Ransomware: Your Feared IT Nightmare
Ransomware Remediation Consultants
Ransomware has become an all-too-frequent cyberplague that represents an extinction-level threat for businesses vulnerable to an attack. Different versions of crypto-ransomware such as Dharma, Fusob, Locky, SamSam and MongoLock cryptoworms have been circulating for many years and continue to cause harm. Modern variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, along with frequent unnamed newcomers, not only encrypt critical online data but also infiltrate every accessible system backup. Information replicated to cloud environments can also be encrypted. With a poorly designed data protection solution, this can make recovery hopeless and effectively knock the entire system back to zero.

Retrieving applications and information following a ransomware outage becomes a race against the clock as the targeted business struggles to stop lateral movement, remove the crypto-ransomware, and restore business-critical activity. Since ransomware takes time to spread, assaults are frequently sprung on weekends, when attacks are likely to take longer to uncover. This multiplies the difficulty of quickly marshalling and coordinating a qualified mitigation team.

Progent has a variety of services for securing organizations against ransomware attacks. Among these are staff education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and deployment of modern security gateways with machine learning technology from SentinelOne to detect and extinguish new cyber threats automatically. Progent also offers the services of veteran crypto-ransomware recovery engineers with the track record and perseverance to restore a breached environment as soon as possible.

Progent's Ransomware Restoration Support Services
After a ransomware penetration, even paying the ransom demand in Bitcoin provides no assurance that the criminal gang will respond with the keys to decrypt all your data. Kaspersky ascertained that 17% of ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also costly. Ryuk ransoms commonly range from 15-40 BTC ($120,000 to $400,000). This is well above the average crypto-ransomware demand, which ZDNET estimates to be around $13,000. The fallback is to re-install the critical components of your Information Technology environment. Without access to essential information backups, this requires a broad complement of IT skills, top-notch project management, and the ability to work continuously until the job is completed.

For two decades, Progent has provided certified expert Information Technology services for companies in Fort Wayne and across the United States and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes professionals who have earned high-level certifications in key technologies like Microsoft, Cisco, VMware, and popular distros of Linux. Progent's cyber security consultants have garnered internationally-renowned certifications including CISA, CISSP-ISSAP, CRISC, and GIAC. (Refer to Progent's certifications.) Progent in addition has expertise in accounting and ERP software solutions. This breadth of expertise gives Progent the skills to efficiently identify critical systems, re-organize the remaining components of your computer network environment after a crypto-ransomware attack, and rebuild them into an operational network.

Progent's security group deploys top-notch project management tools to coordinate the complicated restoration process. Progent knows the urgency of acting quickly and in unison with a customer's management and IT staff to prioritize tasks and to put essential applications back on-line as soon as possible.

Case Study: A Successful Ransomware Virus Recovery
A client hired Progent after their company was attacked by the Ryuk ransomware. Ryuk is thought to have been launched by North Korean state criminal gangs, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk goes after specific companies with little tolerance for operational disruption and is one of the most lucrative versions of crypto-ransomware. Major victims include Data Resolution, a California-based information warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a small manufacturing business located in the Chicago metro area with around 500 employees. The Ryuk attack had frozen all essential operations and manufacturing capabilities. Most of the client's information backups had been online at the beginning of the attack and were encrypted. The client was evaluating paying the ransom (exceeding $200,000) and praying for the best, but ultimately reached out to Progent.

"I cannot thank you enough for the support Progent provided us during the most critical period of (our) company's existence. We would have paid the hackers behind this attack if it wasn't for the confidence the Progent experts gave us. The fact that you could get our messaging and production servers back into operation in less than a week was something I thought impossible. Every single staff member I interacted with or texted at Progent was amazingly focused on getting our system up and was working non-stop on our behalf."

Progent worked together with the client to rapidly understand and prioritize the essential applications that needed to be restored to make it possible to continue departmental functions:

  • Active Directory (AD)
  • Email
  • Financials/MRP
First, Progent followed ransomware incident response best practices by stopping lateral movement and cleaning up infected systems. Progent then began restoring Windows Active Directory, the foundation of enterprise systems built on Microsoft Windows technology. Microsoft Exchange Server email will not work without AD, and the client's MRP system used Microsoft SQL Server, which requires Active Directory for access to the data.

In less than 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then completed rebuilding and hard drive recovery on key servers. All Exchange data and configuration information were intact, which greatly helped the rebuild of Exchange. Progent was able to find local OST data files (Outlook offline folder files) on user PCs and laptops in order to recover mail data. A recent offline backup of the business's financials/MRP systems made it possible to bring these essential services back online. Although significant work remained to recover fully from the Ryuk virus, essential systems were restored rapidly:
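The OST recovery step above depends on first knowing which workstations still hold an intact Outlook cache and how fresh each one is. The following PowerShell script is an added example for that inventory step; it is not Progent's code and not from the original case study. It assumes the recovery workstation can reach each PC's C$ administrative share with a domain account that survived the rebuild, and the computer names in $Computers are constructed placeholders to be replaced with your own list. Outlook's default OST location (%LOCALAPPDATA%\Microsoft\Outlook) is used as the search path.

```powershell
# Added example, not Progent's code: inventory Outlook OST files on user
# workstations so mail data can be recovered from them after a ransomware attack.
# Assumptions: C$ admin-share access from this host; $Computers is a constructed
# placeholder list, not from the case study.

$Computers = @('WS-001', 'WS-002')   # placeholder names, replace with your own list
$Report    = @()

foreach ($pc in $Computers) {
    # Default Outlook OST location is %LOCALAPPDATA%\Microsoft\Outlook for each profile
    $path = "\\$pc\C$\Users\*\AppData\Local\Microsoft\Outlook\*.ost"
    try {
        $files = Get-ChildItem -Path $path -ErrorAction Stop
    } catch {
        # Host offline, still isolated, or share not reachable: record and move on
        Write-Warning "Cannot reach $pc : $($_.Exception.Message)"
        continue
    }
    foreach ($f in $files) {
        $Report += [pscustomobject]@{
            Computer      = $pc
            # Path is \\host\C$\Users\<user>\..., so the user name is segment 5
            User          = $f.FullName.Split('\')[5]
            File          = $f.Name
            SizeMB        = [math]::Round($f.Length / 1MB, 1)
            LastWriteTime = $f.LastWriteTime
        }
    }
}

# Newest caches first so the freshest mailboxes are copied before the rest
$Report | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path .\ost-inventory.csv -NoTypeInformation
```

Two practical checks on the output: compare each LastWriteTime against the attack window, since a cache last written after the encryption started may itself be damaged, and copy the files to the recovery server with a tool that preserves timestamps rather than opening them in place on the workstation.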

"For the most part, the production operation did not miss a beat and we produced all customer deliverables."

Over the next few weeks critical milestones in the restoration process were completed through tight cooperation between Progent consultants and the customer:

  • Self-hosted web sites were brought back up with no loss of information.
  • The MailStore archive for Microsoft Exchange Server, containing more than four million archived messages, was restored to operation and made accessible to users.
  • CRM/Customer Orders/Invoices/Accounts Payable (AP)/AR/Inventory modules were fully recovered.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Ninety percent of the user workstations were back in operation.

"A lot of what happened during the initial response is nearly entirely a haze for me, but my management will not forget the commitment each and every one of you accomplished to give us our business back. I've utilized Progent for at least 10 years, maybe more, and each time Progent has come through and delivered. This time was a life saver."

Conclusion
A likely business-killing catastrophe was dodged thanks to results-oriented experts, a wide spectrum of IT skills, and tight teamwork. In hindsight, the ransomware incident detailed here would have been identified and prevented with up-to-date security technology, ISO/IEC 27001 best practices, user education, appropriate incident response procedures for information protection, and proper patching controls. The fact remains, however, that state-sponsored cybercriminals from China, Russia, North Korea and elsewhere are relentless and an ongoing threat. If you do get hit by a crypto-ransomware incursion, be confident that Progent's roster of experts has a proven track record in crypto-ransomware defense, remediation, and file disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for letting me get rested after we made it through the first week. Everyone did an incredible job, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this ransomware incident report, see Progent's Ransomware Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers companies in Fort Wayne a portfolio of remote monitoring and security evaluation services designed to help you minimize the threat from ransomware. These services incorporate modern AI technology to detect new strains of ransomware that are able to evade traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting-edge behavior-based analysis tools to defend physical and virtual endpoints against new malware assaults like ransomware and email phishing, which easily escape traditional signature-based anti-virus tools. ProSight Active Security Monitoring protects local and cloud resources and provides a single platform to address the complete threat progression, including protection, detection, mitigation, cleanup, and forensics. Key features include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Exchange Email Filtering
    ProSight Enhanced Security Protection managed services offer ultra-affordable, in-depth protection for physical servers and virtual machines, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced heuristics for round-the-clock monitoring of and response to cyber threats from all vectors. ProSight ESP provides two-way firewall protection, intrusion alerts, endpoint management, and web filtering through cutting-edge technologies incorporated within one agent accessible from a single console. Progent's data protection and virtualization consultants can help your business design and implement a ProSight ESP environment that addresses your organization's unique needs and that allows you to achieve and demonstrate compliance with government and industry data security standards. Progent will help you specify and implement policies that ProSight ESP will enforce, and Progent will monitor your IT environment and react to alerts that require urgent attention. Progent's consultants can also help your company install and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous cyber attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has partnered with leading backup/restore software companies to create ProSight Data Protection Services, a selection of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your backup processes and enable non-disruptive backup and rapid restoration of important files/folders, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps your business protect against data loss resulting from equipment breakdown, natural calamities, fire, malware like ransomware, human error, ill-intentioned employees, or application glitches. Managed services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can help you identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading information security companies to provide web-based control and world-class protection for your inbound and outbound email. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with an on-premises security gateway device to offer advanced protection against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter serves as a preliminary barricade and keeps the vast majority of unwanted email from reaching your network firewall. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's on-premises gateway device provides a deeper level of inspection for inbound email. For outgoing email, the local security gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server track and safeguard internal email traffic that originates and ends within your corporate firewall. For more details, see Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, optimize and debug their connectivity appliances such as routers, switches, firewalls, and wireless controllers, plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management technology, WAN Watch ensures that network maps are kept current, captures and manages the configuration of virtually all devices connected to your network, monitors performance, and sends alerts when potential issues are detected. By automating complex network management processes, WAN Watch can knock hours off common tasks such as network mapping, expanding your network, locating appliances that need critical software patches, or resolving performance bottlenecks. Learn more about ProSight WAN Watch infrastructure management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by checking the health of the vital computers that power your business network. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your specified IT staff and your assigned Progent consultant so that any looming issues can be resolved before they impact your network. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's network support professionals. Under Progent's ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the apps. Because the environment is virtualized, it can be ported easily to a different hardware environment without a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not locked into a single hosting provider. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to capture, update, find and safeguard information related to your network infrastructure, procedures, business apps, and services. You can quickly locate passwords or IP addresses and be warned automatically about impending expirations of SSL certificates or warranties. By updating and organizing your IT documentation, you can save up to 50% of the time spent searching for vital information about your network. ProSight IT Asset Management includes a centralized location for storing and collaborating on all documents related to managing your network infrastructure, such as recommended procedures and How-To's. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're making enhancements, performing regular maintenance, or responding to a crisis, ProSight IT Asset Management gets you the data you need when you need it. Learn more about the ProSight IT Asset Management service.

  • Active Protection Against Ransomware: AI-based Ransomware Detection and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes next-generation behavior-based machine learning technology to defend endpoints and physical and virtual servers against new malware assaults such as ransomware and email phishing, which easily evade traditional signature-based AV products. Progent ASM services protect local and cloud resources and provide a unified platform to manage the entire malware attack progression, including blocking, identification, mitigation, remediation, and post-attack forensics. Key capabilities include single-click rollback using Windows VSS and real-time network-wide immunization against new attacks. Read more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Center: Call Center Managed Services
    Progent's Help Center managed services allow your IT team to offload Call Center services to Progent or to divide responsibility for support services transparently between your in-house network support resources and Progent's extensive pool of certified IT service engineers and subject matter experts. Progent's Co-managed Help Desk Service offers a smooth supplement to your internal IT support team. User interaction with the Service Desk, delivery of support services, issue escalation, ticket creation and updates, performance measurement, and management of the support database are cohesive regardless of whether issues are resolved by your core support group, by Progent, or by a mix of the two. Read more about Progent's outsourced/shared Help Center services.

  • Patch Management: Patch Management Services
    Progent's support services for patch management offer organizations of any size a flexible and affordable solution for evaluating, validating, scheduling, implementing, and tracking software and firmware updates to your dynamic information system. In addition to improving the security and reliability of your computer environment, Progent's patch management services free up time for your IT staff to concentrate on more strategic projects and tasks that deliver the highest business value from your information network. Find out more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services utilize Cisco's Duo cloud technology to defend against stolen passwords by using two-factor authentication (2FA). Duo enables one-tap identity verification with iOS, Android, and other personal devices. With 2FA, whenever you log into a protected application and give your password, you are asked to verify who you are on a device that only you possess and that is reached over a different ("out-of-band") network channel. A wide selection of out-of-band devices can be used as this second form of authentication, such as an iPhone, Android phone or wearable, a hardware token, or a landline phone. You can designate multiple verification devices. For more information about ProSight Duo identity validation services, refer to Duo MFA two-factor authentication (2FA) services.

For 24x7 Fort Wayne Ransomware Cleanup Experts, call Progent at 800-462-8800 or go to Contact Progent.