Ransomware : Your Feared IT Nightmare
Crypto-Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a modern cyberplague that poses an extinction-level threat for organizations poorly prepared for an assault. Versions of ransomware like the CrySIS, WannaCry, Locky, SamSam and MongoLock cryptoworms have been running rampant for many years and still cause harm. Modern variants of ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, along with frequent as yet unnamed viruses, not only do encryption of on-line data but also infect most available system restores and backups. Data synchronized to cloud environments can also be rendered useless. In a vulnerable environment, it can render automated restore operations useless and basically sets the datacenter back to square one.

Recovering services and data after a crypto-ransomware intrusion becomes a sprint against the clock as the targeted organization fights to stop the spread and cleanup the ransomware and to resume mission-critical operations. Because crypto-ransomware takes time to move laterally, assaults are usually launched on weekends, when successful penetrations are likely to take longer to uncover. This compounds the difficulty of promptly mobilizing and coordinating an experienced mitigation team.

Progent provides an assortment of services for securing enterprises from ransomware penetrations. These include staff education to help recognize and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, in addition to setup and configuration of modern security solutions with machine learning capabilities from SentinelOne to discover and disable new threats quickly. Progent also can provide the services of expert ransomware recovery consultants with the talent and commitment to reconstruct a compromised system as soon as possible.

Progent's Ransomware Restoration Services
Following a ransomware attack, paying the ransom demands in cryptocurrency does not guarantee that criminal gangs will return the needed codes to decrypt any of your data. Kaspersky Labs ascertained that 17% of crypto-ransomware victims never recovered their information after having sent off the ransom, resulting in additional losses. The gamble is also very costly. Ryuk ransoms commonly range from fifteen to forty BTC ($120,000 and $400,000). This is greatly higher than the typical crypto-ransomware demands, which ZDNET averages to be in the range of $13,000. The fallback is to piece back together the mission-critical components of your IT environment. Without the availability of essential data backups, this requires a broad complement of skills, well-coordinated team management, and the willingness to work continuously until the task is completed.

For decades, Progent has made available certified expert Information Technology services for businesses in Mission Viejo and throughout the US and has earned Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes engineers who have attained advanced industry certifications in leading technologies such as Microsoft, Cisco, VMware, and major distros of Linux. Progent's cyber security consultants have garnered internationally-renowned certifications including CISM, CISSP-ISSAP, CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has expertise with accounting and ERP software solutions. This breadth of experience affords Progent the ability to rapidly identify important systems and consolidate the surviving pieces of your network system following a ransomware penetration and assemble them into a functioning network.

Progent's security group utilizes powerful project management tools to coordinate the complex restoration process. Progent appreciates the urgency of working quickly and in concert with a customer's management and IT staff to assign priority to tasks and to put key systems back on line as soon as possible.

Case Study: A Successful Crypto-Ransomware Intrusion Restoration
A customer contacted Progent after their network was taken over by the Ryuk ransomware. Ryuk is generally considered to have been created by Northern Korean state criminal gangs, suspected of adopting techniques leaked from the United States NSA organization. Ryuk seeks specific companies with little or no room for disruption and is among the most profitable iterations of ransomware viruses. Major targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business headquartered in Chicago with about 500 staff members. The Ryuk attack had brought down all company operations and manufacturing capabilities. Most of the client's information backups had been online at the time of the attack and were destroyed. The client was evaluating paying the ransom demand (in excess of $200,000) and hoping for the best, but ultimately utilized Progent.


"I can't tell you enough in regards to the expertise Progent gave us throughout the most critical time of (our) company's survival. We may have had to pay the cybercriminals if not for the confidence the Progent group provided us. The fact that you were able to get our messaging and critical applications back in less than seven days was something I thought impossible. Each expert I got help from or e-mailed at Progent was absolutely committed on getting us working again and was working all day and night to bail us out."

