Ransomware: Your Crippling Information Technology Nightmare

Crypto-Ransomware Remediation Professionals

Ransomware has become a modern cyber pandemic that poses an existential danger for businesses poorly prepared for an attack. Versions of ransomware like the CryptoLocker, WannaCry, Bad Rabbit, SamSam and MongoLock cryptoworms have been running rampant for a long time and still cause destruction. Modern variants of ransomware like Ryuk, Maze, Sodinokibi, DoppelPaymer, LockBit or Nephilim, plus new and as yet unnamed variants appearing daily, not only encrypt online data but also infect any accessible system backups. Data synchronized to the cloud can also be encrypted. In a vulnerable data protection solution, this can make automatic restore operations hopeless and basically knocks the datacenter back to zero.

Getting applications and data back online following a ransomware attack becomes a sprint against the clock as the targeted organization fights to stop the spread, remove the crypto-ransomware, and restore business-critical activity. Because ransomware needs time to move laterally, attacks are usually launched at night, when a successful penetration is likely to take longer to uncover. This multiplies the difficulty of rapidly marshalling and orchestrating a knowledgeable mitigation team.

Progent provides a variety of solutions for securing organizations from crypto-ransomware events. These include user training to help recognize and avoid phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with deployment of next-generation security solutions with AI technology from SentinelOne to identify and quarantine zero-day cyber threats quickly. Progent also offers the assistance of veteran crypto-ransomware recovery consultants with the track record and commitment to reconstruct a compromised system as rapidly as possible.

Progent's Ransomware Recovery Support Services
Following a crypto-ransomware attack, even paying the ransom demand in cryptocurrency does not ensure that merciless criminals will return the keys to decrypt any of your data. Kaspersky Labs estimated that seventeen percent of ransomware victims never recovered their data even after having paid the ransom, resulting in further losses. The gamble is also expensive. Ryuk ransoms often range from fifteen to forty BTC ($120,000 to $400,000). This is far above the usual ransomware demand, which ZDNET determined to be approximately $13,000. The fallback is to piece back together the vital parts of your Information Technology environment. Without access to essential system backups, this requires a wide range of skills, well-coordinated project management, and the capability to work non-stop until the task is done.

For twenty years, Progent has made available certified expert Information Technology services for businesses in Fort Wayne and throughout the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned top industry certifications in important technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security engineers have earned internationally recognized certifications including CISM, CISSP-ISSAP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with financial systems and ERP software solutions. This breadth of experience gives Progent the skills to quickly identify critical systems, consolidate the surviving parts of your Information Technology environment following a ransomware event, and rebuild them into a functioning system.

Progent's recovery group utilizes powerful project management systems to coordinate the complicated restoration process. Progent understands the urgency of acting quickly and works together with a customer's management and Information Technology resources to prioritize tasks and to get key systems back online as soon as humanly possible.

Case Study: A Successful Ransomware Penetration Recovery
A client contacted Progent after their company was brought down by the Ryuk ransomware virus. Ryuk is thought to have been created by North Korean government-sponsored criminal gangs, suspected of using technology leaked from the United States National Security Agency. Ryuk targets specific organizations with little tolerance for operational disruption and is one of the most profitable examples of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing company located in Chicago with around 500 staff members. The Ryuk intrusion had paralyzed all essential operations and manufacturing capabilities. Most of the client's system backups had been online at the start of the attack and were encrypted. The client considered paying the ransom (in excess of two hundred thousand dollars) and praying for good luck, but ultimately turned to Progent.

"I can't thank you enough for the help Progent provided us throughout the most stressful period of (our) business's life. We may have had to pay the Hackers if not for the confidence the Progent experts gave us. The fact that you could get our messaging and production servers back into operation in less than one week was incredible. Every single expert I talked with or texted at Progent was hell bent on getting us back on-line and was working non-stop on our behalf."

