Ransomware : Your Crippling IT Nightmare
Ransomware Remediation Experts

Ransomware has become a modern cyberplague that presents an enterprise-level threat for organizations vulnerable to an assault. Different strains of ransomware like CryptoLocker, Fusob, Locky, Syskey and MongoLock cryptoworms have been circulating for a long time and still inflict damage. More recent strains of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Conti or Egregor, along with frequent unnamed malware, not only encrypt online data but also infect all accessible system backups. Files synchronized to the cloud can also be corrupted. In a poorly designed system, this can make automated restoration impossible and basically sets the network back to square one.

Getting back online services and information after a ransomware event becomes a sprint against the clock as the victim tries its best to stop the spread and eradicate the virus and to restore mission-critical activity. Because ransomware requires time to replicate, assaults are frequently launched during nights and weekends, when successful attacks may take longer to recognize. This multiplies the difficulty of rapidly marshalling and orchestrating a capable mitigation team.

Progent makes available an assortment of solutions for securing organizations from ransomware events. These include team member education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring for remote monitoring and management, plus setup and configuration of the latest generation security appliances with AI technology from SentinelOne to identify and suppress new cyber attacks automatically. Progent also can provide the services of veteran ransomware recovery engineers with the talent and perseverance to restore a breached system as quickly as possible.

Progent's Crypto-Ransomware Recovery Services
Soon after a ransomware attack, paying the ransom demand in cryptocurrency does not guarantee that the criminal gang will provide the keys needed to decrypt any of your information. Kaspersky Labs found that 17% of crypto-ransomware victims never recovered their files even after having paid the ransom, resulting in increased losses. Paying is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is significantly higher than the usual ransomware demand, which ZDNET estimates to be in the range of $13,000. The fallback is to piece back together the vital elements of your IT environment. Absent access to full information backups, this requires a wide range of skills, professional team management, and the capability to work 24x7 until the task is complete.

For decades, Progent has provided professional IT services for companies in Appleton and across the US and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes consultants who have attained top certifications in key technologies such as Microsoft, Cisco, VMware, and major distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent in addition has experience with financial systems and ERP application software. This breadth of experience affords Progent the skills to knowledgeably identify critical systems, re-organize the remaining pieces of your Information Technology system following a crypto-ransomware attack, and configure them into a functioning network.

Progent's ransomware group uses top-notch project management systems to orchestrate the complicated restoration process. Progent knows the importance of working quickly and in unison with a customer's management and Information Technology team members to prioritize tasks and to put critical applications back on line as fast as humanly possible.

Client Story: A Successful Ransomware Intrusion Response
A customer escalated to Progent after their network system was brought down by Ryuk ransomware. Ryuk is believed to have been created by North Korean government-sponsored cybercriminals, possibly adopting techniques leaked from America's NSA. Ryuk goes after specific organizations with little or no ability to sustain disruption and is one of the most profitable instances of ransomware malware. Headline targets include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's customer is a single-location manufacturing business located in the Chicago metro area and has about 500 staff members. The Ryuk intrusion had paralyzed all essential operations and manufacturing capabilities. Most of the client's backups had been online at the beginning of the attack and were damaged. The client considered paying the ransom (exceeding two hundred thousand dollars) and hoping for the best, but in the end made the decision to use Progent.

"I cannot say enough about the support Progent gave us during the most critical period of (our) company's existence. We may have had to pay the cyber criminals if not for the confidence the Progent group gave us. The fact that you could get our messaging and key servers back sooner than five days was something I thought impossible. Every single staff member I talked with or texted at Progent was totally committed to getting us operational and was working day and night on our behalf."

Progent worked with the client to rapidly assess and assign priority to the most important systems that needed to be restored in order to continue company operations:

  • Windows Active Directory
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software

To begin, Progent adhered to ransomware event mitigation industry best practices by stopping lateral movement and clearing infected systems. Progent then initiated the task of restoring Microsoft Active Directory, the heart of enterprise systems built on Microsoft technology. Microsoft Exchange Server messaging will not operate without Windows AD, and the customer's accounting and MRP applications utilized SQL Server, which requires Active Directory for access to the databases.