Progent worked hand in hand the customer to quickly assess and prioritize the most important systems that had to be restored to make it possible to resume company operations:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • Accounting and Manufacturing Software
To get going, Progent adhered to AV/Malware Processes incident response industry best practices by isolating and cleaning systems of viruses. Progent then initiated the task of recovering Microsoft AD, the heart of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without AD, and the client's financials and MRP applications leveraged Microsoft SQL Server, which depends on Active Directory services for security authorization to the databases.

In less than 2 days, Progent was able to re-build Active Directory to its pre-attack state. Progent then completed setup and storage recovery on the most important systems. All Microsoft Exchange Server ties and attributes were usable, which accelerated the restore of Exchange. Progent was able to find local OST files (Outlook Email Off-Line Folder Files) on team desktop computers and laptops to recover email messages. A recent off-line backup of the client's manufacturing software made them able to restore these required applications back on-line. Although a large amount of work needed to be completed to recover completely from the Ryuk event, the most important services were recovered rapidly:


"For the most part, the production operation never missed a beat and we delivered all customer sales."

Throughout the following couple of weeks important milestones in the restoration project were completed through tight collaboration between Progent team members and the customer:

  • In-house web applications were brought back up without losing any information.
  • The MailStore Server containing more than 4 million archived messages was spun up and available for users.
  • CRM/Orders/Invoices/AP/Accounts Receivables/Inventory capabilities were fully restored.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Most of the desktop computers were operational.

"A lot of what was accomplished in the early hours is nearly entirely a fog for me, but my team will not forget the commitment each and every one of the team put in to give us our business back. I've utilized Progent for at least 10 years, possibly more, and every time Progent has impressed me and delivered. This event was a Herculean accomplishment."

Conclusion
A probable company-ending disaster was averted due to hard-working experts, a wide array of knowledge, and tight collaboration. Although upon completion of forensics the ransomware virus attack detailed here would have been blocked with modern cyber security technology solutions and NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator education, and appropriate security procedures for data protection and proper patching controls, the fact is that state-sponsored cyber criminals from Russia, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware attack, feel confident that Progent's roster of professionals has a proven track record in crypto-ransomware virus blocking, mitigation, and file disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), thank you for letting me get some sleep after we made it through the most critical parts. All of you did an incredible job, and if anyone is in the Chicago area, dinner is my treat!"

