Ransomware : Your Crippling IT Catastrophe
Crypto-Ransomware  Remediation ProfessionalsRansomware has become a too-frequent cyber pandemic that represents an existential danger for organizations vulnerable to an assault. Versions of ransomware like the CrySIS, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for a long time and still inflict harm. The latest strains of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Egregor, along with frequent unnamed malware, not only encrypt on-line files but also infiltrate many available system backups. Files synched to off-site disaster recovery sites can also be corrupted. In a poorly designed environment, it can render automatic restoration useless and basically sets the network back to zero.

Getting back online applications and information following a crypto-ransomware event becomes a sprint against the clock as the targeted business tries its best to stop lateral movement and cleanup the virus and to resume enterprise-critical activity. Because ransomware takes time to move laterally, penetrations are frequently launched on weekends, when successful penetrations in many cases take longer to identify. This compounds the difficulty of quickly marshalling and orchestrating a capable mitigation team.

Progent offers a range of services for securing organizations from crypto-ransomware penetrations. These include staff education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of next-generation security appliances with AI capabilities from SentinelOne to discover and disable new cyber attacks intelligently. Progent also can provide the assistance of veteran crypto-ransomware recovery professionals with the skills and commitment to reconstruct a breached environment as soon as possible.

Progent's Ransomware Recovery Help
Subsequent to a ransomware event, sending the ransom in Bitcoin cryptocurrency does not ensure that cyber criminals will respond with the needed codes to unencrypt all your files. Kaspersky Labs determined that 17% of ransomware victims never restored their files even after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET averages to be around $13,000. The fallback is to piece back together the critical elements of your IT environment. Without the availability of complete information backups, this requires a broad range of skill sets, professional team management, and the ability to work non-stop until the recovery project is done.

For decades, Progent has offered professional Information Technology services for businesses in Salt Lake City and throughout the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes consultants who have attained top certifications in leading technologies including Microsoft, Cisco, VMware, and major distros of Linux. Progent's cybersecurity engineers have garnered internationally-recognized certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent in addition has expertise in financial management and ERP applications. This breadth of experience gives Progent the ability to efficiently identify important systems and consolidate the surviving parts of your computer network environment after a crypto-ransomware attack and rebuild them into a functioning network.

Progent's recovery group utilizes state-of-the-art project management applications to coordinate the complicated recovery process. Progent understands the urgency of working rapidly and in unison with a customer's management and Information Technology resources to assign priority to tasks and to get key services back online as fast as possible.

Customer Case Study: A Successful Ransomware Intrusion Restoration
A customer hired Progent after their organization was crashed by Ryuk ransomware. Ryuk is generally considered to have been launched by Northern Korean state sponsored criminal gangs, possibly using technology leaked from the U.S. National Security Agency. Ryuk seeks specific organizations with little tolerance for operational disruption and is among the most lucrative versions of crypto-ransomware. Well Known targets include Data Resolution, a California-based info warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a single-location manufacturing company headquartered in Chicago with about 500 staff members. The Ryuk penetration had brought down all essential operations and manufacturing capabilities. The majority of the client's system backups had been on-line at the beginning of the attack and were destroyed. The client considered paying the ransom (in excess of $200K) and praying for good luck, but ultimately reached out to Progent.


"I cannot say enough in regards to the help Progent gave us during the most stressful period of (our) company's survival. We had little choice but to pay the criminal gangs except for the confidence the Progent group gave us. That you could get our e-mail system and important servers back online faster than one week was something I thought impossible. Each consultant I interacted with or e-mailed at Progent was urgently focused on getting our company operational and was working 24/7 on our behalf."

Progent worked hand in hand the client to quickly identify and assign priority to the mission critical systems that needed to be addressed to make it possible to continue departmental functions:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP
To begin, Progent adhered to AV/Malware Processes event mitigation industry best practices by isolating and performing virus removal steps. Progent then initiated the task of recovering Microsoft Active Directory, the foundation of enterprise networks built on Microsoft technology. Microsoft Exchange email will not work without Active Directory, and the businesses' MRP software utilized Microsoft SQL, which needs Active Directory for security authorization to the data.

In less than 2 days, Progent was able to re-build Active Directory services to its pre-virus state. Progent then initiated rebuilding and storage recovery on critical servers. All Microsoft Exchange Server data and attributes were usable, which greatly helped the restore of Exchange. Progent was also able to assemble intact OST data files (Outlook Offline Data Files) on various desktop computers and laptops in order to recover mail data. A recent off-line backup of the customer's accounting/MRP software made it possible to restore these essential programs back on-line. Although significant work still had to be done to recover completely from the Ryuk event, critical systems were restored rapidly:


"For the most part, the assembly line operation never missed a beat and we did not miss any customer deliverables."

During the following couple of weeks important milestones in the recovery process were completed in close collaboration between Progent team members and the customer:

  • In-house web sites were brought back up with no loss of data.
  • The MailStore Server exceeding four million archived emails was spun up and available for users.
  • CRM/Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control functions were fully operational.
  • A new Palo Alto Networks 850 security appliance was set up.
  • 90% of the user workstations were being used by staff.

"Much of what was accomplished during the initial response is nearly entirely a haze for me, but I will not forget the commitment all of your team accomplished to help get our business back. I have utilized Progent for the past ten years, possibly more, and each time Progent has shined and delivered as promised. This event was the most impressive ever."

