Ransomware : Your Crippling IT Nightmare
Ransomware  Remediation ConsultantsRansomware has become a too-frequent cyberplague that represents an existential threat for organizations poorly prepared for an attack. Different versions of crypto-ransomware like the Dharma, WannaCry, Locky, SamSam and MongoLock cryptoworms have been around for many years and continue to inflict havoc. Recent versions of ransomware like Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, as well as daily unnamed newcomers, not only do encryption of online data but also infiltrate any accessible system restores and backups. Data synched to the cloud can also be ransomed. In a poorly designed system, this can render automated restore operations impossible and effectively knocks the entire system back to square one.

Getting back online services and data following a ransomware outage becomes a race against time as the targeted business fights to contain and eradicate the ransomware and to resume business-critical operations. Since ransomware needs time to move laterally, penetrations are often sprung at night, when successful attacks may take longer to notice. This compounds the difficulty of promptly mobilizing and coordinating a capable response team.

Progent has a range of support services for securing businesses from ransomware attacks. Among these are staff education to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, in addition to deployment of the latest generation security appliances with machine learning capabilities from SentinelOne to discover and extinguish new threats automatically. Progent also offers the services of expert ransomware recovery engineers with the skills and perseverance to restore a compromised environment as quickly as possible.

Progent's Ransomware Recovery Services
Following a ransomware event, sending the ransom in Bitcoin cryptocurrency does not provide any assurance that merciless criminals will return the codes to decrypt any of your information. Kaspersky estimated that seventeen percent of ransomware victims never recovered their files even after having sent off the ransom, resulting in more losses. The gamble is also expensive. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the usual crypto-ransomware demands, which ZDNET determined to be around $13,000. The fallback is to setup from scratch the mission-critical components of your Information Technology environment. Without the availability of complete system backups, this calls for a wide range of skill sets, top notch project management, and the ability to work non-stop until the job is over.

For decades, Progent has provided certified expert Information Technology services for companies in Mission Viejo and across the U.S. and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes professionals who have been awarded advanced industry certifications in important technologies including Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally-renowned certifications including CISA, CISSP-ISSAP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent in addition has experience with financial management and ERP applications. This breadth of expertise affords Progent the capability to knowledgably identify important systems and organize the remaining pieces of your computer network environment after a ransomware attack and configure them into a functioning network.

Progent's recovery team of experts uses powerful project management applications to orchestrate the complicated restoration process. Progent understands the importance of acting rapidly and together with a customer's management and IT team members to assign priority to tasks and to put essential systems back on-line as soon as humanly possible.

Business Case Study: A Successful Ransomware Incident Recovery
A business contacted Progent after their organization was attacked by Ryuk ransomware virus. Ryuk is believed to have been developed by Northern Korean government sponsored criminal gangs, possibly using approaches leaked from the United States NSA organization. Ryuk attacks specific businesses with little room for disruption and is one of the most lucrative incarnations of ransomware. High publicized targets include Data Resolution, a California-based information warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a regional manufacturing company located in Chicago and has around 500 staff members. The Ryuk attack had shut down all essential operations and manufacturing processes. The majority of the client's data protection had been online at the start of the intrusion and were encrypted. The client was evaluating paying the ransom (in excess of $200K) and hoping for the best, but in the end brought in Progent.


"I can't thank you enough about the help Progent gave us during the most critical time of (our) company's survival. We had little choice but to pay the hackers behind this attack except for the confidence the Progent team provided us. That you could get our e-mail system and critical servers back in less than 1 week was earth shattering. Every single consultant I interacted with or communicated with at Progent was amazingly focused on getting my company operational and was working non-stop to bail us out."

Progent worked with the client to quickly assess and assign priority to the most important applications that needed to be recovered in order to resume business functions:

  • Microsoft Active Directory
  • Electronic Mail
  • Accounting/MRP
To start, Progent adhered to Anti-virus penetration mitigation industry best practices by halting the spread and clearing up compromised systems. Progent then started the process of restoring Windows Active Directory, the key technology of enterprise environments built on Microsoft technology. Exchange messaging will not work without AD, and the businesses' financials and MRP applications leveraged SQL Server, which needs Active Directory for access to the data.

