Ransomware : Your Crippling IT Nightmare
Crypto-Ransomware Recovery Professionals

Ransomware has become a modern cyberplague that presents an existential threat to businesses of all sizes that are poorly prepared for an attack. Older ransomware families such as the CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock cryptoworms have been in the wild for a long time and continue to cause destruction. The latest strains, including Ryuk, Maze, Sodinokibi, DopplePaymer, Conti and Nephilim, plus additional as yet unnamed variants, not only encrypt online data but also seek out and destroy any system backups they can reach. Information replicated to the cloud can also be ransomed. In a poorly designed data protection solution, this can make automated restore operations impossible and effectively knocks the datacenter back to zero.

Recovering programs and data following a ransomware event becomes a sprint against time as the targeted organization fights to stop the spread, eradicate the ransomware, and resume business-critical activity. Because ransomware needs time to spread, intrusions are usually launched at night, when attacks typically take longer to detect. This multiplies the difficulty of rapidly mobilizing and organizing a qualified response team.

Progent has a range of solutions for protecting businesses from ransomware attacks. Among these are staff education to help employees recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and the setup and configuration of modern security appliances with artificial intelligence technology from SentinelOne to identify and contain zero-day cyber attacks automatically. Progent also provides the services of veteran ransomware recovery engineers with the skills and commitment to restore a compromised system as urgently as possible.

Progent's Ransomware Recovery Services
After a crypto-ransomware attack, even paying the ransom demand in Bitcoin does not ensure that the cyber criminals will return the keys needed to decrypt any or all of your files. Kaspersky Labs estimated that seventeen percent of ransomware victims never restored their data even after paying the ransom, resulting in increased losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is far above the average crypto-ransomware demand, which ZDNET determined to be in the range of $13,000. The alternative is to set up the mission-critical elements of your IT environment from scratch. Without access to complete system backups, this calls for a wide complement of skill sets, top-notch team management, and the capability to work 24x7 until the recovery project is finished.

For decades, Progent has provided expert IT services to businesses in Vacaville and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned top industry certifications in important technologies such as Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers hold internationally recognized certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience in financial systems and ERP applications. This breadth of experience gives Progent the ability to rapidly identify critical systems after a ransomware attack, reorganize the surviving components of your IT environment, and assemble them into a functioning network.

Progent's security group uses top-notch project management tools to orchestrate the complex recovery process. Progent understands the urgency of working rapidly and in concert with a client's management and IT staff to prioritize tasks and get the most important applications back online as soon as possible.

Client Case Study: A Successful Ransomware Attack Restoration
A client contacted Progent after their network was crippled by Ryuk ransomware. Ryuk is thought to have been developed by North Korean state-sponsored hackers, possibly adopting technology leaked from the United States NSA. Ryuk targets specific companies with little tolerance for disruption and is one of the most lucrative ransomware families. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a small manufacturing business located in the Chicago metro area with about 500 workers. The Ryuk attack had paralyzed all essential business operations and manufacturing capabilities. Most of the client's backups had been online at the time of the attack and were destroyed. The client considered paying the ransom demand (exceeding $200,000) and hoping for good luck, but in the end reached out to Progent.

"I can't speak enough about the expertise Progent gave us during the most critical period of (our) business's life. We may have had to pay the cyber criminals if it wasn't for the confidence the Progent team gave us. That you were able to get our e-mail system and important applications back online quicker than seven days was earth shattering. Each consultant I worked with or texted at Progent was absolutely committed to getting us back on-line and was working day and night to bail us out."

Progent worked hand in hand with the customer to quickly identify and prioritize the mission-critical applications that had to be restored before departmental functions could resume:

  • Windows Active Directory
  • Email
  • Accounting and Manufacturing Software

To start, Progent followed industry best practices for ransomware incident mitigation by halting lateral movement and cleaning up compromised systems. Progent then began recovering Windows Active Directory, the heart of enterprise systems built on Microsoft technology. Microsoft Exchange email will not work without Active Directory, and the client's accounting and MRP applications ran on SQL Server, which depends on Active Directory to authenticate access to the data.

Within two days, Progent was able to rebuild Windows Active Directory to its pre-attack state. Progent then initiated reinstallations and storage recovery of critical servers. All Exchange schema and configuration information were intact, which greatly helped the restoration of Exchange. Progent was also able to collect local OST files (Outlook Offline Folder Files) from various desktop computers and laptops to recover email data. A reasonably recent offline backup of the client's financials/ERP software made it possible to bring these required services back online for users. Although major work remained to recover fully from the Ryuk virus, critical systems were returned to operation rapidly:
"For the most part, the manufacturing operation never missed a beat and we produced all customer deliverables."

Throughout the following month, critical milestones in the recovery process were achieved in close cooperation between Progent consultants and the client:

  • In-house web sites were restored with no loss of information.
  • The MailStore archive for Microsoft Exchange Server, holding more than 4 million archived emails, was brought online and made available to users.
  • CRM/Customer Orders/Invoices/Accounts Payable/Accounts Receivables/Inventory modules were fully functional.
  • A new Palo Alto 850 security appliance was installed.
  • Nearly all of the user desktops were operational.

"So much of what happened that first week is mostly a fog for me, but my team will not soon forget the countless hours each and every one of your team accomplished to help get our company back. I have been working with Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This event was a stunning achievement."

Conclusion
A likely business-killing catastrophe was averted thanks to hard-working professionals, a wide range of technical expertise, and close collaboration. Although in retrospect the ransomware intrusion described here should have been stopped by modern security solutions, NIST Cybersecurity Framework best practices, staff training, and well thought out incident response procedures for data backup and for keeping systems current with security patches, the reality is that state-sponsored cybercriminals from Russia, North Korea and elsewhere are relentless and remain an ongoing threat. If you do fall victim to a ransomware intrusion, be confident that Progent's roster of professionals has a proven track record in crypto-ransomware defense, mitigation, and data disaster recovery.

