Ransomware : Your Crippling Information Technology Nightmare
Ransomware  Recovery ProfessionalsRansomware has become a too-frequent cyber pandemic that represents an existential danger for organizations vulnerable to an attack. Different versions of ransomware such as Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock cryptoworms have been out in the wild for years and continue to inflict destruction. Modern versions of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, plus additional unnamed newcomers, not only encrypt on-line information but also infect many available system restores and backups. Information synchronized to the cloud can also be encrypted. In a poorly designed data protection solution, it can render automated restoration useless and basically knocks the datacenter back to square one.

Retrieving programs and information following a ransomware outage becomes a sprint against the clock as the targeted organization tries its best to contain and remove the ransomware and to restore enterprise-critical activity. Due to the fact that crypto-ransomware takes time to spread, attacks are often launched at night, when successful penetrations in many cases take longer to detect. This compounds the difficulty of quickly mobilizing and organizing a qualified response team.

Progent provides an assortment of solutions for protecting businesses from ransomware penetrations. These include user education to help recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus installation of modern security gateways with machine learning capabilities from SentinelOne to identify and extinguish zero-day cyber threats quickly. Progent also can provide the assistance of seasoned ransomware recovery professionals with the track record and perseverance to rebuild a breached network as rapidly as possible.

Progent's Ransomware Recovery Support Services
Subsequent to a crypto-ransomware event, sending the ransom demands in Bitcoin cryptocurrency does not ensure that cyber criminals will provide the needed keys to decrypt all your data. Kaspersky estimated that seventeen percent of crypto-ransomware victims never recovered their files even after having sent off the ransom, resulting in more losses. The risk is also very costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 and $400,000). This is well above the typical ransomware demands, which ZDNET determined to be in the range of $13,000. The alternative is to re-install the critical components of your Information Technology environment. Without access to complete data backups, this requires a wide complement of skill sets, professional team management, and the capability to work non-stop until the task is over.

For twenty years, Progent has provided professional IT services for companies in Salinas and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes professionals who have earned high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity engineers have earned internationally-renowned certifications including CISA, CISSP, CRISC, and GIAC. (See Progent's certifications). Progent in addition has expertise with financial management and ERP software solutions. This breadth of expertise affords Progent the ability to knowledgably identify necessary systems and organize the surviving pieces of your IT environment following a crypto-ransomware attack and assemble them into a functioning network.

Progent's security team uses state-of-the-art project management systems to coordinate the complicated recovery process. Progent knows the urgency of acting quickly and in unison with a client's management and IT resources to assign priority to tasks and to get essential systems back on-line as fast as possible.

Case Study: A Successful Crypto-Ransomware Virus Restoration
A business hired Progent after their network system was taken over by Ryuk ransomware. Ryuk is believed to have been launched by North Korean state sponsored hackers, suspected of using strategies leaked from the United States National Security Agency. Ryuk seeks specific companies with little ability to sustain disruption and is one of the most lucrative examples of ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturing business headquartered in Chicago with around 500 employees. The Ryuk attack had frozen all essential operations and manufacturing capabilities. Most of the client's system backups had been on-line at the beginning of the attack and were destroyed. The client was taking steps for paying the ransom (more than two hundred thousand dollars) and wishfully thinking for the best, but in the end utilized Progent.


"I cannot tell you enough in regards to the expertise Progent gave us during the most fearful time of (our) company's existence. We most likely would have paid the cyber criminals except for the confidence the Progent experts gave us. The fact that you could get our messaging and critical servers back on-line quicker than five days was beyond my wildest dreams. Each person I spoke to or e-mailed at Progent was laser focused on getting our company operational and was working at all hours on our behalf."

Progent worked hand in hand the customer to quickly get our arms around and assign priority to the essential services that needed to be addressed in order to restart departmental functions:

  • Active Directory
  • Email
  • Accounting and Manufacturing Software
To start, Progent adhered to Anti-virus event mitigation best practices by halting the spread and clearing infected systems. Progent then began the process of rebuilding Microsoft Active Directory, the key technology of enterprise environments built upon Microsoft Windows Server technology. Microsoft Exchange Server email will not work without AD, and the customer's MRP software leveraged Microsoft SQL, which requires Windows AD for security authorization to the databases.

Within 2 days, Progent was able to rebuild Active Directory services to its pre-penetration state. Progent then helped perform rebuilding and storage recovery of the most important systems. All Exchange Server data and attributes were intact, which accelerated the rebuild of Exchange. Progent was also able to collect non-encrypted OST data files (Outlook Off-Line Folder Files) on team desktop computers to recover email information. A recent off-line backup of the businesses financials/ERP systems made them able to return these required programs back on-line. Although major work was left to recover totally from the Ryuk damage, essential systems were recovered rapidly:


"For the most part, the production manufacturing operation showed little impact and we produced all customer shipments."

Throughout the following few weeks key milestones in the recovery project were accomplished in tight cooperation between Progent engineers and the client:

  • In-house web sites were restored without losing any information.
  • The MailStore Server with over four million historical messages was restored to operations and available for users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were 100 percent recovered.
  • A new Palo Alto Networks 850 security appliance was set up and programmed.
  • Ninety percent of the user workstations were operational.

"Much of what happened that first week is nearly entirely a haze for me, but my team will not soon forget the commitment each of you put in to help get our business back. I have trusted Progent for at least 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This time was a Herculean accomplishment."

