Ransomware : Your Feared IT Disaster
Ransomware Recovery Consultants

Crypto-ransomware has become an escalating cyber pandemic that presents an enterprise-level threat for businesses unprepared for an assault. Versions of crypto-ransomware such as Dharma, Fusob, Locky, Syskey and MongoLock cryptoworms have been circulating for many years and still inflict havoc. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, along with many unnamed newcomers, not only encrypt critical online data but also defeat most of the system protection mechanisms that have been configured. Files synched to cloud environments can also be rendered useless. With a poorly architected data protection solution, an attack can render any restore operation hopeless and effectively knock the network back to zero.

Getting programs and data back online after a ransomware outage becomes a race against time as the victim struggles to contain and eradicate the crypto-ransomware and to resume business-critical activity. Because crypto-ransomware needs time to replicate, attacks are frequently sprung during nights and weekends, when a successful attack is likely to take longer to discover. This multiplies the difficulty of quickly marshalling and organizing a knowledgeable mitigation team.

Progent has a range of services for securing enterprises against ransomware attacks. Among these are user training to recognize and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, and deployment of next-generation security products with machine learning technology from SentinelOne to discover and quarantine new threats automatically. Progent also provides the assistance of expert crypto-ransomware recovery engineers with the skills and commitment to restore a breached environment as urgently as possible.

Progent's Ransomware Recovery Help
After a crypto-ransomware event, paying the ransom in cryptocurrency does not provide any assurance that the cyber criminals will return the keys needed to decrypt any of your files. Kaspersky estimated that seventeen percent of ransomware victims never recovered their information even after paying the ransom, compounding their losses. Paying is also expensive. Ryuk ransoms often range from fifteen to forty BTC (roughly $120,000 to $400,000). This is far higher than the typical ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to rebuild the vital elements of your IT environment from scratch. Without complete system backups, this requires a wide range of skill sets, well-coordinated project management, and the ability to work 24x7 until the task is done.

For decades, Progent has made available expert Information Technology services for companies in Salt Lake City and throughout the U.S. and has achieved Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have attained top industry certifications in leading technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security experts have garnered internationally-recognized industry certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with financial management and ERP software solutions. This breadth of experience affords Progent the capability to quickly understand important systems and consolidate the remaining components of your IT system after a ransomware penetration and configure them into an operational network.

Progent's ransomware team has top-notch project management tools to coordinate the complex restoration process. Progent understands the importance of working quickly and in unison with a customer's management and IT resources to prioritize tasks and to put key applications back online as fast as humanly possible.

Customer Story: A Successful Crypto-Ransomware Incident Recovery
A business hired Progent after their company was penetrated by Ryuk ransomware. Ryuk is generally considered to have been deployed by North Korean government-sponsored hackers, possibly using technology leaked from America's NSA. Ryuk targets specific organizations with limited tolerance for disruption and is among the most lucrative versions of ransomware. Highly publicized victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturing company based in Chicago with around 500 staff members. The Ryuk intrusion had shut down all business operations and manufacturing processes. Most of the client's backups had been online when the attack began and were eventually encrypted. The client was actively seeking loans to pay the ransom demand (more than two hundred thousand dollars) and hoping for good luck, but ultimately called Progent.


"I cannot speak enough in regards to the help Progent provided us during the most critical time of (our) company's life. We had little choice but to pay the cyber criminals if not for the confidence the Progent team afforded us. That you were able to get our messaging and production servers back quicker than 1 week was amazing. Every single expert I interacted with or communicated with at Progent was hell-bent on getting my company operational and was working 24 by 7 on our behalf."

Progent worked with the customer to quickly identify and prioritize the mission-critical areas that had to be restored in order to restart business functions:

  • Active Directory (AD)
  • Microsoft Exchange
  • Financials/MRP

To begin, Progent followed ransomware incident mitigation best practices by isolating infected systems and removing the active malware. Progent then started the process of bringing Microsoft Active Directory back online, the heart of enterprise environments built on Microsoft Windows technology. Exchange email will not operate without AD, and the business's financials and MRP system used Microsoft SQL Server, which needs Active Directory services for access to the data.
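The ordering described above (Active Directory before Exchange, SQL Server before the financials/MRP application) is a dependency problem, and it is worth writing the dependencies down before a crisis rather than reconstructing them during one. The following planner is an added example, not Progent's tooling or anything from the case study: it models services and their dependencies as a directed graph, groups them into restore "waves" in which every service depends only on earlier waves, and refuses to produce a plan if the graph contains a cycle. The sample graph, its edges (for instance that DNS is AD-integrated) and the priority numbers are constructed for illustration and are assumptions, not facts recorded in the case study.

```python
"""Restore-order planner for ransomware recovery (added example).

Models service dependencies as a directed graph and produces restore waves:
every service in wave N depends only on services in waves 0..N-1, so the
members of a wave can be rebuilt in parallel. A cycle means there is no
valid order, which is reported instead of silently producing a bad plan.
"""


# Constructed sample graph: service -> services it must wait for.
# The edges below are assumptions for this example, not data from the case study.
SAMPLE_DEPENDENCIES = {
    "active_directory": [],
    "dns": ["active_directory"],                 # assumed AD-integrated DNS
    "exchange": ["active_directory", "dns"],
    "sql_server": ["active_directory"],
    "financials_mrp": ["sql_server"],
    "mailstore_archive": ["exchange"],
    "intranet_web": ["active_directory", "sql_server"],
    "workstations": ["active_directory", "dns"],
}

# Assumed business priorities used only to break ties inside a wave (lower first).
SAMPLE_PRIORITY = {"exchange": 1, "sql_server": 2, "financials_mrp": 2}


class DependencyCycleError(ValueError):
    """Raised when the dependency graph has a cycle, i.e. no valid restore order."""


def _validate(dependencies):
    """Reject references to services that are not defined in the graph."""
    for svc, deps in dependencies.items():
        for dep in deps:
            if dep not in dependencies:
                raise KeyError(f"{svc!r} depends on unknown service {dep!r}")


def restore_waves(dependencies, priority=None):
    """Group services into waves; each wave depends only on earlier waves.

    Within a wave, services are ordered by priority (default 100), then name.
    """
    priority = priority or {}
    _validate(dependencies)
    remaining = {svc: set(deps) for svc, deps in dependencies.items()}
    done = set()
    waves = []
    while remaining:
        # A service is ready once everything it depends on has been restored.
        ready = [svc for svc, deps in remaining.items() if deps <= done]
        if not ready:
            raise DependencyCycleError(
                "circular dependency among: " + ", ".join(sorted(remaining)))
        ready.sort(key=lambda s: (priority.get(s, 100), s))
        waves.append(ready)
        done.update(ready)
        for svc in ready:
            del remaining[svc]
    return waves


def restore_order(dependencies, priority=None):
    """Flatten the waves into a single sequential restore order."""
    return [svc for wave in restore_waves(dependencies, priority) for svc in wave]


def prerequisites(dependencies, service):
    """Return the transitive set of services that must be up before `service`."""
    _validate(dependencies)
    seen = set()
    stack = list(dependencies[service])
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(dependencies[dep])
    return seen


if __name__ == "__main__":
    for i, wave in enumerate(restore_waves(SAMPLE_DEPENDENCIES, SAMPLE_PRIORITY)):
        print(f"wave {i}: {', '.join(wave)}")
    print("financials_mrp needs:",
          sorted(prerequisites(SAMPLE_DEPENDENCIES, "financials_mrp")))
```

With the sample graph, wave 0 contains only Active Directory, wave 1 SQL Server and DNS, and Exchange and the financials/MRP system follow in wave 2, which matches the sequence the case study describes. Replacing the sample dictionary with an organization's real service inventory turns the script into a checkable recovery runbook.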

Within 48 hours, Progent was able to recover Windows Active Directory to its pre-intrusion state. Progent then began rebuilding the required systems and recovering their storage. All Exchange Server data and configuration information were usable, which greatly helped the restoration of Exchange. Progent was able to collect intact OST files (Microsoft Outlook Offline Folder Files) from various desktop computers to recover email data. A recent offline backup of the customer's financials/MRP software made it possible to return these vital applications to service. Although a lot of work remained to recover completely from the Ryuk damage, essential services were returned to operation quickly:


"For the most part, the assembly line operation was never shut down and we produced all customer sales."

Over the next few weeks, critical milestones in the recovery were reached in close cooperation between Progent engineers and the client:

  • Internal web sites were restored with no loss of data.
  • The MailStore Exchange Server containing more than four million archived messages was restored to operations and accessible to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/AR/Inventory Control functions were 100% functional.
  • A new Palo Alto Networks 850 firewall was set up and programmed.
  • Nearly all of the user desktops were fully operational.

"A lot of what happened during the initial response is nearly entirely a fog for me, but we will not forget the urgency each and every one of your team put in to help get our business back. I've entrusted Progent for the past ten years, maybe more, and every time Progent has shined and delivered. This event was a testament to your capabilities."

Conclusion
A potentially business-ending catastrophe was averted through dedicated professionals, a broad range of technical expertise, and tight teamwork. Post-incident forensics showed that the crypto-ransomware intrusion detailed here could have been prevented with up-to-date cyber security technology and ISO/IEC 27001 best practices, user and IT administrator training, and appropriate incident response procedures for information protection, along with keeping systems up to date with security patches. Even so, the fact remains that state-sponsored cyber criminals from China, Russia, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware virus, remember that Progent's team of experts has proven experience in ransomware blocking, mitigation, and file recovery.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), thanks very much for making it so I could get rested after we made it over the initial fire. All of you did an amazing job, and if any of your team is in the Chicago area, a great meal is my treat!"

To read or download a PDF version of this case study, click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Salt Lake City a portfolio of online monitoring and security assessment services to help minimize your exposure to ransomware. These services use modern artificial intelligence technology to uncover new variants of crypto-ransomware that can escape detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that incorporates SentinelOne's cutting-edge behavior-based analysis tools to guard physical and virtual endpoints against new malware attacks such as ransomware and file-less exploits, which easily evade traditional signature-based AV tools. ProSight ASM protects local and cloud-based resources and offers a unified platform to manage the entire threat progression including protection, identification, mitigation, remediation, and post-attack forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Filtering
    ProSight Enhanced Security Protection managed services offer affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and response to security threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device management, and web filtering via leading-edge tools packaged within a single agent managed from a unified console. Progent's security and virtualization experts can assist you to design and implement a ProSight ESP deployment that meets your company's specific needs and that helps you demonstrate compliance with government and industry information security regulations. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that call for immediate action. Progent's consultants can also assist your company to install and test a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a destructive cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Recovery Services
    Progent has worked with advanced backup technology providers to create ProSight Data Protection Services (DPS), a family of offerings that provide backup-as-a-service (BaaS). ProSight DPS products automate and track your data backup operations and allow non-disruptive backup and fast recovery of important files/folders, apps, images, and virtual machines. ProSight DPS helps your business recover from data loss resulting from hardware failures, natural calamities, fire, malware like ransomware, user mistakes, malicious employees, or application bugs. Managed backup services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to determine which of these managed backup services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top data security vendors to deliver web-based management and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local gateway device to provide advanced protection against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's cloud filter serves as a preliminary barricade and blocks most unwanted email from making it to your security perimeter. This reduces your vulnerability to external threats and conserves system bandwidth and storage. Email Guard's on-premises gateway device adds a deeper level of analysis for inbound email. For outbound email, the onsite security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to track and protect internal email traffic that originates and ends inside your security perimeter. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map, monitor, reconfigure and debug their connectivity hardware such as routers, firewalls, and wireless controllers plus servers, endpoints and other networked devices. Using state-of-the-art Remote Monitoring and Management technology, ProSight WAN Watch makes sure that network diagrams are kept updated, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and sends notices when problems are detected. By automating complex management activities, ProSight WAN Watch can cut hours off common tasks such as network mapping, expanding your network, finding devices that need critical updates, or resolving performance bottlenecks. Find out more details about ProSight WAN Watch infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network running at peak levels by checking the health of vital computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is sent automatically to your designated IT management staff and your assigned Progent consultant so that all looming issues can be addressed before they can impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a secure Tier III data center on a high-performance virtual host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting model, the client owns the data, the operating system platforms, and the apps. Because the system is virtualized, it can be ported easily to a different hardware environment without requiring a lengthy and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, retrieve and protect information related to your network infrastructure, procedures, applications, and services. You can quickly find passwords or IP addresses and be alerted automatically about upcoming expirations of SSL certificates, domains or warranties. By updating and organizing your IT documentation, you can save up to 50% of the time spent looking for vital information about your IT network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your business network such as standard operating procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're making enhancements, doing regular maintenance, or responding to a crisis, ProSight IT Asset Management delivers the knowledge you need when you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection service that uses next-generation behavior-based machine learning tools to guard endpoints, servers, and VMs against new malware assaults such as ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus products. The service protects local and cloud resources and provides a single platform to automate the entire malware attack lifecycle including filtering, identification, mitigation, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and recovery services.

  • Outsourced/Co-managed Service Center: Call Center Managed Services
    Progent's Help Center managed services allow your IT group to outsource Call Center services to Progent or divide activity for Help Desk services transparently between your in-house support staff and Progent's nationwide pool of certified IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service provides a smooth supplement to your internal IT support team. Client access to the Service Desk, provision of support, problem escalation, ticket creation and updates, performance measurement, and management of the support database are cohesive regardless of whether issues are taken care of by your in-house support group, by Progent, or a mix of the two. Learn more about Progent's outsourced/shared Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a flexible and affordable solution for evaluating, testing, scheduling, applying, and tracking updates to your ever-evolving IT system. In addition to maximizing the protection and reliability of your computer network, Progent's patch management services free up time for your in-house IT team to focus on line-of-business projects and tasks that deliver the highest business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services use Cisco's Duo technology to protect against password theft by means of two-factor authentication (2FA). Duo supports one-tap identity verification with Apple iOS, Android, and other out-of-band devices. With 2FA, when you sign into a protected online account and give your password, you are asked to verify who you are on a device that only you possess and that uses a different network channel. A broad range of devices can be used as this added means of identity validation, including a smartphone or wearable, a hardware or software token, a landline telephone, and so on. You may designate several verification devices. To learn more about Duo two-factor identity validation services, see Cisco Duo MFA two-factor authentication (2FA) services.

For Salt Lake City 24/7/365 Crypto Repair Help, contact Progent at 800-462-8800 or go to Contact Progent.