"So, to Darrin, Matt, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were involved), I'm grateful for letting me get rested after we got over the most critical parts. All of you did an amazing job, and if anyone is in the Chicago area, dinner is my treat!"

To review or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent offers businesses in Vacaville a portfolio of remote monitoring and security evaluation services to help you reduce the threat from ransomware. These services incorporate modern machine learning technology to detect zero-day strains of ransomware that can escape detection by legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting-edge behavior analysis technology to defend physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which routinely get past legacy signature-based anti-virus products. ProSight ASM protects local and cloud resources and provides a unified platform to address the entire threat lifecycle, including protection, detection, mitigation, remediation, and post-attack forensics. Top features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time network-wide immunization against newly discovered threats. Progent is a certified SentinelOne Partner. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) services offer ultra-affordable multi-layer security for physical and virtual servers, workstations, smartphones, and Exchange email. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP delivers two-way firewall protection, intrusion alarms, device control, and web filtering through leading-edge technologies packaged within one agent managed from a unified console. Progent's security and virtualization consultants can help you plan and configure a ProSight ESP environment that addresses your organization's unique needs and lets you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alerts that require immediate attention. Progent can also help your company set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore technology providers to create ProSight Data Protection Services, a selection of subscription-based managed offerings that deliver backup-as-a-service. ProSight DPS products manage and track your backup processes and allow transparent backup and rapid restoration of vital files, applications, images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business avoid data loss caused by equipment failures, natural disasters, fire, malware such as ransomware, user error, malicious employees, or application bugs. Managed backup services in the ProSight DPS portfolio include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight ECHO Backup based on Barracuda dedicated storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent expert can help you determine which of these fully managed backup services are best suited to your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security companies to deliver web-based management and world-class protection for all your email traffic. The architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises gateway appliance to provide complete protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks (DHAs), and other email-based threats. The cloud filter acts as a first line of defense and blocks most unwanted email before it reaches your security perimeter. This reduces your exposure to inbound threats and conserves bandwidth and storage space. Email Guard's on-premises gateway device adds a further layer of analysis for incoming email. For outbound email, the local security gateway provides anti-virus and anti-spam protection, protection against data leaks, and email encryption. The onsite gateway can also help Microsoft Exchange Server track and safeguard internal email traffic that stays within your corporate firewall. For more information, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for small and mid-sized businesses to map, track, enhance and debug their networking appliances such as routers, firewalls, and access points, plus servers, client computers and other devices. Using cutting-edge RMM technology, ProSight WAN Watch makes sure that infrastructure topology diagrams are always current, captures and manages the configuration information of almost all devices connected to your network, tracks performance, and sends alerts when problems are detected. By automating complex management and troubleshooting activities, WAN Watch can knock hours off routine chores such as network mapping, reconfiguring your network, finding appliances that require important updates, or isolating performance issues. Find out more about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management technology to keep your IT system running at peak levels by tracking the health of the vital computers that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your designated IT staff and your Progent engineering consultant so any looming issues can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its key servers and applications hosted in a protected fault tolerant data center on a high-performance virtual host set up and maintained by Progent's network support professionals. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the operating system software, and the applications. Since the environment is virtualized, it can be moved easily to an alternate hardware solution without requiring a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard data about your IT infrastructure, processes, business applications, and services. You can quickly find passwords or IP addresses and be alerted about upcoming expirations of SSL certificates or warranties. By cleaning up and managing your IT documentation, you can save as much as half of the time wasted trying to find critical information about your network. ProSight IT Asset Management features a common repository for storing and collaborating on all documents required for managing your network infrastructure, such as recommended procedures and how-to guides. ProSight IT Asset Management also supports a high level of automation for gathering and relating IT data. Whether you're making enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Find out more about the ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection solution that uses cutting-edge behavioral machine learning tools to defend endpoint devices as well as physical and virtual servers against new malware attacks like ransomware and email phishing, which routinely escape legacy signature-matching anti-virus products. Progent Active Security Monitoring services safeguard local and cloud resources and offer a unified platform to automate the entire threat progression, including protection, intrusion detection, containment, cleanup, and post-attack forensics. Top features include single-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Center: Support Desk Managed Services
    Progent's Call Center services allow your IT team to outsource Support Desk services to Progent or to share Service Desk activity transparently between your in-house support team and Progent's extensive roster of IT support engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a transparent extension of your internal support staff. Client interaction with the Help Desk, provision of technical assistance, problem escalation, trouble ticket creation and updates, performance metrics, and management of the service database are cohesive whether issues are resolved by your core IT support organization, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of all sizes a versatile and affordable solution for evaluating, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving information network. In addition to optimizing the protection and functionality of your computer environment, Progent's patch management services allow your in-house IT staff to focus on line-of-business projects and activities that deliver maximum business value from your information network. Learn more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Protected Single Sign-on (SSO)
    Progent's Duo MFA managed services incorporate Cisco's Duo cloud technology to protect against stolen passwords through the use of two-factor authentication. Duo enables single-tap identity confirmation with Apple iOS, Google Android, and other out-of-band devices. With 2FA, whenever you log into a protected application and enter your password, you are asked to confirm who you are on a device that only you have and that is reached over a different network channel. A broad range of out-of-band devices can be used for this second means of authentication, such as a smartphone or watch, a hardware/software token, or a landline telephone. You may designate several validation devices. For details about ProSight Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication services for access security.

For Vacaville 24-7 Crypto-Ransomware Remediation Experts, call Progent at 800-462-8800 or go to Contact Progent.