Ransomware : Your Feared IT Nightmare
Ransomware  Remediation ProfessionalsRansomware has become an escalating cyber pandemic that represents an existential danger for organizations vulnerable to an assault. Different iterations of ransomware such as Dharma, WannaCry, Bad Rabbit, NotPetya and MongoLock cryptoworms have been around for many years and continue to cause damage. Modern strains of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Nephilim, along with additional as yet unnamed malware, not only do encryption of on-line information but also infiltrate all configured system protection mechanisms. Data synchronized to the cloud can also be rendered useless. In a poorly designed environment, it can render any restoration impossible and effectively knocks the network back to square one.

Getting back online programs and data following a ransomware event becomes a sprint against time as the targeted business struggles to stop the spread and cleanup the ransomware and to restore enterprise-critical activity. Due to the fact that crypto-ransomware takes time to spread, attacks are frequently sprung on weekends and holidays, when penetrations typically take more time to discover. This multiplies the difficulty of rapidly marshalling and orchestrating a knowledgeable response team.

Progent provides an assortment of support services for securing enterprises from crypto-ransomware penetrations. Among these are team education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, in addition to installation of modern security solutions with artificial intelligence capabilities from SentinelOne to discover and quarantine day-zero cyber attacks intelligently. Progent also can provide the services of expert crypto-ransomware recovery engineers with the talent and perseverance to reconstruct a compromised network as quickly as possible.

Progent's Ransomware Restoration Services
After a ransomware penetration, sending the ransom in Bitcoin cryptocurrency does not guarantee that cyber hackers will provide the needed codes to unencrypt all your files. Kaspersky ascertained that 17% of ransomware victims never recovered their information even after having paid the ransom, resulting in more losses. The risk is also expensive. Ryuk ransoms often range from 15-40 BTC ($120,000 and $400,000). This is significantly higher than the typical ransomware demands, which ZDNET averages to be approximately $13,000. The fallback is to setup from scratch the vital elements of your Information Technology environment. Without access to full data backups, this requires a wide complement of IT skills, top notch project management, and the ability to work continuously until the recovery project is over.

For twenty years, Progent has offered professional Information Technology services for companies in Vacaville and throughout the U.S. and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have been awarded advanced industry certifications in leading technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cybersecurity consultants have garnered internationally-recognized industry certifications including CISA, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has expertise with financial management and ERP application software. This breadth of experience affords Progent the capability to efficiently ascertain important systems and consolidate the remaining pieces of your computer network system after a ransomware penetration and rebuild them into a functioning network.

Progent's recovery team uses top notch project management systems to coordinate the sophisticated restoration process. Progent understands the importance of working quickly and in unison with a customer's management and Information Technology resources to prioritize tasks and to put key applications back on line as soon as humanly possible.

Client Story: A Successful Ransomware Intrusion Response
A small business hired Progent after their network system was crashed by Ryuk ransomware. Ryuk is thought to have been created by North Korean government sponsored criminal gangs, possibly using techniques leaked from America's National Security Agency. Ryuk goes after specific companies with little tolerance for disruption and is among the most profitable incarnations of ransomware. Major targets include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturing business based in the Chicago metro area with about 500 workers. The Ryuk event had brought down all company operations and manufacturing processes. Most of the client's data backups had been online at the start of the attack and were damaged. The client was evaluating paying the ransom (exceeding two hundred thousand dollars) and praying for good luck, but in the end utilized Progent.


"I can't speak enough about the expertise Progent gave us throughout the most critical time of (our) businesses survival. We most likely would have paid the hackers behind this attack if it wasn't for the confidence the Progent team provided us. That you could get our messaging and critical applications back online sooner than seven days was earth shattering. Each consultant I talked with or e-mailed at Progent was laser focused on getting us back online and was working all day and night on our behalf."

Progent worked with the client to quickly get our arms around and prioritize the key systems that had to be restored in order to continue business functions:

  • Windows Active Directory
  • Electronic Messaging
  • MRP System
To get going, Progent adhered to AV/Malware Processes event mitigation best practices by halting lateral movement and disinfecting systems. Progent then started the work of bringing back online Microsoft Active Directory, the heart of enterprise systems built upon Microsoft technology. Microsoft Exchange messaging will not function without AD, and the client's financials and MRP applications leveraged Microsoft SQL, which needs Active Directory services for security authorization to the information.

Within 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with setup and storage recovery of mission critical servers. All Exchange data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to collect local OST data files (Outlook Email Off-Line Folder Files) on staff desktop computers to recover email messages. A not too old offline backup of the client's manufacturing systems made it possible to recover these vital applications back on-line. Although a lot of work was left to recover fully from the Ryuk event, core services were returned to operations quickly:


"For the most part, the production line operation did not miss a beat and we delivered all customer orders."

During the following month critical milestones in the restoration project were accomplished through tight cooperation between Progent engineers and the customer:

  • Self-hosted web applications were restored with no loss of data.
  • The MailStore Server containing more than four million historical messages was brought online and accessible to users.
  • CRM/Product Ordering/Invoicing/AP/AR/Inventory Control capabilities were 100% functional.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • Ninety percent of the user PCs were back into operation.

"A lot of what went on in the early hours is mostly a haze for me, but I will not soon forget the countless hours each of your team put in to help get our company back. I've been working with Progent for at least 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This situation was a life saver."

