Ransomware: Your Crippling IT Nightmare
Ransomware has become an escalating cyber pandemic that poses an extinction-level danger for businesses of all sizes unprepared for an attack. Versions of crypto-ransomware like the CrySIS, CryptoWall, Locky, Syskey and MongoLock cryptoworms have been around for years and continue to inflict destruction. Recent variants of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Egregor, plus daily unnamed viruses, not only encrypt online information but also infect many accessible system protection mechanisms. Data synchronized to the cloud can also be encrypted. In a poorly designed data protection solution, this can render automatic recovery useless and basically knock the entire system back to zero.

Getting programs and data back online after a ransomware intrusion becomes a sprint against the clock as the victim struggles to contain and clear the crypto-ransomware and to resume mission-critical operations. Since ransomware requires time to move laterally, penetrations are usually launched on weekends, when they are likely to take longer to discover. This compounds the difficulty of rapidly assembling and orchestrating a knowledgeable response team.

Progent provides a variety of solutions for securing organizations from crypto-ransomware attacks. Among these are team member education to help identify and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, along with setup and configuration of the latest generation security gateways with machine learning capabilities from SentinelOne to identify and extinguish zero-day cyber threats intelligently. Progent in addition can provide the assistance of veteran ransomware recovery consultants with the talent and perseverance to re-deploy a breached system as soon as possible.

Progent's Ransomware Restoration Services
After a crypto-ransomware event, paying the ransom demands in Bitcoin cryptocurrency does not ensure that criminal gangs will respond with the needed codes to decrypt any of your files. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never restored their information even after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far higher than the usual ransomware demands, which ZDNET determined to be around $13,000. The fallback is to piece back together the essential elements of your Information Technology environment. Without access to essential system backups, this requires a wide complement of IT skills, top-notch team management, and the capability to work non-stop until the task is finished.

For twenty years, Progent has provided certified expert Information Technology services for businesses in Salinas and throughout the U.S. and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts includes engineers who have earned advanced certifications in leading technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cybersecurity consultants have earned internationally-renowned certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise with financial management and ERP application software. This breadth of expertise affords Progent the skills to rapidly determine important systems and organize the surviving pieces of your Information Technology system following a ransomware event and assemble them into an operational network.

Progent's ransomware group uses state-of-the-art project management systems to coordinate the sophisticated restoration process. Progent knows the urgency of working quickly and in concert with a client's management and Information Technology resources to prioritize tasks and to put the most important services back on-line as fast as humanly possible.

Client Case Study: A Successful Ransomware Attack Restoration
A business contacted Progent after their organization was penetrated by Ryuk ransomware. Ryuk is believed to have been created by North Korean state-sponsored cybercriminals, suspected of using techniques leaked from the United States NSA organization. Ryuk goes after specific companies with little or no ability to sustain disruption and is among the most lucrative iterations of ransomware. Well-known targets include Data Resolution, a California-based info warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturer based in the Chicago metro area and has around 500 employees. The Ryuk penetration had disabled all business operations and manufacturing processes. The majority of the client's system backups had been directly accessible at the time of the intrusion and were damaged. The client was evaluating paying the ransom (exceeding $200,000) and hoping for the best, but in the end made the decision to use Progent.


"I cannot speak enough in regards to the help Progent gave us throughout the most critical period of (our) company's survival. We may have had to pay the cyber criminals if not for the confidence the Progent team gave us. The fact that you were able to get our messaging and important applications back into operation in less than one week was incredible. Each person I spoke to or messaged at Progent was urgently focused on getting us restored and was working 24/7 on our behalf."

Progent worked together with the customer to quickly identify and assign priority to the mission critical systems that needed to be addressed to make it possible to continue company functions:

  • Microsoft Active Directory
  • Microsoft Exchange
  • Financials/MRP

To start, Progent adhered to ransomware incident response best practices by stopping the spread and clearing infected systems. Progent then initiated the process of recovering Windows Active Directory, the heart of enterprise networks built upon Microsoft Windows technology. Microsoft Exchange Server email will not operate without Active Directory, and the customer's accounting and MRP applications utilized SQL Server, which requires Active Directory for access to the data.

Within 2 days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then initiated setup and hard drive recovery on key servers. All Exchange ties and attributes were intact, which greatly helped the restore of Exchange. Progent was able to find non-encrypted OST files (Outlook Offline Data Files) on team PCs in order to recover email messages. A recent offline backup of the business's financials/MRP systems made it possible to bring these essential applications back online. Although major work still had to be done to recover totally from the Ryuk damage, the most important systems were restored quickly:


"For the most part, the assembly line operation was never shut down and we produced all customer orders."

Over the following few weeks important milestones in the restoration process were achieved in close cooperation between Progent consultants and the customer:

  • Self-hosted web sites were restored with no loss of information.
  • The MailStore Server containing more than 4 million archived emails was brought on-line and available for users.
  • CRM/Product Ordering/Invoices/Accounts Payable/Accounts Receivables/Inventory Control capabilities were 100% operational.
  • A new Palo Alto 850 firewall was deployed.
  • Nearly all of the user desktops were back into operation.

"A huge amount of what transpired in the early hours is mostly a blur for me, but I will not soon forget the commitment each and every one of the team accomplished to give us our company back. I have utilized Progent for the past ten years, maybe more, and every time Progent has impressed me and delivered. This situation was a life saver."

