Ransomware : Your Feared IT Catastrophe
Crypto-Ransomware Recovery Experts
Ransomware has become a too-frequent cyber pandemic that poses an existential danger for organizations poorly prepared for an attack. Multiple generations of ransomware like the Dharma, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been around for many years and continue to inflict harm. More recent strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Egregor, along with daily unnamed viruses, not only encrypt on-line information but also infiltrate all accessible system restores and backups. Files synched to the cloud can also be corrupted. In a vulnerable system, this can make any restoration useless and effectively sets the network back to zero.

Restoring programs and data after a ransomware event becomes a sprint against time as the targeted business fights to contain and clean up the ransomware and to resume business-critical activity. Because crypto-ransomware needs time to spread, attacks are often launched during nights and weekends, when a successful intrusion tends to take longer to notice. This compounds the difficulty of quickly assembling and coordinating an experienced response team.

Progent has a range of services for protecting organizations from ransomware events. These include team member education to become familiar with and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation security appliances with machine learning technology from SentinelOne to detect and disable day-zero cyber attacks intelligently. Progent also offers the services of experienced crypto-ransomware recovery consultants with the talent and perseverance to restore a breached environment as soon as possible.

Progent's Crypto-Ransomware Recovery Services
Following a ransomware penetration, sending the ransom in cryptocurrency does not guarantee that distant criminals will provide the keys needed to decrypt any of your files. Kaspersky Labs ascertained that seventeen percent of crypto-ransomware victims never restored their information after having sent off the ransom, resulting in additional losses. The risk is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is well above the average ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to set up from scratch the essential elements of your IT environment. Without access to essential information backups, this calls for a wide range of IT skills, well-coordinated team management, and the ability to work continuously until the recovery project is completed.

For decades, Progent has made available certified expert IT services for companies in Salt Lake City and across the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained advanced industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have garnered internationally-renowned industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with financial systems and ERP application software. This breadth of experience gives Progent the ability to efficiently identify critical systems, re-organize the remaining pieces of your IT environment after a ransomware event, and configure them into a functioning network.

Progent's security group deploys state-of-the-art project management applications to orchestrate the sophisticated restoration process. Progent knows the importance of acting quickly and in concert with a client's management and IT resources to prioritize tasks and to get key systems back on line as fast as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Penetration Response
A small business turned to Progent after their network was crashed by the Ryuk ransomware virus. Ryuk is believed to have been developed by North Korean government-sponsored cybercriminals, suspected of adopting techniques leaked from America's NSA. Ryuk attacks specific companies with little ability to sustain disruption and is one of the most profitable iterations of ransomware malware. Major victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer located in the Chicago metro area with about 500 workers. The Ryuk intrusion had paralyzed all essential operations and manufacturing capabilities. The majority of the client's information backups had been directly accessible from the network at the beginning of the attack and were eventually encrypted. The client was pursuing financing to pay the ransom (exceeding $200,000) and hoping for the best, but ultimately engaged Progent.

"I cannot thank you enough for the expertise Progent gave us during the most stressful time of (our) company's life. We had little choice but to pay the hackers behind this attack except for the confidence the Progent experts afforded us. That you were able to get our e-mail system and critical applications back on-line in less than a week was incredible. Each staff member I got help from or texted at Progent was laser focused on getting us back on-line and was working day and night to bail us out."

Progent worked hand in hand with the customer to rapidly identify and prioritize the critical elements that needed to be recovered in order to continue company operations:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting/MRP

To get going, Progent followed incident response best practices by isolating and cleaning up infected systems. Progent then began the work of restoring Active Directory, the core of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without Windows AD, and the business's financials and MRP system leveraged Microsoft SQL, which depends on Windows AD for authentication to the information.

Within two days, Progent was able to rebuild Active Directory services to their pre-attack state. Progent then accomplished setup and hard drive recovery of mission critical servers. All Microsoft Exchange Server ties and configuration information were intact, which facilitated the rebuild of Exchange. Progent was also able to locate local OST files (Outlook Email Off-Line Data Files) on user desktop computers and laptops to recover mail messages. A recent off-line backup of the client's accounting/MRP systems made it possible to return these vital applications to users. Although a large amount of work was left to recover totally from the Ryuk event, the most important systems were restored quickly:

"For the most part, the production operation showed little impact and we made all customer shipments."

Over the following couple of weeks, key milestones in the recovery project were reached through close cooperation between Progent team members and the client:

  • Self-hosted web sites were returned to operation with no loss of information.
  • The MailStore Server containing more than 4 million historical emails was brought online and made available to users.
  • CRM/Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory Control capabilities were 100% recovered.
  • A new Palo Alto Networks 850 firewall was set up.
  • Most of the user workstations were functioning as before the incident.

"Much of what occurred in the early hours is mostly a haze for me, but I will not soon forget the care each and every one of your team put in to help get our company back. I've utilized Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This time was no exception but maybe more Herculean."