To read or download a PDF version of this customer case study, click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide businesses in Mission Viejo a range of remote monitoring and security evaluation services designed to help you to minimize your vulnerability to crypto-ransomware. These services include modern AI technology to detect new strains of ransomware that are able to evade legacy signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that incorporates SentinelOne's cutting edge behavior analysis tools to defend physical and virtual endpoints against modern malware assaults such as ransomware and email phishing, which easily get by legacy signature-matching anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and offers a unified platform to manage the entire threat lifecycle including protection, detection, containment, remediation, and post-attack forensics. Key capabilities include one-click rollback using Windows VSS and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Endpoint Protection and Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable in-depth protection for physical and virtual servers, desktops, mobile devices, and Microsoft Exchange. ProSight ESP utilizes contextual security and advanced heuristics for continuously monitoring and reacting to cyber assaults from all attack vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint management, and web filtering via cutting-edge tools packaged within a single agent managed from a single console. Progent's data protection and virtualization consultants can assist you to design and configure a ProSight ESP environment that meets your company's unique needs and that allows you achieve and demonstrate compliance with government and industry data security standards. Progent will help you specify and configure policies that ProSight ESP will manage, and Progent will monitor your network and react to alarms that require urgent action. Progent can also assist you to set up and verify a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business quickly from a destructive cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with leading backup software companies to create ProSight Data Protection Services, a portfolio of management outsourcing plans that deliver backup-as-a-service. ProSight DPS services automate and track your data backup processes and allow transparent backup and rapid restoration of critical files, apps, system images, plus virtual machines. ProSight DPS helps you protect against data loss resulting from equipment failures, natural disasters, fire, cyber attacks like ransomware, human error, ill-intentioned employees, or application glitches. Managed backup services in the ProSight Data Protection Services product line include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup based on Barracuda dedicated storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to determine which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the technology of top information security companies to provide web-based management and comprehensive security for your inbound and outbound email. The hybrid architecture of Progent's Email Guard managed service combines cloud-based filtering with a local security gateway appliance to offer advanced defense against spam, viruses, Dos Attacks, DHAs, and other email-based malware. The Cloud Protection Layer acts as a first line of defense and blocks most unwanted email from making it to your network firewall. This decreases your vulnerability to inbound threats and conserves network bandwidth and storage space. Email Guard's on-premises security gateway appliance adds a deeper layer of analysis for incoming email. For outgoing email, the local security gateway provides AV and anti-spam filtering, DLP, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server to monitor and safeguard internal email traffic that originates and ends inside your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Management
    ProSight WAN Watch is a network infrastructure management service that makes it simple and affordable for smaller organizations to map, track, optimize and debug their connectivity hardware like switches, firewalls, and access points as well as servers, client computers and other devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch makes sure that infrastructure topology maps are kept updated, captures and displays the configuration of almost all devices on your network, monitors performance, and sends alerts when potential issues are detected. By automating time-consuming management processes, WAN Watch can cut hours off common tasks such as making network diagrams, reconfiguring your network, locating appliances that need important updates, or identifying the cause of performance issues. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to help keep your IT system running at peak levels by tracking the health of vital computers that power your business network. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your specified IT management staff and your Progent consultant so that any potential issues can be resolved before they have a chance to impact your network. Find out more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's network support professionals. With Progent's ProSight Virtual Hosting service model, the customer owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved immediately to a different hardware environment without a time-consuming and technically risky configuration procedure. With ProSight Virtual Hosting, you are not tied a single hosting service. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard information related to your IT infrastructure, processes, applications, and services. You can quickly find passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or warranties. By updating and managing your IT documentation, you can save as much as half of time thrown away looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for holding and collaborating on all documents related to managing your business network like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports a high level of automation for gathering and associating IT data. Whether you're planning improvements, doing maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you require the instant you need it. Learn more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection solution that utilizes cutting edge behavior-based analysis tools to guard endpoint devices and physical and virtual servers against modern malware assaults like ransomware and file-less exploits, which routinely escape legacy signature-matching AV tools. Progent Active Security Monitoring services protect local and cloud resources and provides a single platform to address the entire malware attack progression including blocking, detection, containment, remediation, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Call Center: Call Center Managed Services
    Progent's Call Desk managed services permit your information technology staff to outsource Support Desk services to Progent or divide activity for Help Desk services transparently between your internal network support staff and Progent's nationwide pool of IT service technicians, engineers and subject matter experts. Progent's Shared Service Desk provides a seamless supplement to your core support resources. User access to the Service Desk, delivery of support, problem escalation, ticket creation and tracking, performance metrics, and maintenance of the support database are cohesive whether incidents are taken care of by your corporate IT support group, by Progent's team, or both. Read more about Progent's outsourced/co-managed Call Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management offer businesses of any size a flexible and affordable alternative for assessing, validating, scheduling, implementing, and documenting updates to your dynamic IT network. In addition to optimizing the protection and functionality of your computer network, Progent's patch management services free up time for your in-house IT staff to concentrate on line-of-business initiatives and activities that deliver maximum business value from your information network. Learn more about Progent's patch management services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Remediation, and Protected Single Sign-on (SSO)
    Progent's Duo authentication services utilize Cisco's Duo cloud technology to protect against stolen passwords by using two-factor authentication (2FA). Duo supports single-tap identity verification with Apple iOS, Google Android, and other personal devices. Using Duo 2FA, whenever you log into a protected application and give your password you are asked to verify your identity on a unit that only you possess and that uses a different ("out-of-band") network channel. A broad selection of devices can be utilized as this added form of authentication including a smartphone or watch, a hardware token, a landline telephone, etc. You may designate multiple verification devices. To learn more about Duo two-factor identity validation services, go to Duo MFA two-factor authentication services for access security.
For 24x7x365 Mission Viejo Ransomware Cleanup Services, contact Progent at 800-462-8800 or go to Contact Progent.