Ransomware: Your Crippling IT Catastrophe
Ransomware Recovery Experts

Ransomware has become a modern cyber pandemic that presents an enterprise-level threat to businesses of all sizes that are unprepared for an attack. Multiple generations of ransomware such as Reveton, WannaCry, Locky, Syskey and MongoLock cryptoworms have been out in the wild for many years and still inflict damage. Recent versions of crypto-ransomware like Ryuk, Maze, Sodinokibi, Netwalker, Conti or Egregor, as well as daily unnamed variants, not only encrypt online critical data but also infect any reachable system backup. Data synced to cloud environments can also be rendered useless. In a vulnerable environment, this can make automated restore operations impossible and effectively sets the entire system back to zero.

Retrieving programs and data after a ransomware event becomes a race against the clock as the targeted organization fights to stop lateral movement, clear the malware, and restore mission-critical operations. Because ransomware takes time to replicate, attacks are frequently launched on weekends, when intrusions are likely to take longer to discover. This compounds the difficulty of rapidly assembling and orchestrating a capable mitigation team.

Progent provides a variety of support services for protecting organizations against crypto-ransomware intrusions. These include staff education to help employees recognize and not fall victim to phishing scams, ProSight Active Security Monitoring for remote monitoring and management, and installation of the latest generation of security gateways with machine learning technology from SentinelOne to identify and suppress new cyber attacks automatically. Progent can also provide seasoned ransomware recovery engineers with the track record and commitment to rebuild a compromised environment as rapidly as possible.

Progent's Crypto-Ransomware Restoration Support Services
After a ransomware event, even paying the ransom in Bitcoin provides no assurance that the attackers will hand over the keys to decrypt any or all of your information. Kaspersky Labs found that seventeen percent of ransomware victims never recovered their files after having paid the ransom, resulting in increased losses. The gamble is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 to $400,000). This is far above the usual ransomware demand, which ZDNet reports averages around $13,000. The fallback is to rebuild the essential elements of your Information Technology environment. Without access to full data backups, this requires a wide range of skills, well-coordinated project management, and the capability to work continuously until the recovery project is done.

For two decades, Progent has provided professional Information Technology services for businesses in Appleton and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts (SMEs) includes professionals who have earned top certifications in leading technologies from Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security specialists hold internationally recognized certifications including CISM, CISSP-ISSAP, CRISC, and GIAC. (See Progent's certifications.) Progent also has expertise in financial management and ERP software solutions. This breadth of expertise gives Progent the ability to quickly understand the necessary systems, reorganize the remaining components of your network environment after a crypto-ransomware attack, and assemble them into a functioning system.

Progent's ransomware team uses proven project management systems to orchestrate the complicated recovery process. Progent understands the urgency of acting quickly and in unison with a client's management and IT staff to prioritize tasks and to put the most important systems back online as soon as humanly possible.

Client Case Study: A Successful Crypto-Ransomware Penetration Restoration
A customer contacted Progent after their network was penetrated by the Ryuk ransomware. Ryuk is believed to have been launched by North Korean state-sponsored criminal gangs, suspected of adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little tolerance for operational disruption and is one of the most lucrative iterations of ransomware. Major targets have included Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a single-location manufacturing company in the Chicago metro area with around 500 employees. The Ryuk attack had frozen all company operations and manufacturing capabilities. Most of the client's backups had been online at the beginning of the attack and were encrypted. The client was pursuing financing to pay the ransom demand (more than two hundred thousand dollars) and praying for good luck, but ultimately made the decision to use Progent.


"I cannot thank you enough for the expertise Progent gave us during the most critical time of (our) business's existence. We may have had to pay the criminal gangs if not for the confidence the Progent experts provided us. The fact that you were able to get our messaging and production applications back into operation in less than five days was beyond my wildest dreams. Every single expert I got help from or texted at Progent was absolutely committed to getting my company operational and was working day and night on our behalf."

Progent worked together with the client to quickly understand and assign priority to the key applications that needed to be addressed in order to resume departmental functions:

  • Active Directory
  • Microsoft Exchange Server
  • MRP System

To get started, Progent followed industry best practices for malware incident mitigation by stopping lateral movement and cleaning the malware from affected systems. Progent then began bringing Active Directory back online, since AD is the core of enterprise networks built on Microsoft Windows technology. Exchange email will not work without AD, and the client's accounting and MRP system used Microsoft SQL Server, which depends on Active Directory for access to the databases.

In less than 2 days, Progent was able to restore Active Directory to its pre-attack state. Progent then rebuilt and recovered storage for the needed applications. All Exchange connections and configuration information were usable, which simplified the restore of Exchange. Progent was able to collect unencrypted OST files (Outlook Offline Data Files) from staff desktop computers and laptops to recover mail messages. A recent offline backup of the customer's financials/ERP software made it possible to bring these required applications back into service. Although a lot of work remained to recover fully from the Ryuk event, core systems were returned to operation quickly:


"For the most part, the production manufacturing operation ran fairly normally throughout and we did not miss any customer sales."

Over the next couple of weeks, key milestones in the recovery process were achieved through tight cooperation between Progent team members and the customer:

  • Self-hosted web applications were brought back up without losing any data.
  • The MailStore Server holding more than 4 million historical emails was spun up and made accessible to users.
  • CRM/Customer Orders/Invoices/AP/AR/Inventory Control capabilities were 100 percent functional.
  • A new Palo Alto 850 security appliance was installed.
  • 90% of the user desktops and notebooks were operational.

"A huge amount of what went on during the initial response is nearly entirely a fog for me, but my team will not soon forget the dedication each member of your team put in to give us our business back. I have trusted Progent for the past 10 years, possibly more, and every time I needed help Progent has shined and delivered. This time was the most impressive ever."

Conclusion
A possible enterprise-killing disaster was avoided by dedicated experts, a wide array of knowledge, and close collaboration. In hindsight, the ransomware attack described here should have been prevented with advanced cyber security technology, recognized best practices, team training, and well thought out procedures for data protection and for keeping systems current with security patches. The reality remains, however, that government-sponsored cyber criminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a ransomware intrusion, be confident that Progent's team of experts has proven experience in ransomware blocking, cleanup, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (along with others who were involved), thank you for making it so I could get rested after we got through the most critical parts. All of you did an incredible job, and if any of your guys are in the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Available from Progent
Progent can provide companies in Appleton a variety of online monitoring and security assessment services designed to help you minimize your exposure to ransomware. These services use modern artificial intelligence technology to detect new variants of crypto-ransomware that evade detection by traditional signature-based anti-virus products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection solution that incorporates SentinelOne's cutting-edge behavior-based analysis technology to guard physical and virtual endpoints against new malware attacks like ransomware and email phishing, which routinely evade traditional signature-based AV products. ProSight Active Security Monitoring protects on-premises and cloud-based resources and provides a unified platform to manage the entire threat lifecycle, including protection, identification, containment, cleanup, and forensics. Key features include one-click rollback using Windows VSS and automatic system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner. Find out more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection: Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer economical multi-layer protection for physical servers and virtual machines, workstations, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring of and response to security threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, device management, and web filtering via cutting-edge tools packaged within a single agent managed from a unified console. Progent's data protection and virtualization consultants can help your business design and implement a ProSight ESP environment that meets your organization's unique requirements and helps you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will assist you in specifying and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your IT environment and respond to alerts that require urgent action. Progent's consultants can also help your company set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can get back in business rapidly after a destructive cyber attack like ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has worked with leading backup/restore technology providers to produce ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS services manage and track your backup operations and enable non-disruptive backup and fast restoration of vital files/folders, applications, system images, and VMs. ProSight DPS helps you avoid data loss resulting from equipment failures, natural disasters, fire, cyber attacks such as ransomware, human error, malicious insiders, or software bugs. Managed backup services in the ProSight Data Protection Services product line include ProSight DPS Altaro VM Backup, ProSight Altaro Office 365 Backup, ProSight ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you identify which of these managed services are most appropriate for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading data security companies to provide web-based control and comprehensive protection for all your email traffic. The hybrid structure of Progent's Email Guard managed service integrates a Cloud Protection Layer with a local security gateway appliance to offer advanced defense against spam, viruses, DoS attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter serves as a preliminary barricade and blocks most threats before they reach your network firewall. This reduces your exposure to external attacks and saves network bandwidth and storage. Email Guard's onsite gateway appliance adds a further level of inspection for incoming email. For outgoing email, the on-premises security gateway offers anti-virus and anti-spam protection, DLP, and email encryption. The on-premises gateway can also help Microsoft Exchange Server monitor and protect internal email traffic that originates and ends inside your corporate firewall. For more details, visit ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller organizations to map, track, reconfigure and troubleshoot their connectivity hardware such as switches, firewalls, and load balancers, plus servers, endpoints and other networked devices. Using cutting-edge Remote Monitoring and Management (RMM) technology, WAN Watch keeps infrastructure topology diagrams current, copies and displays the configuration information of virtually all devices on your network, tracks performance, and generates alerts when problems are detected. By automating tedious network management activities, WAN Watch can cut hours off common chores like network mapping, reconfiguring your network, finding appliances that require important updates, or resolving performance problems. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring managed service that incorporates advanced remote monitoring and management (RMM) technology to help keep your IT system operating efficiently by checking the state of the vital assets that drive your business network. When ProSight LAN Watch uncovers an issue, an alarm is sent immediately to your designated IT management personnel and your assigned Progent consultant so that any looming issues can be addressed before they disrupt your network. Find out more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small organization can have its key servers and applications hosted in a secure Tier III data center on a high-performance virtual host set up and maintained by Progent's network support professionals. Under the ProSight Virtual Hosting service model, the customer retains ownership of the data, the OS software, and the applications. Since the environment is virtualized, it can be ported easily to different hardware without a lengthy and technically risky configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is an IT infrastructure documentation management service that allows you to create, update, retrieve and protect data about your IT infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be warned about upcoming expirations of SSL certificates or domains. By updating and organizing your network documentation, you can save up to half the time spent looking for vital information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers a high level of automation for gathering and relating IT data. Whether you're planning enhancements, performing regular maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the data you require the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) service that uses cutting-edge behavior analysis tools to defend endpoints and physical and virtual servers against new malware attacks like ransomware and email phishing, which routinely escape traditional signature-based AV products. Progent ASM services protect on-premises and cloud-based resources and provide a unified platform to address the complete malware attack progression, including filtering, detection, mitigation, remediation, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and real-time system-wide immunization against newly discovered attacks. Find out more about Progent's ransomware protection and cleanup services.

  • Outsourced/Co-managed Call Desk: Call Center Managed Services
    Progent's Call Desk managed services allow your IT staff to offload Help Desk services to Progent or to split responsibility for Service Desk support seamlessly between your in-house support staff and Progent's extensive pool of IT support engineers and subject matter experts (SMEs). Progent's Shared Service Desk provides a smooth extension of your corporate IT support resources. End-user interaction with the Help Desk, delivery of support services, escalation, ticket generation and tracking, efficiency metrics, and maintenance of the support database are consistent regardless of whether incidents are resolved by your core support staff, by Progent, or by a combination. Learn more about Progent's outsourced/shared Call Desk services.

  • Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer businesses of all sizes a versatile and affordable solution for evaluating, validating, scheduling, implementing, and tracking updates to your ever-evolving information network. In addition to optimizing the security and reliability of your computer network, Progent's software/firmware update management services allow your in-house IT staff to concentrate on more strategic initiatives and tasks that derive maximum business value from your information network. Read more about Progent's patch management services.

  • ProSight Duo Two-Factor Authentication: Identity Validation, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo authentication service plans use Cisco's Duo technology to protect against compromised passwords through two-factor authentication (2FA). Duo enables one-tap identity confirmation with iOS, Android, and other personal devices. With 2FA, when you log into a protected online account and give your password, you are asked to confirm who you are on a device that only you have and that uses a separate network channel. A wide range of devices can serve as this second factor, such as an iPhone, an Android phone, a smartwatch, a hardware token, or a landline phone. You may designate several validation devices. For more information about ProSight Duo two-factor identity validation services, see Duo MFA two-factor authentication (2FA) services.

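The ProSight Active Security Monitoring and Active Defense Against Ransomware services described above both rely on Windows VSS for single-click rollback, which only works if shadow copies actually exist for the volumes that matter. The PowerShell script below is an added example, not Progent's or SentinelOne's code, that reports each fixed NTFS volume on a Windows host together with the age of its newest shadow copy, flagging volumes with no snapshot or one older than a configurable limit. It assumes an elevated PowerShell session on the host being checked; the 24-hour threshold is an assumed default, not a Progent recommendation.

```powershell
# Added example (not from the original page): audit VSS shadow copy coverage per volume.
# Assumes it runs elevated on the Windows host being checked; MaxAgeHours is an assumed default.
param([int]$MaxAgeHours = 24)

$now = Get-Date

# Fixed local disks (DriveType 3) with an NTFS file system and a drive letter.
$volumes = Get-CimInstance Win32_Volume |
    Where-Object { $_.DriveType -eq 3 -and $_.FileSystem -eq 'NTFS' -and $_.DriveLetter }

# Every shadow copy on the host; Get-CimInstance returns InstallDate as a DateTime.
$shadows = @(Get-CimInstance Win32_ShadowCopy)

$report = foreach ($vol in $volumes) {
    # Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ path, which matches Win32_Volume.DeviceID.
    $forVol = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending)

    if ($forVol.Count -eq 0) {
        [pscustomobject]@{
            Volume         = $vol.DriveLetter
            Snapshots      = 0
            LatestSnapshot = $null
            Status         = 'NO SHADOW COPY'
        }
        continue
    }

    $latest   = $forVol[0]
    $ageHours = [math]::Round(($now - $latest.InstallDate).TotalHours, 1)
    $status   = if ($ageHours -gt $MaxAgeHours) { "STALE ($ageHours h old)" } else { 'OK' }

    [pscustomobject]@{
        Volume         = $vol.DriveLetter
        Snapshots      = $forVol.Count
        LatestSnapshot = $latest.InstallDate
        Status         = $status
    }
}

# Print the table; exit non-zero if any volume is uncovered so the script can run as a scheduled check.
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 } else { exit 0 }
```

Run it as `.\Check-VssCoverage.ps1 -MaxAgeHours 12` (assumed file name) from an administrative prompt; a non-zero exit code means at least one volume would have nothing to roll back to, which is the condition worth alerting on before an incident rather than discovering during one.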
For Appleton 24/7/365 Crypto-Ransomware Recovery Help, reach out to Progent at 800-462-8800 or go to Contact Progent.