Progent worked together with the customer to rapidly identify and prioritize the most important systems that had to be restored to make it possible to restart business functions:

  • Active Directory
  • Microsoft Exchange
  • Accounting/MRP

To get going, Progent followed industry best practices for malware incident response by first stopping lateral movement and removing active malware. Progent then initiated the process of restoring Active Directory, the core of enterprise environments built on Microsoft Windows Server technology. Microsoft Exchange Server messaging will not function without AD, and the business's financials and MRP applications ran on Microsoft SQL Server, which relied on Active Directory to authorize access to the databases.

In less than 48 hours, Progent was able to rebuild Active Directory to its pre-attack state. Progent then completed reinstallations and storage recovery of key applications. All Exchange schema and configuration information were intact, which facilitated the restoration of Exchange. Progent was also able to find intact OST files (Outlook Offline Data Files) on various workstations and used them to recover mail messages. A recent offline backup of the client's financials/MRP software allowed these essential applications to be restored and made available to users again. Although a large amount of work remained to recover fully from the Ryuk virus, the most important systems were restored quickly:

"For the most part, the production line operation survived unscathed and we produced all customer deliverables."

Over the next month important milestones in the restoration project were achieved in close cooperation between Progent consultants and the client:

  • In-house web sites were brought back up without losing any data.
  • The MailStore Microsoft Exchange Server with over 4 million historical emails was restored to operations and accessible to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable/AR/Inventory modules were completely operational.
  • A new Palo Alto Networks 850 firewall was deployed.
  • Ninety percent of the user PCs were functioning as before the incident.

"A huge amount of what occurred in the initial days is mostly a haze for me, but I will not soon forget the commitment each of you accomplished to give us our business back. I have been working together with Progent for at least 10 years, maybe more, and every time Progent has impressed me and delivered. This time was the most impressive ever."

Conclusion
A potential company-ending disaster was averted through the efforts of results-oriented professionals, a broad spectrum of IT skills, and close teamwork. Although forensic analysis showed that the ransomware incident described here would have been identified and stopped by current cyber security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, staff education, well-thought-out security procedures for information protection, and proper patching controls, the reality remains that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and will continue. If you do get hit by a ransomware virus, remember that Progent's roster of experts has substantial experience in ransomware blocking, remediation, and file restoration.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Chris (along with others that were involved), thanks very much for allowing me to get rested after we got past the initial push. All of you made an impressive effort, and if any of your team is around the Chicago area, a great meal is on me!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Fort Wayne a variety of remote monitoring and security evaluation services to help you reduce the threat from ransomware. These services utilize next-generation artificial intelligence capability to detect new variants of ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior analysis technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and email phishing, which routinely escape traditional signature-based anti-virus tools. ProSight ASM protects local and cloud-based resources and provides a unified platform to automate the complete malware attack lifecycle including blocking, detection, containment, cleanup, and forensics. Top features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Progent is a SentinelOne Partner, dealer, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer economical multi-layer security for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP uses contextual security and modern behavior analysis for round-the-clock monitoring of and response to cyber attacks from all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through cutting-edge tools incorporated within a single agent managed from a single console. Progent's data protection and virtualization consultants can help your business plan and configure a ProSight ESP environment that meets your organization's unique needs and that allows you to prove compliance with legal and industry data protection standards. Progent will help you specify and configure the security policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require urgent attention. Progent can also help you install and verify a backup and restore solution such as ProSight Data Protection Services (DPS) so you can get back in business quickly after a destructive security attack such as ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint security and Microsoft Exchange filtering.

