeking loans for paying the ransom (more than two hundred thousand dollars) and praying for good luck, but in the end engaged Progent.


"I can't speak enough in regards to the expertise Progent provided us throughout the most stressful period of (our) company's survival. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent group gave us. The fact that you were able to get our messaging and important servers back on-line quicker than seven days was amazing. Every single expert I spoke to or communicated with at Progent was hell bent on getting our system up and was working 24 by 7 on our behalf."

Progent worked together with the client to rapidly understand and assign priority to the mission critical elements that needed to be recovered in order to resume business operations:

  • Active Directory
  • Electronic Messaging
  • Financials/MRP
To get going, Progent followed Anti-virus incident response industry best practices by stopping lateral movement and removing active viruses. Progent then began the task of restoring Microsoft AD, the heart of enterprise networks built upon Microsoft technology. Microsoft Exchange Server messaging will not function without Active Directory, and the businesses' financials and MRP applications used SQL Server, which requires Active Directory for access to the information.

Within 48 hours, Progent was able to recover Active Directory services to its pre-attack state. Progent then charged ahead with reinstallations and hard drive recovery of needed applications. All Microsoft Exchange Server ties and attributes were intact, which facilitated the restore of Exchange. Progent was also able to collect local OST files (Outlook Off-Line Folder Files) on team desktop computers in order to recover mail messages. A recent off-line backup of the customer's accounting software made them able to restore these essential applications back on-line. Although major work needed to be completed to recover completely from the Ryuk attack, the most important services were returned to operations rapidly:


"For the most part, the production manufacturing operation was never shut down and we produced all customer deliverables."

During the following month critical milestones in the recovery project were made in close cooperation between Progent engineers and the customer:

  • In-house web applications were restored with no loss of information.
  • The MailStore Microsoft Exchange Server containing more than four million historical messages was spun up and available for users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent operational.
  • A new Palo Alto Networks 850 security appliance was installed.
  • Ninety percent of the desktops and laptops were back into operation.

"A huge amount of what was accomplished that first week is nearly entirely a fog for me, but my team will not forget the countless hours each of the team put in to help get our business back. I have utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has shined and delivered. This event was the most impressive ever."

Conclusion
A possible enterprise-killing catastrophe was dodged by top-tier experts, a wide spectrum of subject matter expertise, and tight collaboration. Although in hindsight the crypto-ransomware virus incident described here could have been identified and disabled with current cyber security systems and security best practices, user education, and well thought out incident response procedures for data backup and proper patching controls, the reality remains that state-sponsored hackers from Russia, China and elsewhere are tireless and are an ongoing threat. If you do fall victim to a crypto-ransomware penetration, feel confident that Progent's team of experts has extensive experience in ransomware virus blocking, cleanup, and data restoration.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), thank you for letting me get some sleep after we made it through the first week. Everyone did an amazing job, and if any of your team is around the Chicago area, dinner is on me!"