Within 2 days, Progent was able to recover Windows Active Directory to its pre-penetration state. Progent then helped perform reinstallations and hard drive recovery on the most important servers. All Exchange data and attributes were intact, which accelerated the rebuild of Exchange. Progent was able to find non-encrypted OST files (Microsoft Outlook Offline Folder Files) on staff workstations and laptops in order to recover email information. A recent offline backup of the client's accounting/MRP systems made it possible to restore these essential applications and make them available to users again. Although major work still had to be done to recover fully from the Ryuk event, essential services were recovered quickly:

"For the most part, the assembly line operation showed little impact and we delivered all customer sales."

Over the next couple of weeks key milestones in the recovery project were completed in close cooperation between Progent consultants and the client:

  • Self-hosted web sites were brought back up with no loss of information.
  • The MailStore Server containing more than 4 million historical messages was brought on-line and accessible to users.
  • CRM/Product Ordering/Invoices/Accounts Payable (AP)/AR/Inventory capabilities were fully operational.
  • A new Palo Alto 850 security appliance was set up and programmed.
  • Nearly all of the user desktops were operational.

"A huge amount of what happened during the initial response is mostly a haze for me, but our team will not soon forget the urgency each and every one of your team accomplished to give us our business back. I've trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has outperformed my expectations and delivered. This event was a testament to your capabilities."

Conclusion
A likely business-ending catastrophe was avoided by dedicated experts, a broad array of knowledge, and tight teamwork. In hindsight, the crypto-ransomware penetration detailed here should have been identified and disabled by modern cyber security systems, NIST Cybersecurity Framework or ISO/IEC 27001 best practices, user and IT administrator training, and well-thought-out incident response procedures covering backups and keeping systems up to date with security patches. The reality remains, however, that government-sponsored hackers from China, Russia, North Korea and elsewhere are relentless and will continue. If you do fall victim to a ransomware incident, feel confident that Progent's team of professionals has extensive experience in ransomware virus defense, cleanup, and data disaster recovery.

"So, to Darrin, Matt, Aaron, Dan, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for letting me get rested after we made it over the initial fire. Everyone made an amazing effort, and if any of your guys are visiting the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this customer case study, see: Progent's Crypto-Ransomware Recovery Case Study Datasheet (PDF - 282 KB).

