Ransomware : Your Feared Information Technology Disaster
Ransomware has become a too-frequent cyber pandemic that presents an existential danger for businesses of all sizes that are unprepared for an attack. Older versions of ransomware such as the Dharma, WannaCry, Locky, NotPetya and MongoLock cryptoworms have been in the wild for many years and still inflict harm. More recent crypto-ransomware variants like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, as well as many unnamed strains, not only encrypt online data but also infect any reachable system backup. Data replicated to the cloud can be ransomed as well. In a poorly designed environment, this can render any restoration useless and effectively knocks the entire system back to zero.

Restoring programs and information after a crypto-ransomware event becomes a race against time as the targeted business fights to contain and clear the ransomware and to resume business-critical operations. Because crypto-ransomware needs time to move laterally, attacks are usually launched at night, when they may take longer to notice. This compounds the difficulty of promptly marshalling and coordinating a knowledgeable mitigation team.

Progent offers a variety of solutions for securing organizations against crypto-ransomware attacks. Among these are team education to recognize and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and installation of the latest generation of SentinelOne security gateways with machine learning capabilities to identify and disable zero-day cyber threats rapidly. Progent also provides the assistance of expert ransomware recovery professionals with the talent and commitment to re-deploy a compromised environment as rapidly as possible.

Progent's Ransomware Restoration Support Services
Following a ransomware penetration, paying the ransom in Bitcoin does not ensure that the cyber criminals will hand over the keys to decrypt any or all of your information. Kaspersky Labs found that 17% of ransomware victims never recovered their data even after paying the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is significantly above the average ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to re-install the essential parts of your Information Technology environment. Without access to complete system backups, this calls for a broad complement of skill sets, top-notch project management, and the willingness to work 24x7 until the task is done.

For decades, Progent has provided certified expert Information Technology services for companies in Salinas and throughout the U.S. and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who hold top industry certifications in key technologies including Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cyber security consultants have earned internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications.) Progent also has expertise with financial systems and ERP application software. This breadth of expertise gives Progent the skills to rapidly identify critical systems, integrate the surviving components of your IT environment following a crypto-ransomware attack, and configure them into an operational system.

Progent's recovery group uses powerful project management tools to coordinate the complex restoration process. Progent appreciates the urgency of working swiftly and together with a customer's management and Information Technology team members to prioritize tasks and to get critical services back online as fast as humanly possible.

Business Case Study: A Successful Ransomware Penetration Recovery
A client sought out Progent after their network was brought down by Ryuk ransomware. Ryuk is thought to have been developed by North Korean government-sponsored criminal gangs, possibly using approaches leaked from America's National Security Agency. Ryuk targets specific organizations with little tolerance for operational disruption and is among the most lucrative iterations of ransomware. Highly publicized targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in Chicago with about 500 staff members. The Ryuk intrusion had frozen all essential operations and manufacturing capabilities. Most of the client's system backups had been online at the beginning of the attack and were damaged. The client was taking steps to pay the ransom (in excess of $200,000) and hoping for the best, but ultimately decided to use Progent.


"I can't thank you enough for the expertise Progent provided us during the most stressful time of (our) business's survival. We would have paid the cyber criminals except for the confidence the Progent experts gave us. That you were able to get our e-mail and critical applications back on-line in less than one week was beyond my wildest dreams. Every single person I spoke to or texted at Progent was absolutely committed to getting us back on-line and was working 24 by 7 to bail us out."

Progent worked hand in hand with the client to rapidly assess and prioritize the critical systems that needed to be restored to make it possible to restart company functions:

  • Active Directory
  • E-Mail
  • Financials/MRP

To begin, Progent followed industry best practices for anti-virus/malware incident mitigation by isolating infected systems and cleaning them of malware. Progent then began rebuilding Microsoft Active Directory (AD), the key technology of enterprise environments built on Microsoft products. Microsoft Exchange Server messaging will not work without Active Directory, and the customer's MRP software relied on Microsoft SQL Server, which requires Active Directory for access to the data.

Within 2 days, Progent was able to rebuild Active Directory services to their pre-virus state. Progent then performed rebuilding and storage recovery on key servers. All Microsoft Exchange Server schema and configuration information was intact, which accelerated the rebuild of Exchange. Progent was also able to gather intact OST files (Microsoft Outlook Offline Folder Files) from staff PCs and laptops to recover mail data. A recent offline backup of the business's accounting systems made it possible to restore these essential applications and make them available to users again. Although major work still had to be done to recover fully from the Ryuk event, essential services were restored rapidly:


"For the most part, the production operation showed little impact and we produced all customer sales."

Over the following few weeks important milestones in the restoration project were accomplished through tight cooperation between Progent team members and the customer:

  • In-house web sites were restored with no loss of data.
  • The MailStore Server containing more than 4 million historical messages was brought on-line and available for users.
  • CRM/Customer Orders/Invoices/AP/Accounts Receivables (AR)/Inventory functions were fully recovered.
  • A new Palo Alto Networks 850 security appliance was deployed.
  • Nearly all of the user workstations were back into operation.

"A huge amount of what transpired in the initial days is nearly entirely a blur for me, but my team will not soon forget the countless hours each and every one of your team put in to give us our company back. I have entrusted Progent for the past ten years, maybe more, and each time Progent has shined and delivered as promised. This situation was a testament to your capabilities."

