Ransomware : Your Worst IT Nightmare
Ransomware Remediation Experts
Ransomware has become an escalating cyberplague that presents an extinction-level danger for businesses of any size that are unprepared for an attack. Earlier families such as Reveton, CryptoWall, Bad Rabbit, NotPetya and MongoLock have been around for years and still cause damage. Current crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit and Egregor, along with a steady stream of as-yet-unnamed variants, not only encrypts online data but also reaches any backups that are accessible from the compromised network. Replication to an off-site disaster recovery site does not help by itself: if encrypted files are replicated before the attack is detected, the remote copy is just as useless. In a poorly architected environment this makes automatic recovery impossible and effectively sets the datacenter back to zero.

Restoring services and data after a ransomware event is a race against the clock as the victim struggles to contain the damage, eradicate the ransomware and restore business-critical operations. Because encrypting an entire environment takes time, attacks are frequently launched on weekends and holidays, when an intrusion is likely to go unnoticed for longer. This multiplies the difficulty of promptly assembling and coordinating an experienced response team.

Progent provides a range of services for protecting enterprises from ransomware. These include staff training to help recognize and avoid phishing, ProSight Active Security Monitoring (ASM), an endpoint detection and response service built on SentinelOne's behavior-based AI engine, and deployment of current-generation security gateways to detect and block new attacks. Progent also offers the services of experienced ransomware recovery consultants with the skills and commitment to rebuild a compromised environment as quickly as possible.

Progent's Ransomware Recovery Services
Even immediately after a ransomware event, paying the ransom in Bitcoin does not guarantee that the criminals will hand over the keys needed to decrypt all your data. Kaspersky Labs found that 17% of ransomware victims never recovered their files even after paying, adding to their losses. The gamble is also expensive. Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the exchange rates of the time), far above the average ransomware demand, which ZDNet put at approximately $13,000. The other path is to rebuild the essential components of your IT environment from scratch. Without complete, uncompromised backups, this requires a broad complement of IT skills, first-rate team management, and the capacity to work around the clock until the recovery is complete.

For decades, Progent has offered professional IT services for companies in Houston and across the U.S. and holds Microsoft Partner competencies in Datacenter and Cloud Productivity. Progent's pool of subject matter experts (SMEs) includes engineers who have attained top certifications in key technologies such as Microsoft, Cisco, VMware, and the major Linux distributions. Progent's cybersecurity specialists hold internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with financial systems and ERP application software. This breadth of expertise lets Progent identify the critical systems after a ransomware intrusion, salvage what can be salvaged of the remaining IT environment, and rebuild it into a working system.

Progent's security group has best of breed project management tools to orchestrate the complicated recovery process. Progent understands the importance of working rapidly and in concert with a client's management and Information Technology resources to assign priority to tasks and to get essential services back on line as soon as possible.

Client Case Study: A Successful Ransomware Penetration Restoration
A business engaged Progent after it was hit by Ryuk ransomware. Ryuk shares code with the earlier Hermes ransomware and was initially attributed to North Korean state-sponsored actors; later analysis linked its operators to Russian-speaking criminal groups. Ryuk is aimed at specific organizations with little or no tolerance for downtime and is among the most profitable ransomware families. Notable victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a single-location manufacturer in the Chicago area with about 500 employees. The Ryuk attack had shut down all business and manufacturing operations. Most of the client's backups had been online at the time of the intrusion and were encrypted along with everything else. The client was actively seeking loans to pay the ransom (over $200K) and hoping for the best, but in the end engaged Progent instead.


"I can't say enough about the expertise Progent gave us during the most stressful time of (our) business's existence. We would have paid the cyber criminals if not for the confidence the Progent experts provided us. The fact that you could get our e-mail system and key applications back online in less than five days was something I thought impossible. Every single staff member I talked with or messaged at Progent was totally committed to getting us back online and was working at all hours on our behalf."

Progent worked with the client to rapidly determine and prioritize the critical applications that had to be addressed to make it possible to restart business operations:

  • Windows Active Directory
  • Electronic Messaging
  • Accounting and Manufacturing Software
To begin, Progent followed incident response best practice: isolating compromised hosts to halt lateral movement and wiping or reimaging infected systems. Progent then began rebuilding Active Directory, the heart of any Windows-based enterprise environment. Microsoft Exchange will not operate without AD, and the client's MRP applications ran on Microsoft SQL Server, which relied on AD-integrated authentication for access to the data.

In less than 48 hours, Progent restored Active Directory to its pre-attack state. Progent then assisted with the rebuild and disk recovery of the systems that were needed. All Exchange Server links and configuration data were intact, which greatly simplified the Exchange rebuild. Progent was able to locate intact OST files (Microsoft Outlook Offline Data Files) on staff workstations and use them to recover mail data. A reasonably recent offline backup of the accounting/ERP systems, which survived precisely because it was not reachable from the network, made it possible to bring these vital services back online. Although a great deal of work remained to recover fully from the Ryuk attack, core services were restored quickly:


"For the most part, the production operation showed little impact and we produced all customer deliverables."
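
Locating intact OST files among those the ransomware had already encrypted, as in the step above, is the kind of triage that is worth scripting when hundreds of workstations are involved. The following Python script is an added example and is not Progent's code or part of the original case study. It assumes the head of a file is enough to judge it: PST/OST files begin with the 4-byte magic `!BDN`, and ciphertext has near-random byte entropy. The sample workstation directory it builds, including the `.encrypted` suffix on the renamed file, is constructed for the demonstration.

```python
# Added example, not Progent's code: triage Outlook OST/PST files on a
# workstation after a ransomware event, separating files still worth copying
# off for mail recovery from those the ransomware has already encrypted.
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

OST_MAGIC = b"!BDN"        # dwMagic at offset 0 of every PST/OST file
ENTROPY_THRESHOLD = 7.5    # bits/byte; ciphertext and random data approach 8.0
SAMPLE_SIZE = 64 * 1024    # the head of the file is enough for triage


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_ost(head: bytes) -> str:
    """Verdict for the first bytes of a candidate OST/PST: intact, encrypted or suspect.

    The magic check comes first because legitimate compressed formats also have
    high entropy; entropy alone would misclassify a healthy zip or jpeg.
    """
    has_magic = head[:4] == OST_MAGIC
    high_entropy = shannon_entropy(head) >= ENTROPY_THRESHOLD
    if has_magic and not high_entropy:
        return "intact"
    if not has_magic and high_entropy:
        return "encrypted"
    # Magic present with random-looking content, or magic gone but readable
    # content (truncated or renamed file): leave for a human, do not discard.
    return "suspect"


def triage_directory(root: Path) -> dict:
    """Map every *.ost/*.pst under `root` (including ransomware-renamed ones) to a verdict."""
    verdicts = {}
    for path in root.rglob("*"):
        name = path.name.lower()
        if path.is_file() and (".ost" in name or ".pst" in name):
            with path.open("rb") as fh:
                verdicts[str(path.relative_to(root))] = classify_ost(fh.read(SAMPLE_SIZE))
    return verdicts


def build_sample_workstation(root: Path) -> None:
    """Constructed test data: one surviving OST and one encrypted, renamed OST.

    The `.encrypted` suffix is a hypothetical stand-in for whatever extension a
    given ransomware family appends; the ciphertext is deterministic pseudo-random bytes.
    """
    root.mkdir(parents=True, exist_ok=True)
    (root / "alice.ost").write_bytes(OST_MAGIC + b"\x00" * 60 + b"Subject: Q3 forecast\r\n" * 400)
    rng = random.Random(20201117)
    fake_ciphertext = rng.getrandbits(8 * SAMPLE_SIZE).to_bytes(SAMPLE_SIZE, "big")
    (root / "bob.ost.encrypted").write_bytes(fake_ciphertext)


def demo_verdicts() -> dict:
    """Build the constructed workstation in a temp dir and return its triage verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        workstation = Path(tmp) / "workstation"
        build_sample_workstation(workstation)
        return triage_directory(workstation)


if __name__ == "__main__":
    for name, verdict in sorted(demo_verdicts().items()):
        print(f"{verdict:10} {name}")
```

Because only the head of each file is inspected, the script runs quickly over a whole user profile, but a file flagged as intact still has to open cleanly in Outlook or a PST repair tool before you rely on it for recovery.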

Over the following few weeks critical milestones in the recovery project were accomplished through close cooperation between Progent consultants and the client:

  • Self-hosted web applications were brought back up without losing any data.
  • The MailStore Server holding more than four million archived emails was back online and available to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables (AR)/Inventory Control capabilities were 100 percent operational.
  • A new Palo Alto Networks 850 firewall was installed and configured.
  • Nearly all of the desktop computers were operational.

"A huge amount of what transpired those first few days is mostly a blur for me, but my management will not soon forget the countless hours each of your team put in to give us our company back. I have trusted Progent for the past 10 years, possibly more, and every time Progent has outperformed my expectations and delivered as promised. This event was a life saver."

Conclusion
A potentially business-ending disaster was avoided thanks to top-tier professionals, a wide array of technical expertise, and close collaboration. The post-incident analysis showed that the attack described here could have been stopped by modern security tooling and recognized best practices: user and IT administrator training, offline or otherwise isolated backups, proper patching controls, and a tested incident response plan. Even so, the reality is that state-sponsored and criminal attackers operating from China, Russia, North Korea and elsewhere are tireless and are not going away. If you are hit by a ransomware incident, you can be confident that Progent's roster of professionals has extensive experience in ransomware blocking, cleanup, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others that were involved), thank you for letting me get rested after we made it over the initial fire. All of you made an incredible effort, and if anyone is in the Chicago area, a great meal is on me!"

To review or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Houston a variety of remote monitoring and security assessment services designed to assist you to minimize the threat from crypto-ransomware. These services include next-generation machine learning technology to uncover new strains of ransomware that are able to evade legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting edge behavior-based machine learning technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which easily evade legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects on-premises and cloud resources and provides a single platform to address the entire malware attack lifecycle including filtering, infiltration detection, containment, remediation, and forensics. Top features include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver affordable multi-layer protection for physical servers and virtual machines, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and behavior analysis for round-the-clock monitoring of and response to attacks from all vectors. ProSight ESP provides firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge tools packaged in a single agent managed from a unified console. Progent's data protection and virtualization experts can help your business plan and configure a ProSight ESP deployment that meets your company's specific requirements and helps you demonstrate compliance with legal and industry information security regulations. Progent will help you define and configure the security policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alerts that call for immediate attention. Progent can also help your company install and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with leading backup/restore technology companies to create ProSight Data Protection Services (DPS), a selection of management outsourcing plans that deliver backup-as-a-service (BaaS). ProSight DPS products manage and monitor your backup processes and enable transparent backup and rapid recovery of vital files, applications, images, plus VMs. ProSight DPS helps you recover from data loss caused by equipment breakdown, natural disasters, fire, malware like ransomware, human error, ill-intentioned insiders, or software bugs. Managed backup services available in the ProSight DPS product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you to identify which of these fully managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the technology of leading information security companies to deliver web-based management and comprehensive security for all your email traffic. The hybrid structure of the Email Guard managed service combines cloud-based filtering with an on-premises gateway appliance to provide advanced defense against spam, viruses, denial-of-service attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter serves as a first barrier and blocks most unwanted email before it reaches your network firewall. This reduces your exposure to external threats and saves network bandwidth and storage space. Email Guard's on-site security gateway appliance provides a further level of analysis for incoming email. For outgoing email, the local gateway offers anti-virus and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also help Exchange Server track and safeguard internal email that never leaves your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to diagram, track, optimize and troubleshoot their networking appliances like routers and switches, firewalls, and load balancers as well as servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that network diagrams are always current, copies and displays the configuration information of virtually all devices on your network, monitors performance, and generates notices when issues are detected. By automating tedious network management activities, ProSight WAN Watch can cut hours off common chores like making network diagrams, reconfiguring your network, locating devices that require important software patches, or identifying the cause of performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates state-of-the-art remote monitoring and management techniques to help keep your network operating efficiently by tracking the health of critical assets that drive your information system. When ProSight LAN Watch uncovers an issue, an alert is transmitted automatically to your specified IT staff and your Progent consultant so that any looming issues can be addressed before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected, fault-tolerant data center on a high-performance virtual host configured and maintained by Progent's network support experts. Under the ProSight Virtual Hosting model, the customer owns the data, the OS platforms, and the applications. Because the system is virtualized, it can be moved easily to a different hosting solution without a time-consuming and technically risky reinstallation, so with ProSight Virtual Hosting you are not tied to one hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard information about your IT infrastructure, procedures, applications, and services. You can instantly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT infrastructure documentation, you can eliminate as much as half of the time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents related to managing your business network, such as standard operating procedures and how-to guides. ProSight IT Asset Management also offers a high level of automation for collecting and correlating IT data. Whether you're making enhancements, performing maintenance, or responding to a crisis, ProSight IT Asset Management gets you the knowledge you need when you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection service that uses behavior-based analysis to guard endpoints and physical and virtual servers against modern malware attacks such as ransomware and email phishing, which routinely get past legacy signature-based anti-virus products. The service safeguards local and cloud resources and provides a single platform covering the complete threat lifecycle, including blocking, detection, containment, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered threats. Learn more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Service Center: Help Desk Managed Services
    Progent's Support Center managed services enable your information technology team to outsource Support Desk services to Progent or split activity for support services transparently between your in-house network support staff and Progent's extensive roster of certified IT service engineers and subject matter experts. Progent's Shared Service Desk offers a seamless extension of your internal IT support team. Client access to the Help Desk, delivery of support services, issue escalation, trouble ticket generation and updates, efficiency measurement, and management of the service database are consistent regardless of whether incidents are resolved by your core IT support organization, by Progent's team, or by a combination. Learn more about Progent's outsourced/co-managed Help Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of all sizes a flexible and affordable solution for assessing, testing, scheduling, applying, and documenting updates to your dynamic information network. In addition to maximizing the protection and functionality of your IT environment, Progent's software/firmware update management services allow your IT team to focus on line-of-business projects and tasks that derive maximum business value from your network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo MFA service plans incorporate Cisco's Duo cloud technology to protect against compromised passwords by using two-factor authentication. Duo supports one-tap identity verification on Apple iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a secured application and give your password you are asked to confirm who you are via a device that only you possess and that uses a different ("out-of-band") network channel. A broad selection of out-of-band devices can be utilized for this second form of authentication including a smartphone or wearable, a hardware token, a landline phone, etc. You can designate several validation devices. To find out more about ProSight Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing line of real-time reporting utilities designed to integrate with the industry's top ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize key issues such as spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, reduces management overhead, and saves money. For more information, see ProSight Reporting for ticketing and network monitoring applications.

For Houston 24/7/365 Crypto-Ransomware Repair Experts, reach out to Progent at 800-462-8800 or go to Contact Progent.