To review or download a PDF version of this customer story, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Salinas a range of online monitoring and security evaluation services to assist you to minimize the threat from crypto-ransomware. These services incorporate next-generation artificial intelligence capability to uncover new strains of crypto-ransomware that are able to get past traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's next generation behavior analysis tools to defend physical and virtual endpoint devices against modern malware attacks like ransomware and email phishing, which easily get by legacy signature-matching anti-virus tools. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to manage the complete malware attack progression including blocking, infiltration detection, containment, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver economical in-depth security for physical and virtual servers, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for continuously monitoring and responding to security threats from all attack vectors. ProSight ESP offers two-way firewall protection, penetration alarms, endpoint control, and web filtering via leading-edge technologies incorporated within a single agent managed from a unified control. Progent's data protection and virtualization experts can assist you to design and configure a ProSight ESP environment that addresses your organization's specific requirements and that helps you prove compliance with legal and industry data security standards. Progent will assist you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require urgent action. Progent can also help your company to set up and verify a backup and restore system like ProSight Data Protection Services (DPS) so you can recover rapidly from a potentially disastrous security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup/restore technology providers to create ProSight Data Protection Services, a family of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services manage and track your data backup operations and allow transparent backup and fast restoration of critical files/folders, apps, system images, and VMs. ProSight DPS lets you protect against data loss resulting from equipment failures, natural disasters, fire, cyber attacks like ransomware, human mistakes, malicious employees, or software glitches. Managed services in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built hardware, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to identify which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of leading data security companies to provide centralized management and world-class security for your email traffic. The powerful architecture of Email Guard combines cloud-based filtering with a local security gateway appliance to provide complete defense against spam, viruses, Dos Attacks, DHAs, and other email-borne malware. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from making it to your security perimeter. This reduces your exposure to inbound threats and saves system bandwidth and storage. Email Guard's on-premises security gateway device adds a further level of analysis for incoming email. For outgoing email, the onsite security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The local security gateway can also help Microsoft Exchange Server to monitor and protect internal email that stays within your security perimeter. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized organizations to map, track, optimize and troubleshoot their networking appliances like routers and switches, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that infrastructure topology maps are always current, captures and manages the configuration of virtually all devices connected to your network, tracks performance, and generates alerts when potential issues are discovered. By automating tedious network management processes, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, locating devices that require important updates, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management techniques to keep your IT system running efficiently by checking the health of vital assets that power your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT management personnel and your Progent consultant so that any potential issues can be resolved before they can impact your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual host set up and managed by Progent's network support experts. With the ProSight Virtual Hosting service model, the client owns the data, the operating system software, and the apps. Because the environment is virtualized, it can be ported easily to an alternate hosting solution without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, maintain, find and safeguard information about your network infrastructure, procedures, business apps, and services. You can quickly find passwords or IP addresses and be alerted about impending expirations of SSL certificates ,domains or warranties. By updating and managing your network documentation, you can eliminate up to 50% of time thrown away trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized location for storing and sharing all documents related to managing your network infrastructure such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT information. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need when you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that utilizes cutting edge behavior analysis technology to defend endpoint devices as well as servers and VMs against modern malware assaults like ransomware and email phishing, which easily escape legacy signature-based anti-virus tools. Progent Active Security Monitoring services protect on-premises and cloud-based resources and offers a single platform to automate the entire threat progression including blocking, detection, containment, remediation, and forensics. Key features include one-click rollback using Windows VSS and automatic network-wide immunization against new threats. Read more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Service Desk: Support Desk Managed Services
    Progent's Support Desk services permit your information technology team to outsource Help Desk services to Progent or split activity for Service Desk support seamlessly between your internal support resources and Progent's nationwide roster of certified IT support engineers and subject matter experts. Progent's Shared Help Desk Service provides a smooth extension of your corporate network support staff. User interaction with the Help Desk, provision of support, issue escalation, trouble ticket creation and tracking, efficiency measurement, and management of the service database are cohesive whether issues are taken care of by your in-house IT support organization, by Progent's team, or a mix of the two. Read more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management offer businesses of all sizes a versatile and cost-effective alternative for assessing, validating, scheduling, applying, and documenting software and firmware updates to your ever-evolving IT network. In addition to optimizing the security and reliability of your computer environment, Progent's patch management services allow your IT staff to concentrate on line-of-business initiatives and tasks that derive maximum business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo technology to defend against compromised passwords by using two-factor authentication (2FA). Duo enables single-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. Using Duo 2FA, when you log into a protected online account and enter your password you are requested to confirm who you are on a unit that only you possess and that is accessed using a different ("out-of-band") network channel. A broad selection of devices can be utilized as this second form of authentication such as a smartphone or wearable, a hardware token, a landline telephone, etc. You can register multiple validation devices. To find out more about ProSight Duo identity authentication services, refer to Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing line of in-depth management reporting tools created to integrate with the industry's leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues like inconsistent support follow-through or machines with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24/7 Salinas Crypto Removal Services, contact Progent at 800-462-8800 or go to Contact Progent.