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Appleton a variety of online monitoring and security evaluation services designed to help you reduce the threat from crypto-ransomware. These services include next-generation artificial intelligence technology to detect zero-day variants of ransomware that are able to get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's next-generation behavioral machine learning technology to guard physical and virtual endpoint devices against new malware assaults such as ransomware and file-less exploits, which routinely evade legacy signature-matching anti-virus products. ProSight ASM safeguards local and cloud resources and provides a single platform to address the entire malware attack progression including filtering, detection, mitigation, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable multi-layer protection for physical servers and VMs, workstations, smartphones, and Exchange Server. ProSight ESP utilizes adaptive security and advanced heuristics for round-the-clock monitoring and responding to cyber threats from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, endpoint control, and web filtering through leading-edge tools incorporated within a single agent managed from a unified console. Progent's security and virtualization consultants can assist you to plan and configure a ProSight ESP deployment that meets your company's unique needs and that allows you to prove compliance with government and industry information security standards. Progent will assist you in specifying and implementing the policies that ProSight ESP will enforce, and Progent will monitor your network and react to alarms that require immediate attention. Progent's consultants can also help your company to set up and test a backup and restore system such as ProSight Data Protection Services so you can recover rapidly from a potentially disastrous security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery Services
    Progent has partnered with advanced backup technology companies to produce ProSight Data Protection Services (DPS), a family of offerings that provide backup-as-a-service (BaaS). ProSight DPS services manage and monitor your data backup processes and enable non-disruptive backup and fast restoration of vital files/folders, applications, images, plus Hyper-V and VMware virtual machines. ProSight DPS lets you recover from data loss resulting from equipment failures, natural calamities, fire, cyber attacks like ransomware, user error, malicious insiders, or application glitches. Managed backup services in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent expert can assist you to determine which of these fully managed services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the infrastructure of leading information security vendors to provide web-based management and comprehensive protection for all your inbound and outbound email. The hybrid architecture of Email Guard integrates cloud-based filtering with a local security gateway device to offer complete defense against spam, viruses, Denial of Service Attacks, Directory Harvest Attacks, and other email-based threats. The Cloud Protection Layer acts as a preliminary barricade and blocks the vast majority of unwanted email from reaching your security perimeter. This reduces your exposure to inbound attacks and saves network bandwidth and storage. Email Guard's onsite security gateway appliance provides a deeper level of analysis for incoming email. For outgoing email, the onsite gateway provides anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Exchange Server to track and protect internal email that originates and ends inside your corporate firewall. For more information, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller businesses to map out, monitor, reconfigure and debug their networking appliances like routers, firewalls, and access points plus servers, printers, endpoints and other devices. Using state-of-the-art Remote Monitoring and Management (RMM) technology, WAN Watch ensures that infrastructure topology maps are kept updated, captures and displays the configuration of almost all devices on your network, tracks performance, and sends notices when issues are detected. By automating tedious network management activities, ProSight WAN Watch can knock hours off common tasks like network mapping, reconfiguring your network, finding appliances that require important updates, or isolating performance issues. Find out more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to keep your IT system operating at peak levels by checking the health of critical computers that power your business network. When ProSight LAN Watch uncovers an issue, an alert is sent immediately to your specified IT staff and your Progent engineering consultant so that all potential issues can be resolved before they have a chance to disrupt your network. Find out more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a protected fault tolerant data center on a fast virtual machine host configured and managed by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer owns the data, the OS software, and the applications. Since the system is virtualized, it can be ported immediately to a different hardware solution without requiring a time-consuming and difficult reinstallation process. With ProSight Virtual Hosting, your business is not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, update, retrieve and protect information about your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be alerted about upcoming expirations of SSL certificates, domains or warranties. By cleaning up and managing your IT documentation, you can eliminate as much as half of the time spent trying to find vital information about your network. ProSight IT Asset Management features a centralized repository for holding and sharing all documents required for managing your network infrastructure, such as recommended procedures and How-To's. ProSight IT Asset Management also supports advanced automation for gathering and relating IT information. Whether you're making enhancements, performing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need when you need it. Read more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: AI-based Ransomware Detection and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that incorporates next-generation behavior analysis tools to guard endpoints as well as servers and VMs against modern malware assaults like ransomware and email phishing, which routinely escape legacy signature-matching anti-virus tools. Progent ASM services protect local and cloud resources and provide a single platform to address the entire threat lifecycle including protection, infiltration detection, containment, cleanup, and post-attack forensics. Key features include one-click rollback with Windows VSS and automatic network-wide immunization against new threats. Find out more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Call Center Managed Services
    Progent's Help Center managed services allow your information technology team to outsource Support Desk services to Progent or divide activity for Help Desk services seamlessly between your internal network support resources and Progent's nationwide roster of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service provides a smooth extension of your core support group. User interaction with the Service Desk, delivery of support services, issue escalation, trouble ticket creation and tracking, performance metrics, and management of the service database are consistent regardless of whether issues are resolved by your core support group, by Progent, or by a combination. Read more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a flexible and cost-effective alternative for assessing, testing, scheduling, applying, and tracking updates to your ever-evolving IT system. In addition to maximizing the protection and reliability of your IT network, Progent's software/firmware update management services allow your in-house IT team to focus on line-of-business initiatives and activities that derive maximum business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication service plans incorporate Cisco's Duo technology to protect against password theft by using two-factor authentication (2FA). Duo enables one-tap identity confirmation with iOS, Google Android, and other out-of-band devices. With 2FA, whenever you log into a secured application and give your password, you are requested to confirm who you are on a device that only you have and that is reached over a different ("out-of-band") network channel. A broad selection of out-of-band devices can be utilized for this added form of ID validation, such as a smartphone or wearable, a hardware token, or a landline telephone. You may register several validation devices. To find out more about ProSight Duo identity authentication services, refer to Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is an expanding line of real-time reporting plug-ins designed to work with the industry's top ticketing and remote network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting incorporates Microsoft Graph and utilizes color coding to surface and contextualize critical issues like inconsistent support follow-through or machines with missing patches. By identifying ticketing or network health problems concisely and in near-real time, ProSight Reporting enhances network value, lowers management hassle, and saves money. For details, see ProSight Reporting for ticketing and network monitoring platforms.

For Appleton 24-7 Ransomware Removal Experts, call Progent at 800-462-8800 or go to Contact Progent.