In less than two days, Progent was able to re-build Active Directory services to its pre-attack state. Progent then helped perform setup and storage recovery on needed servers. All Exchange ties and configuration information were usable, which accelerated the restore of Exchange. Progent was able to collect local OST files (Outlook Off-Line Data Files) on various PCs and laptops to recover email data. A recent offline backup of the customer's accounting/MRP systems made it possible to recover these essential services back available to users. Although a large amount of work was left to recover fully from the Ryuk attack, core services were returned to operations rapidly:


"For the most part, the manufacturing operation showed little impact and we delivered all customer sales."

Over the following month important milestones in the restoration project were accomplished in tight collaboration between Progent engineers and the customer:

  • In-house web sites were returned to operation with no loss of data.
  • The MailStore Server exceeding 4 million archived messages was brought online and accessible to users.
  • CRM/Orders/Invoices/AP/Accounts Receivables (AR)/Inventory functions were 100% operational.
  • A new Palo Alto 850 security appliance was brought on-line.
  • Nearly all of the user PCs were functioning as before the incident.

"Much of what transpired that first week is mostly a fog for me, but my management will not forget the care each of your team put in to help get our business back. I've been working together with Progent for the past 10 years, maybe more, and each time I needed help Progent has come through and delivered. This situation was no exception but maybe more Herculean."

Conclusion
A probable business-ending catastrophe was avoided due to hard-working experts, a broad array of IT skills, and close teamwork. Although in post mortem the ransomware virus incident described here could have been identified and disabled with modern security technology and recognized best practices, staff training, and appropriate security procedures for data protection and proper patching controls, the reality remains that government-sponsored cyber criminals from China, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a crypto-ransomware attack, feel confident that Progent's roster of professionals has proven experience in crypto-ransomware virus defense, remediation, and information systems restoration.