Conclusion
A probable company-ending disaster was dodged through the efforts of top-tier experts, a wide spectrum of IT skills, and tight teamwork. Although in retrospect the ransomware virus penetration described here would have been disabled with advanced security solutions and NIST Cybersecurity Framework best practices, staff education, and properly executed incident response procedures for information backup and applying software patches, the reality remains that government-sponsored cybercriminals from Russia, China and elsewhere are tireless and represent an ongoing threat. If you do get hit by a ransomware incident, feel confident that Progent's roster of professionals has a proven track record in ransomware virus blocking, mitigation, and information systems recovery.


"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), I'm grateful for making it so I could get some sleep after we made it through the initial push. All of you did a fabulous job, and if any of your guys is around the Chicago area, dinner is the least I can do!"

To review or download a PDF version of this ransomware incident report, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Salinas a range of online monitoring and security evaluation services to assist you to reduce your vulnerability to crypto-ransomware. These services include next-generation artificial intelligence capability to uncover zero-day variants of ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's cutting edge behavior-based analysis technology to defend physical and virtual endpoints against modern malware assaults like ransomware and email phishing, which routinely evade legacy signature-matching AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and offers a single platform to address the complete threat lifecycle including blocking, detection, mitigation, remediation, and post-attack forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver affordable multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers firewall protection, penetration alarms, device control, and web filtering via cutting-edge tools packaged within one agent managed from a unified control. Progent's data protection and virtualization experts can assist your business to plan and configure a ProSight ESP environment that addresses your company's specific needs and that helps you demonstrate compliance with government and industry data protection regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that require urgent action. Progent can also help you to install and verify a backup and restore solution like ProSight Data Protection Services so you can recover quickly from a potentially disastrous security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with advanced backup technology providers to create ProSight Data Protection Services (DPS), a portfolio of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services automate and monitor your backup processes and enable transparent backup and rapid restoration of important files/folders, applications, images, and VMs. ProSight DPS helps you recover from data loss caused by hardware breakdown, natural disasters, fire, cyber attacks like ransomware, user mistakes, malicious insiders, or application glitches. Managed services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent expert can help you to identify which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of top data security companies to deliver web-based management and comprehensive protection for all your email traffic. The powerful structure of Email Guard managed service integrates cloud-based filtering with a local gateway appliance to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. The cloud filter serves as a first line of defense and keeps most unwanted email from reaching your security perimeter. This reduces your exposure to external threats and conserves network bandwidth and storage. Email Guard's on-premises security gateway device provides a deeper layer of inspection for incoming email. For outgoing email, the on-premises gateway provides AV and anti-spam protection, DLP, and email encryption. The onsite gateway can also help Exchange Server to track and safeguard internal email that originates and ends within your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and inexpensive for small and mid-sized businesses to map out, monitor, enhance and debug their networking hardware like routers and switches, firewalls, and access points plus servers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch makes sure that network diagrams are always current, captures and displays the configuration of almost all devices connected to your network, tracks performance, and generates notices when problems are discovered. By automating time-consuming network management activities, ProSight WAN Watch can knock hours off common tasks such as making network diagrams, expanding your network, finding devices that require critical updates, or resolving performance bottlenecks. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses state-of-the-art remote monitoring and management technology to help keep your network operating efficiently by tracking the health of critical assets that power your information system. When ProSight LAN Watch detects an issue, an alarm is transmitted immediately to your designated IT staff and your assigned Progent engineering consultant so any potential problems can be resolved before they can disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Since the environment is virtualized, it can be moved easily to a different hardware solution without a time-consuming and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied to one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, update, find and protect information related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted about impending expirations of SSLs, domains or warranties. By cleaning up and organizing your network documentation, you can save up to half of the time thrown away looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and sharing all documents related to managing your network infrastructure like standard operating procedures (SOPs) and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're planning enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the information you need the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior analysis tools to defend endpoint devices and physical and virtual servers against new malware attacks like ransomware and file-less exploits, which routinely get by traditional signature-matching anti-virus tools. Progent Active Security Monitoring services protect local and cloud resources and provide a unified platform to address the entire threat lifecycle including blocking, detection, containment, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Call Desk: Help Desk Managed Services
    Progent's Support Desk services allow your information technology group to offload Help Desk services to Progent or divide responsibilities for Service Desk support transparently between your in-house network support resources and Progent's nationwide pool of IT service technicians, engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service offers a seamless supplement to your corporate IT support team. User access to the Help Desk, provision of support, problem escalation, ticket creation and updates, efficiency measurement, and maintenance of the service database are cohesive whether issues are resolved by your core IT support organization, by Progent, or a mix of the two. Learn more about Progent's outsourced/shared Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide businesses of any size a flexible and cost-effective alternative for assessing, validating, scheduling, applying, and tracking software and firmware updates to your ever-evolving IT system. In addition to optimizing the protection and reliability of your computer network, Progent's patch management services allow your in-house IT staff to concentrate on more strategic projects and tasks that deliver maximum business value from your information network. Find out more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication services incorporate Cisco's Duo technology to defend against stolen passwords by using two-factor authentication (2FA). Duo supports single-tap identity verification on iOS, Android, and other out-of-band devices. With 2FA, when you sign into a protected application and enter your password you are asked to verify who you are via a device that only you possess and that is accessed using a different ("out-of-band") network channel. A wide selection of out-of-band devices can be utilized for this added form of authentication such as a smartphone or wearable, a hardware token, a landline phone, etc. You may register several validation devices. To find out more about ProSight Duo two-factor identity authentication services, visit Cisco Duo MFA two-factor authentication services.
For Salinas 24x7 Crypto Cleanup Consultants, call Progent at 800-462-8800 or go to Contact Progent.