  • ProSight Data Protection Services: Backup and Recovery Services
    Progent has partnered with advanced backup software providers to produce ProSight Data Protection Services (DPS), a portfolio of management offerings that deliver backup-as-a-service. ProSight DPS services automate and monitor your data backup processes and allow transparent backup and rapid restoration of important files/folders, apps, system images, plus VMs. ProSight DPS lets you recover from data loss resulting from equipment breakdown, natural calamities, fire, malware like ransomware, user mistakes, ill-intentioned employees, or application glitches. Managed services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to determine which of these managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of leading information security vendors to provide web-based control and world-class protection for all your inbound and outbound email. The hybrid architecture of Progent's Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to provide complete defense against spam, viruses, DoS attacks, Directory Harvest Attacks (DHAs), and other email-based malware. The Cloud Protection Layer serves as a first line of defense and blocks most unwanted email from reaching your security perimeter. This decreases your exposure to inbound threats and saves network bandwidth and storage space. Email Guard's onsite gateway appliance provides a deeper level of analysis for inbound email. For outbound email, the local gateway provides AV and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also assist Exchange Server to track and protect internal email that originates and ends within your corporate firewall. For more details, see Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure monitoring and management service that makes it easy and affordable for smaller businesses to diagram, track, enhance and troubleshoot their networking appliances such as routers, firewalls, and wireless controllers as well as servers, printers, client computers and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always updated, captures and displays the configuration information of virtually all devices on your network, monitors performance, and generates notices when issues are discovered. By automating tedious network management processes, WAN Watch can knock hours off ordinary tasks such as network mapping, reconfiguring your network, finding appliances that need critical updates, or resolving performance problems. Find out more details about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to help keep your IT system operating at peak levels by checking the health of vital computers that power your information system. When ProSight LAN Watch detects a problem, an alarm is sent immediately to your specified IT management personnel and your Progent consultant so that any looming problems can be addressed before they can disrupt productivity. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and apps hosted in a secure Tier III data center on a high-performance virtual machine host set up and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Since the environment is virtualized, it can be ported immediately to an alternate hardware environment without a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, you are not tied to a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, find and protect information about your network infrastructure, procedures, applications, and services. You can instantly find passwords or serial numbers and be alerted automatically about impending expirations of SSL certificates or domains. By cleaning up and organizing your IT infrastructure documentation, you can eliminate up to 50% of time spent looking for critical information about your IT network. ProSight IT Asset Management features a common location for storing and sharing all documents required for managing your network infrastructure such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT data. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the data you need the instant you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates next-generation behavioral machine learning technology to guard endpoint devices as well as servers and VMs against modern malware attacks like ransomware and file-less exploits, which easily escape traditional signature-based AV products. Progent Active Security Monitoring services protect local and cloud resources and offer a unified platform to automate the entire threat progression including protection, identification, mitigation, remediation, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and automatic network-wide immunization against new attacks. Find out more about Progent's ransomware defense and recovery services.

  • Outsourced/Co-managed Service Desk: Support Desk Managed Services
    Progent's Support Center services allow your IT staff to outsource Call Center services to Progent or divide responsibilities for support services seamlessly between your in-house support group and Progent's extensive pool of certified IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a transparent supplement to your internal support staff. End user interaction with the Service Desk, delivery of support, escalation, ticket creation and tracking, efficiency measurement, and management of the service database are consistent whether issues are resolved by your corporate IT support staff, by Progent, or both. Find out more about Progent's outsourced/shared Call Center services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management provide businesses of all sizes a flexible and cost-effective solution for evaluating, validating, scheduling, applying, and documenting updates to your dynamic IT network. Besides maximizing the protection and functionality of your IT environment, Progent's software/firmware update management services permit your IT staff to concentrate on more strategic initiatives and tasks that deliver maximum business value from your information network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services incorporate Cisco's Duo technology to defend against password theft through the use of two-factor authentication (2FA). Duo enables single-tap identity verification with iOS, Google Android, and other out-of-band devices. With 2FA, whenever you log into a secured application and give your password, you are asked to verify your identity via a device that only you possess and that is reached over a different network channel. A wide range of devices can be utilized for this second form of identity validation, such as an iPhone, Android phone or wearable, a hardware/software token, a landline phone, etc. You may register multiple validation devices. To find out more about ProSight Duo identity validation services, go to Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding suite of real-time and in-depth reporting tools designed to work with the industry's leading ticketing and network monitoring platforms including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize critical issues like spotty support follow-up or machines with out-of-date AVs. By identifying ticketing or network health problems clearly and in near-real time, ProSight Reporting enhances productivity, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.

For Fort Wayne 24-Hour Crypto-Ransomware Cleanup Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.