Conclusion
A potential business-killing catastrophe was avoided with results-oriented professionals, a wide spectrum of knowledge, and close collaboration. Although upon completion of forensics the ransomware virus incident described here would have been identified and stopped with advanced cyber security solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff training, and well thought out incident response procedures for backup and proper patching controls, the fact remains that government-sponsored hackers from Russia, China and elsewhere are relentless and will continue. If you do fall victim to a crypto-ransomware incursion, remember that Progent's team of professionals has a proven track record in crypto-ransomware virus blocking, removal, and file restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were helping), I'm grateful for letting me get rested after we got over the first week. Everyone did an impressive effort, and if any of your team is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer story, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Vacaville a variety of online monitoring and security evaluation services designed to assist you to reduce the threat from ransomware. These services include modern AI capability to uncover zero-day strains of ransomware that are able to get past legacy signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that utilizes SentinelOne's cutting edge behavior machine learning technology to defend physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely evade legacy signature-matching AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a single platform to manage the complete threat progression including blocking, detection, mitigation, remediation, and post-attack forensics. Top features include single-click rollback with Windows VSS and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, dealer, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services deliver affordable multi-layer protection for physical and virtual servers, desktops, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced machine learning for continuously monitoring and reacting to cyber threats from all vectors. ProSight ESP provides firewall protection, penetration alerts, device management, and web filtering through cutting-edge tools packaged within one agent accessible from a unified control. Progent's security and virtualization consultants can help your business to design and configure a ProSight ESP environment that addresses your organization's specific needs and that allows you demonstrate compliance with government and industry information protection regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alerts that require urgent action. Progent's consultants can also assist your company to set up and test a backup and restore system like ProSight Data Protection Services so you can recover quickly from a destructive cyber attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has worked with leading backup/restore software providers to create ProSight Data Protection Services (DPS), a family of management offerings that deliver backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup processes and allow non-disruptive backup and rapid restoration of critical files/folders, apps, images, plus Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss resulting from equipment breakdown, natural disasters, fire, cyber attacks such as ransomware, user mistakes, malicious employees, or software glitches. Managed services in the ProSight DPS product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated hardware, and ProSight MSP360 Hybrid Backup. Your Progent expert can help you to identify which of these managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the technology of leading information security vendors to deliver web-based management and world-class protection for your email traffic. The hybrid structure of Email Guard managed service combines a Cloud Protection Layer with an on-premises security gateway device to provide advanced defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-borne threats. The Cloud Protection Layer serves as a preliminary barricade and blocks the vast majority of threats from making it to your network firewall. This decreases your vulnerability to external threats and saves system bandwidth and storage. Email Guard's onsite security gateway appliance adds a further level of inspection for inbound email. For outbound email, the onsite security gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Microsoft Exchange Server to monitor and protect internal email that originates and ends inside your corporate firewall. For more information, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure management service that makes it simple and affordable for smaller organizations to map out, track, reconfigure and debug their connectivity hardware like switches, firewalls, and wireless controllers plus servers, printers, endpoints and other devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are always current, copies and displays the configuration of virtually all devices connected to your network, tracks performance, and generates notices when potential issues are detected. By automating time-consuming management and troubleshooting activities, WAN Watch can cut hours off common tasks such as network mapping, expanding your network, finding devices that require critical software patches, or resolving performance issues. Learn more details about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that uses advanced remote monitoring and management (RMM) techniques to keep your IT system running at peak levels by checking the health of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent automatically to your designated IT management staff and your Progent engineering consultant so that any looming problems can be addressed before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small business can have its critical servers and applications hosted in a protected fault tolerant data center on a high-performance virtual machine host set up and managed by Progent's IT support professionals. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Because the environment is virtualized, it can be ported immediately to a different hardware solution without a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not locked into one hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to create, update, find and protect data about your IT infrastructure, procedures, business apps, and services. You can instantly locate passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can eliminate up to half of time thrown away trying to find critical information about your IT network. ProSight IT Asset Management features a common location for holding and sharing all documents related to managing your business network such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're planning enhancements, doing maintenance, or responding to an emergency, ProSight IT Asset Management delivers the knowledge you need when you need it. Read more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) managed service that utilizes next generation behavior analysis tools to defend endpoint devices and servers and VMs against modern malware assaults such as ransomware and email phishing, which routinely escape legacy signature-based AV tools. Progent Active Security Monitoring services protect local and cloud-based resources and offers a unified platform to address the complete malware attack progression including protection, infiltration detection, mitigation, cleanup, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Read more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Desk: Call Center Managed Services
    Progent's Call Desk managed services allow your IT team to offload Help Desk services to Progent or split activity for Help Desk services transparently between your internal support resources and Progent's nationwide roster of certified IT service engineers and subject matter experts. Progent's Shared Help Desk Service offers a seamless supplement to your corporate support resources. End user interaction with the Service Desk, delivery of support, escalation, trouble ticket generation and tracking, performance measurement, and management of the support database are cohesive whether issues are resolved by your in-house network support group, by Progent, or a mix of the two. Find out more about Progent's outsourced/co-managed Call Desk services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's support services for patch management provide organizations of any size a versatile and affordable solution for evaluating, testing, scheduling, applying, and documenting updates to your ever-evolving information system. Besides optimizing the protection and functionality of your IT network, Progent's patch management services permit your in-house IT team to concentrate on line-of-business initiatives and tasks that derive the highest business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services incorporate Cisco's Duo cloud technology to defend against compromised passwords through the use of two-factor authentication. Duo supports one-tap identity verification with iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you sign into a secured online account and give your password you are requested to confirm who you are on a unit that only you have and that is accessed using a different ("out-of-band") network channel. A broad range of out-of-band devices can be used as this second means of ID validation including a smartphone or wearable, a hardware token, a landline phone, etc. You may designate several validation devices. To learn more about Duo two-factor identity authentication services, go to Cisco Duo MFA two-factor authentication (2FA) services for access security.
For Vacaville 24-7 Crypto Remediation Services, call Progent at 800-462-8800 or go to Contact Progent.