Conclusion
A probable business-ending disaster was avoided thanks to dedicated professionals, a broad array of IT skills, and tight teamwork. In retrospect, the ransomware incident detailed here should have been identified and prevented with current security solutions, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well thought out incident response procedures for information protection and applying software patches. The fact remains, however, that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware incursion, be confident that Progent's team of experts has a proven track record in ransomware blocking, mitigation, and file recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (and any others that were helping), thank you for allowing me to get rested after we made it past the most critical parts. All of you did an amazing job, and if any of your guys are in the Chicago area, dinner is the least I can do!"

To read or download a PDF version of this customer case study, click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Salinas a portfolio of remote monitoring and security evaluation services designed to help you minimize your exposure to ransomware. These services incorporate modern machine learning technology to uncover zero-day variants of ransomware that are able to get past legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection solution that utilizes SentinelOne's next generation behavior-based machine learning tools to defend physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which easily get by traditional signature-based AV tools. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to manage the complete malware attack lifecycle including filtering, identification, containment, cleanup, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and real-time system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer economical in-depth security for physical and virtual servers, desktops, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of, and response to, security assaults from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering through cutting-edge technologies incorporated within one agent managed from a unified console. Progent's data protection and virtualization experts can help you plan and configure a ProSight ESP deployment that addresses your company's unique needs and that allows you to achieve and demonstrate compliance with legal and industry information security standards. Progent will help you define and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require urgent attention. Progent's consultants can also help you install and test a backup and restore system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with leading backup technology companies to create ProSight Data Protection Services, a selection of management offerings that provide backup-as-a-service. ProSight DPS services manage and monitor your backup processes and enable non-disruptive backup and rapid recovery of critical files/folders, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss caused by equipment failures, natural disasters, fire, cyber attacks like ransomware, human mistakes, malicious employees, or application bugs. Managed services in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these fully managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading information security companies to deliver centralized control and world-class security for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines a Cloud Protection Layer with a local gateway appliance to provide advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-borne threats. Email Guard's cloud filter serves as a preliminary barricade and keeps most unwanted email from making it to your security perimeter. This reduces your vulnerability to inbound attacks and conserves system bandwidth and storage space. Email Guard's on-premises security gateway device adds a deeper level of inspection for incoming email. For outbound email, the local security gateway provides AV and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and inexpensive for smaller businesses to map, monitor, optimize and debug their networking hardware like routers, firewalls, and wireless controllers plus servers, printers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always updated, captures and manages the configuration information of virtually all devices on your network, monitors performance, and sends notices when issues are discovered. By automating time-consuming management processes, WAN Watch can knock hours off common tasks like network mapping, expanding your network, finding appliances that require important updates, or resolving performance issues. Find out more about ProSight WAN Watch infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system running efficiently by checking the health of vital assets that drive your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT personnel and your assigned Progent engineering consultant so that all looming issues can be resolved before they can disrupt productivity. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client owns the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved easily to an alternate hardware solution without requiring a lengthy and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that makes it easy to capture, update, retrieve and safeguard data about your network infrastructure, processes, business apps, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can eliminate up to 50% of the time spent searching for critical information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and associating IT data. Whether you're planning improvements, performing maintenance, or responding to a crisis, ProSight IT Asset Management delivers the data you need when you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that uses cutting-edge behavior analysis technology to guard endpoints as well as servers and VMs against new malware attacks like ransomware and file-less exploits, which routinely escape legacy signature-based anti-virus tools. Progent Active Security Monitoring services safeguard on-premises and cloud resources and provide a single platform to manage the complete malware attack progression including blocking, identification, containment, cleanup, and post-attack forensics. Key features include single-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Desk: Help Desk Managed Services
    Progent's Support Center services allow your information technology group to offload Call Center services to Progent or divide activity for Help Desk services seamlessly between your internal network support group and Progent's nationwide pool of certified IT service engineers and subject matter experts. Progent's Shared Help Desk Service provides a seamless extension of your internal support resources. User access to the Help Desk, provision of support services, issue escalation, ticket generation and updates, performance metrics, and maintenance of the service database are consistent whether issues are resolved by your core IT support staff, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Service Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer organizations of any size a flexible and affordable alternative for evaluating, testing, scheduling, applying, and documenting software and firmware updates to your dynamic information network. Besides maximizing the protection and functionality of your IT environment, Progent's patch management services allow your IT staff to focus on line-of-business projects and activities that derive maximum business value from your network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Remediation, and Protected Single Sign-on
    Progent's Duo MFA services use Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication (2FA). Duo enables one-tap identity verification on Apple iOS, Google Android, and other personal devices. With 2FA, whenever you log into a secured application and enter your password you are asked to confirm your identity via a device that only you have and that uses a different network channel. A broad selection of devices can be used as this second means of ID validation, including a smartphone or watch, a hardware/software token, a landline phone, etc. You can designate several verification devices. For more information about ProSight Duo two-factor identity validation services, go to Cisco Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of real-time and in-depth reporting plug-ins designed to integrate with the top ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues such as spotty support follow-up or endpoints with out-of-date AVs. By identifying ticketing or network health concerns concisely and in near-real time, ProSight Reporting enhances productivity, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.

For Salinas 24-7 Ransomware Cleanup Services, contact Progent at 800-462-8800 or go to Contact Progent.