"So, to Darrin, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were helping), I'm grateful for allowing me to get rested after we made it through the initial fire. Everyone did an fabulous job, and if any of your team is around the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this case study, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Mission Viejo a portfolio of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services utilize next-generation artificial intelligence capability to detect new variants of crypto-ransomware that are able to escape detection by legacy signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's cutting edge behavior analysis technology to defend physical and virtual endpoints against new malware attacks like ransomware and file-less exploits, which routinely evade legacy signature-based anti-virus products. ProSight Active Security Monitoring protects local and cloud-based resources and provides a single platform to address the complete threat lifecycle including filtering, detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against new attacks. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical servers and VMs, desktops, smartphones, and Exchange email. ProSight ESP utilizes contextual security and modern behavior analysis for continuously monitoring and reacting to cyber threats from all attack vectors. ProSight ESP provides two-way firewall protection, intrusion alarms, endpoint control, and web filtering through leading-edge technologies incorporated within a single agent managed from a unified control. Progent's data protection and virtualization consultants can assist your business to design and implement a ProSight ESP deployment that addresses your company's specific requirements and that helps you prove compliance with legal and industry data security standards. Progent will assist you specify and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that call for immediate attention. Progent can also help your company to install and test a backup and restore solution such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with leading backup/restore software companies to create ProSight Data Protection Services, a portfolio of offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your data backup processes and enable transparent backup and fast recovery of vital files, apps, system images, plus VMs. ProSight DPS lets you recover from data loss caused by hardware failures, natural calamities, fire, cyber attacks like ransomware, human error, ill-intentioned insiders, or application bugs. Managed backup services available in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight DPS MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these fully managed backup services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of top information security vendors to deliver web-based control and comprehensive protection for all your email traffic. The powerful architecture of Email Guard integrates a Cloud Protection Layer with a local security gateway device to provide advanced protection against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-based threats. The cloud filter acts as a preliminary barricade and keeps most unwanted email from making it to your network firewall. This reduces your exposure to inbound attacks and saves network bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper layer of analysis for inbound email. For outbound email, the local gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to monitor and protect internal email that stays inside your corporate firewall. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and affordable for small and mid-sized businesses to diagram, monitor, reconfigure and troubleshoot their connectivity hardware like routers, firewalls, and load balancers plus servers, printers, client computers and other networked devices. Incorporating cutting-edge Remote Monitoring and Management technology, ProSight WAN Watch makes sure that infrastructure topology maps are always current, copies and displays the configuration of almost all devices connected to your network, tracks performance, and generates alerts when problems are detected. By automating tedious network management processes, WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, locating appliances that require critical software patches, or identifying the cause of performance problems. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management techniques to help keep your network running efficiently by checking the health of vital assets that drive your business network. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your designated IT management staff and your Progent engineering consultant so that all looming issues can be resolved before they can impact productivity. Learn more about ProSight LAN Watch server and desktop monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected fault tolerant data center on a fast virtual machine host configured and managed by Progent's network support experts. Under Progent's ProSight Virtual Hosting model, the client owns the data, the OS software, and the applications. Because the system is virtualized, it can be moved easily to an alternate hosting environment without a time-consuming and technically risky configuration process. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to capture, update, retrieve and safeguard information about your network infrastructure, procedures, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates or domains. By updating and organizing your IT infrastructure documentation, you can eliminate up to half of time wasted trying to find vital information about your IT network. ProSight IT Asset Management includes a common repository for storing and collaborating on all documents related to managing your network infrastructure like recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're making improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you need as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates next generation behavior-based machine learning tools to guard endpoints as well as physical and virtual servers against new malware assaults such as ransomware and file-less exploits, which routinely get by traditional signature-matching anti-virus products. Progent ASM services safeguard local and cloud resources and offers a unified platform to manage the complete threat progression including protection, identification, mitigation, cleanup, and forensics. Key features include one-click rollback with Windows VSS and real-time network-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Help Center: Help Desk Managed Services
    Progent's Support Center services permit your information technology team to outsource Support Desk services to Progent or divide responsibilities for Help Desk services seamlessly between your internal network support resources and Progent's nationwide roster of certified IT support technicians, engineers and subject matter experts. Progent's Co-managed Service Desk provides a smooth supplement to your core support group. User access to the Help Desk, provision of support, escalation, ticket creation and tracking, efficiency metrics, and maintenance of the service database are cohesive regardless of whether incidents are resolved by your internal network support group, by Progent's team, or both. Learn more about Progent's outsourced/shared Help Center services.

  • Patch Management: Patch Management Services
    Progent's managed services for patch management provide organizations of any size a versatile and affordable solution for assessing, testing, scheduling, implementing, and tracking updates to your ever-evolving information system. In addition to optimizing the protection and functionality of your IT environment, Progent's patch management services allow your in-house IT staff to focus on more strategic initiatives and tasks that deliver the highest business value from your information network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo authentication service plans incorporate Cisco's Duo cloud technology to protect against password theft by using two-factor authentication (2FA). Duo supports single-tap identity confirmation with Apple iOS, Android, and other personal devices. With 2FA, when you log into a secured online account and give your password you are asked to verify your identity via a device that only you have and that is accessed using a different ("out-of-band") network channel. A wide selection of out-of-band devices can be utilized as this added means of ID validation including an iPhone or Android or wearable, a hardware token, a landline telephone, etc. You may designate several validation devices. For details about Duo identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding suite of real-time and in-depth reporting utilities created to integrate with the leading ticketing and network monitoring applications including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to highlight and contextualize critical issues like inconsistent support follow-up or machines with out-of-date AVs. By exposing ticketing or network health problems concisely and in near-real time, ProSight Reporting improves productivity, lowers management overhead, and saves money. For details, visit ProSight Reporting for ticketing and network monitoring applications.
For 24/7/365 Mission Viejo Crypto-Ransomware Remediation Experts, call Progent at 800-462-8800 or go to Contact Progent.