Conclusion
A probable business-killing catastrophe was averted with dedicated experts, a broad range of subject matter expertise, and close collaboration. Although in hindsight the ransomware attack detailed here should have been shut down with advanced security solutions and recognized best practices, staff training, appropriate procedures for off-line information backup, and proper patching controls, the reality is that state-sponsored hackers from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware penetration, feel confident that Progent's roster of experts has a proven track record in crypto-ransomware defense, removal, and data recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (and any others that were helping), thank you for making it so I could get rested after we made it through the initial push. All of you made a fabulous effort, and if any of your team is around the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, please click:
Progent's Crypto-Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers companies in Salt Lake City a range of remote monitoring and security evaluation services designed to assist you to minimize the threat from ransomware. These services utilize next-generation machine learning technology to uncover zero-day variants of ransomware that are able to get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's cutting edge behavior analysis technology to guard physical and virtual endpoint devices against modern malware attacks such as ransomware and email phishing, which easily evade legacy signature-based AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a single platform to manage the complete threat lifecycle including protection, infiltration detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical and virtual servers, workstations, mobile devices, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge technologies packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help you to plan and implement a ProSight ESP environment that addresses your organization's specific requirements and that helps you achieve and demonstrate compliance with government and industry data protection standards. Progent will help you define and implement policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for urgent action. Progent's consultants can also help your company to install and verify a backup and disaster recovery system like ProSight Data Protection Services so you can get back in business quickly after a destructive security attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup/restore technology providers to produce ProSight Data Protection Services (DPS), a selection of offerings that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup processes and enable non-disruptive backup and rapid recovery of important files/folders, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss resulting from equipment breakdown, natural disasters, fire, malware such as ransomware, user error, malicious employees, or software glitches. Managed services available in the ProSight DPS portfolio include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Total Backup, ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent consultant can assist you to determine which of these fully managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security vendors to deliver centralized control and world-class security for all your inbound and outbound email. The powerful architecture of Progent's Email Guard combines cloud-based filtering with an on-premises security gateway device to offer advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from reaching your security perimeter. This reduces your vulnerability to inbound attacks and saves system bandwidth and storage space. Email Guard's onsite security gateway device adds a deeper level of inspection for incoming email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that stays within your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized organizations to map out, track, enhance and troubleshoot their networking appliances such as switches, firewalls, and access points plus servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that network maps are kept updated, captures and manages the configuration information of virtually all devices on your network, monitors performance, and generates alerts when potential issues are discovered. By automating tedious network management processes, WAN Watch can cut hours off ordinary tasks such as network mapping, expanding your network, finding appliances that require critical updates, or identifying the cause of performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management (RMM) technology to keep your IT system operating efficiently by checking the state of vital assets that drive your business network. When ProSight LAN Watch detects a problem, an alert is transmitted automatically to your specified IT management staff and your assigned Progent consultant so that all potential issues can be addressed before they can disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a protected Tier III data center on a fast virtual host set up and managed by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS software, and the apps. Because the system is virtualized, it can be moved easily to an alternate hosting environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, your business is not tied to one hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard data about your network infrastructure, procedures, business apps, and services. You can instantly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates, domains or warranties. By updating and managing your IT infrastructure documentation, you can eliminate up to half of the time wasted searching for critical information about your network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents required for managing your business network such as standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're making improvements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the data you need the instant you need it. Find out more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that incorporates cutting edge behavior analysis tools to defend endpoints and physical and virtual servers against modern malware attacks such as ransomware and file-less exploits, which easily evade legacy signature-based AV tools. Progent ASM services protect on-premises and cloud-based resources and provide a unified platform to manage the entire malware attack lifecycle including filtering, detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Read more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Help Desk: Help Desk Managed Services
    Progent's Call Desk managed services allow your IT team to outsource Help Desk services to Progent or divide activity for support services seamlessly between your in-house support staff and Progent's extensive pool of certified IT service technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a transparent supplement to your core IT support team. User access to the Help Desk, delivery of support, issue escalation, trouble ticket generation and tracking, performance metrics, and maintenance of the service database are consistent whether issues are taken care of by your in-house support organization, by Progent's team, or a mix of the two. Learn more about Progent's outsourced/co-managed Call Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for patch management provide organizations of all sizes a flexible and cost-effective alternative for evaluating, testing, scheduling, implementing, and tracking updates to your dynamic IT network. In addition to maximizing the protection and reliability of your computer network, Progent's software/firmware update management services free up time for your in-house IT staff to focus on line-of-business projects and tasks that derive maximum business value from your information network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA services incorporate Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication. Duo supports single-tap identity verification on Apple iOS, Google Android, and other personal devices. With 2FA, whenever you sign into a protected application and give your password, you are requested to verify your identity on a device that only you have and that is reached over a different ("out-of-band") network channel. A wide range of devices can be utilized as this added form of authentication, including a smartphone or wearable, a hardware/software token, a landline phone, etc. You can register multiple validation devices. To find out more about ProSight Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication services.

For 24/7/365 Salt Lake City Crypto-Ransomware Removal Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.