Conclusion
A likely company-ending disaster was averted with top-tier professionals, a wide array of knowledge, and tight collaboration. Although in analyzing the event afterwards the crypto-ransomware attack described here would have been prevented with modern security technology and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well thought out incident response procedures for information protection and applying software patches, the reality is that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and are an ongoing threat. If you do fall victim to a ransomware incident, feel confident that Progent's roster of experts has extensive experience in ransomware virus defense, remediation, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), thanks very much for allowing me to get rested after we got past the first week. Everyone did an fabulous effort, and if anyone that helped is in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Salinas a portfolio of online monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services incorporate modern AI capability to detect zero-day strains of ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior machine learning tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and file-less exploits, which easily escape traditional signature-based AV tools. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to address the entire threat lifecycle including blocking, detection, mitigation, remediation, and forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver economical in-depth protection for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP utilizes contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint management, and web filtering via leading-edge technologies incorporated within a single agent accessible from a unified control. Progent's data protection and virtualization consultants can help you to design and implement a ProSight ESP deployment that meets your organization's unique requirements and that allows you prove compliance with legal and industry information security standards. Progent will assist you specify and implement policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for immediate attention. Progent can also help your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services so you can recover rapidly from a destructive security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with leading backup software companies to produce ProSight Data Protection Services, a family of management offerings that provide backup-as-a-service. ProSight DPS services manage and track your data backup processes and allow transparent backup and rapid restoration of important files, applications, images, plus VMs. ProSight DPS lets your business protect against data loss caused by hardware failures, natural disasters, fire, malware like ransomware, user mistakes, ill-intentioned employees, or application glitches. Managed services in the ProSight Data Protection Services product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these fully managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that incorporates the infrastructure of top information security vendors to provide web-based control and world-class security for all your inbound and outbound email. The powerful architecture of Email Guard integrates a Cloud Protection Layer with a local gateway device to provide complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The cloud filter serves as a first line of defense and keeps most unwanted email from reaching your security perimeter. This decreases your vulnerability to inbound attacks and conserves system bandwidth and storage space. Email Guard's onsite gateway appliance adds a deeper level of inspection for incoming email. For outbound email, the on-premises gateway offers AV and anti-spam filtering, DLP, and email encryption. The local security gateway can also assist Exchange Server to track and safeguard internal email traffic that stays within your corporate firewall. For more details, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to map out, track, reconfigure and troubleshoot their networking appliances such as routers and switches, firewalls, and access points plus servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are kept updated, captures and displays the configuration information of almost all devices on your network, tracks performance, and sends notices when issues are detected. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off common chores such as making network diagrams, expanding your network, locating appliances that require important updates, or isolating performance bottlenecks. Learn more details about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management techniques to help keep your network running at peak levels by tracking the health of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted immediately to your specified IT management staff and your assigned Progent consultant so that all looming issues can be addressed before they have a chance to disrupt productivity. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size organization can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and maintained by Progent's IT support experts. With the ProSight Virtual Hosting model, the client retains ownership of the data, the OS software, and the apps. Since the system is virtualized, it can be ported immediately to an alternate hosting environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied a single hosting provider. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, find and protect data related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSLs or domains. By cleaning up and organizing your IT infrastructure documentation, you can save as much as half of time spent searching for critical information about your IT network. ProSight IT Asset Management features a common location for storing and collaborating on all documents related to managing your business network like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and associating IT information. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the knowledge you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection service that utilizes next generation behavior analysis tools to guard endpoints as well as physical and virtual servers against new malware attacks such as ransomware and email phishing, which routinely evade legacy signature-based anti-virus products. Progent Active Security Monitoring services safeguard local and cloud-based resources and offers a unified platform to automate the entire malware attack progression including blocking, identification, mitigation, remediation, and forensics. Top features include single-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Find out more about Progent's ransomware defense and recovery services.

  • Progent's Outsourced/Shared Service Desk: Help Desk Managed Services
    Progent's Call Desk managed services enable your IT staff to offload Call Center services to Progent or divide activity for Service Desk support transparently between your in-house support team and Progent's nationwide pool of IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a smooth extension of your core network support team. User interaction with the Service Desk, delivery of support services, escalation, ticket generation and updates, efficiency metrics, and management of the service database are cohesive regardless of whether issues are taken care of by your core IT support organization, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management provide businesses of any size a flexible and cost-effective alternative for evaluating, testing, scheduling, applying, and tracking software and firmware updates to your dynamic IT network. In addition to optimizing the protection and reliability of your IT network, Progent's software/firmware update management services allow your in-house IT team to concentrate on more strategic projects and activities that derive the highest business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication managed services incorporate Cisco's Duo technology to defend against stolen passwords through the use of two-factor authentication (2FA). Duo enables one-tap identity confirmation with iOS, Google Android, and other out-of-band devices. With 2FA, whenever you sign into a protected application and give your password you are requested to confirm who you are via a unit that only you possess and that is accessed using a different network channel. A broad selection of out-of-band devices can be utilized as this added form of ID validation such as a smartphone or wearable, a hardware/software token, a landline phone, etc. You can designate multiple validation devices. For more information about ProSight Duo two-factor identity validation services, see Cisco Duo MFA two-factor authentication services for access security.
For 24/7/365 Salinas Crypto-Ransomware Repair Help, reach out to Progent at 800-462-8800 or go to Contact Progent.