Conclusion
A probable business-killing disaster was evaded with dedicated experts, a wide array of IT skills, and tight collaboration. Although in retrospect the ransomware virus penetration detailed here could have been identified and disabled with current cyber security technology and ISO/IEC 27001 best practices, staff training, and appropriate security procedures for information backup and applying software patches, the fact is that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware penetration, feel confident that Progent's roster of experts has substantial experience in crypto-ransomware virus defense, cleanup, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were involved), I'm grateful for letting me get rested after we got past the most critical parts. Everyone did an amazing job, and if anyone that helped is in the Chicago area, a great meal is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide companies in Salt Lake City a portfolio of remote monitoring and security evaluation services designed to help you to reduce the threat from ransomware. These services utilize modern machine learning technology to detect zero-day variants of ransomware that can escape detection by legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) service that utilizes SentinelOne's cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which easily get by traditional signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud resources and offers a single platform to manage the entire malware attack lifecycle including blocking, identification, containment, cleanup, and post-attack forensics. Key capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection managed services offer ultra-affordable multi-layer security for physical servers and VMs, workstations, mobile devices, and Microsoft Exchange. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to security assaults from all attack vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device control, and web filtering via leading-edge tools incorporated within a single agent managed from a unified control. Progent's security and virtualization consultants can help your business to design and configure a ProSight ESP environment that meets your company's specific requirements and that allows you demonstrate compliance with government and industry data protection regulations. Progent will assist you define and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent attention. Progent can also help your company to install and test a backup and disaster recovery solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with advanced backup technology providers to produce ProSight Data Protection Services (DPS), a family of subscription-based offerings that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup operations and enable transparent backup and rapid recovery of vital files, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you protect against data loss caused by hardware failures, natural disasters, fire, malware such as ransomware, human mistakes, malicious insiders, or software glitches. Managed backup services available in the ProSight DPS product family include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent expert can help you to determine which of these managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that incorporates the infrastructure of top data security companies to provide centralized control and comprehensive security for all your inbound and outbound email. The powerful architecture of Email Guard integrates cloud-based filtering with a local security gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from reaching your network firewall. This decreases your exposure to inbound threats and conserves network bandwidth and storage. Email Guard's on-premises gateway appliance provides a further level of analysis for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also help Microsoft Exchange Server to monitor and safeguard internal email that stays within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, monitor, enhance and troubleshoot their connectivity appliances such as switches, firewalls, and load balancers as well as servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch makes sure that network diagrams are always updated, copies and manages the configuration information of almost all devices connected to your network, monitors performance, and generates alerts when issues are detected. By automating tedious management and troubleshooting activities, WAN Watch can cut hours off common chores such as network mapping, expanding your network, locating devices that require critical updates, or resolving performance problems. Learn more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management technology to help keep your network operating at peak levels by tracking the state of vital computers that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT staff and your Progent consultant so that all looming issues can be addressed before they can disrupt productivity. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected Tier III data center on a fast virtual machine host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the apps. Because the system is virtualized, it can be moved immediately to a different hosting solution without requiring a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and safeguard information about your IT infrastructure, processes, applications, and services. You can quickly find passwords or IP addresses and be warned about upcoming expirations of SSL certificates or warranties. By cleaning up and organizing your IT infrastructure documentation, you can save as much as half of time thrown away trying to find vital information about your network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your network infrastructure like recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for collecting and relating IT data. Whether you're planning enhancements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the information you need as soon as you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that utilizes next generation behavior-based machine learning technology to guard endpoint devices and physical and virtual servers against new malware assaults like ransomware and email phishing, which easily evade traditional signature-matching anti-virus products. Progent Active Security Monitoring services safeguard on-premises and cloud-based resources and provides a single platform to address the complete malware attack progression including blocking, detection, mitigation, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against new attacks. Read more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Service Center: Help Desk Managed Services
    Progent's Support Desk services allow your IT group to outsource Help Desk services to Progent or split responsibilities for Service Desk support seamlessly between your internal network support resources and Progent's extensive pool of IT service technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a transparent supplement to your in-house IT support staff. End user interaction with the Service Desk, provision of support services, issue escalation, trouble ticket generation and tracking, performance metrics, and management of the service database are consistent regardless of whether issues are taken care of by your internal network support resources, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for software and firmware patch management provide organizations of any size a versatile and cost-effective alternative for assessing, validating, scheduling, applying, and tracking updates to your dynamic IT network. Besides optimizing the protection and reliability of your computer network, Progent's patch management services free up time for your in-house IT team to concentrate on line-of-business initiatives and activities that derive maximum business value from your network. Find out more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication services incorporate Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication. Duo supports single-tap identity verification on Apple iOS, Google Android, and other out-of-band devices. With Duo 2FA, when you log into a protected application and enter your password you are asked to verify who you are on a unit that only you have and that is accessed using a different ("out-of-band") network channel. A broad range of devices can be used for this second form of ID validation including an iPhone or Android or watch, a hardware/software token, a landline phone, etc. You may designate several validation devices. For details about ProSight Duo two-factor identity authentication services, visit Duo MFA two-factor authentication services for access security.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing suite of real-time and in-depth reporting utilities designed to integrate with the industry's top ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues like spotty support follow-up or machines with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, reduces management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.
For 24-Hour Salt Lake City Crypto Remediation Help, contact Progent at 800-462-8800 or go to Contact Progent.