Ransomware: Your Worst IT Disaster
Ransomware has become a modern cyber pandemic that poses an enterprise-level threat to any business vulnerable to an attack. Multiple generations of crypto-ransomware, including the Reveton, CryptoWall, Locky, SamSam and MongoLock families, have been running rampant for years and continue to cause havoc. The latest versions of crypto-ransomware such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch or Nephilim, plus frequent unnamed newcomers, not only encrypt online files but also corrupt most reachable system backups. Data synced to cloud environments can also be corrupted. In a vulnerable system, this can render automated recovery useless and effectively set the entire environment back to zero.

Recovering applications and data following a ransomware intrusion becomes a sprint against time as the targeted business tries to contain the damage, clear the ransomware and resume mission-critical operations. Because ransomware takes time to move laterally, attacks are frequently triggered during nights and weekends, when intrusions tend to take longer to recognize. This multiplies the difficulty of quickly mobilizing and coordinating a qualified response team.

Progent offers a range of services for protecting businesses from crypto-ransomware attacks. Among these are user training to help staff recognize and avoid phishing attempts, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and setup and configuration of modern AI-based security solutions from SentinelOne to discover and suppress new threats quickly. Progent can also provide the assistance of veteran crypto-ransomware recovery consultants with the track record and perseverance to redeploy a breached network as soon as possible.

Progent's Ransomware Restoration Support Services
Following a ransomware event, paying the ransom demand in Bitcoin does not guarantee that the criminal gang will return the keys needed to decrypt all your information. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their data after paying the ransom, compounding their losses. The gamble is also expensive. Ryuk ransoms often range from 15 to 40 BTC (roughly $120,000 to $400,000). This is far higher than the average ransomware demand, which ZDNET estimates to be approximately $13,000. The alternative is to rebuild the key parts of your IT environment from scratch. Without access to complete data backups, this calls for a wide range of skill sets, well-coordinated project management, and the capability to work 24x7 until the job is completed.

For decades, Progent has provided professional IT services to businesses in Appleton and throughout the United States and has achieved Microsoft Partner certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who hold advanced certifications in foundation technologies from Microsoft, Cisco and VMware and in popular distributions of Linux. Progent's security engineers have earned internationally recognized industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Refer to Progent's certifications.) Progent also has experience with financial systems and ERP software solutions. This breadth of experience gives Progent the skills to efficiently identify critical systems, integrate the surviving pieces of your IT environment after a crypto-ransomware event, and rebuild them into a functioning system.

Progent's ransomware team uses best-of-breed project management tools to coordinate the complicated recovery process. Progent understands the urgency of working rapidly and in concert with a customer's management and IT team members to prioritize tasks and bring essential applications back online as soon as humanly possible.

Customer Story: A Successful Ransomware Incident Recovery
A small business escalated to Progent after its network was taken down by Ryuk ransomware. Ryuk is generally considered to have been launched by North Korean state-sponsored hackers, suspected of adopting techniques leaked from the United States NSA. Ryuk targets specific businesses with little tolerance for disruption and is among the most profitable instances of ransomware. Well-known victims include Data Resolution, a California-based data warehousing and cloud computing business, and the Chicago Tribune. Progent's client is a small manufacturer based in the Chicago metro area with about 500 employees. The Ryuk event had paralyzed all company operations and manufacturing processes. The majority of the client's data backups had been online at the start of the attack and were damaged. The client was considering paying the ransom (in excess of two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I can't tell you enough about the support Progent provided us during the most critical time of (our) business's life. We had little choice but to pay the criminal gangs except for the confidence the Progent group afforded us. The fact that you were able to get our messaging and important servers back quicker than one week was beyond my wildest dreams. Every single expert I interacted with or e-mailed at Progent was totally committed to getting us back online and was working 24 by 7 to bail us out."

Progent worked with the customer to rapidly identify and prioritize the critical services that had to be recovered in order to continue business operations:

  • Microsoft Active Directory
  • Electronic Messaging
  • MRP System
To begin, Progent followed ransomware incident mitigation best practices by stopping the spread and disinfecting systems. Progent then started the task of recovering Windows Active Directory, the core technology of enterprise environments built on Microsoft Windows Server. Microsoft Exchange messaging will not operate without AD, and the business's financial and MRP systems ran on Microsoft SQL Server, which depends on Active Directory for authentication to the data.

Within two days, Progent was able to restore Active Directory services to their pre-intrusion state. Progent then completed reinstallations and storage recovery for essential applications. All Exchange Server schema and configuration information was intact, which greatly simplified the restoration of Exchange. Progent was also able to locate local OST files (Outlook Offline Folder Files) on user workstations in order to recover email messages. A recent offline backup of the client's manufacturing software made it possible to bring these essential services back online for users. Although a great deal of work remained to recover completely from the Ryuk attack, essential services were recovered quickly:


"For the most part, the production operation showed little impact and we made all customer sales."

Over the following few weeks, important milestones in the restoration project were completed through close collaboration between Progent team members and the customer:

  • Internal web applications were brought back up with no loss of data.
  • The MailStore Exchange Server containing more than four million archived messages was brought on-line and accessible to users.
  • CRM/Orders/Invoices/AP/AR/Inventory capabilities were fully restored.
  • A new Palo Alto 850 firewall was installed and configured.
  • 90% of the user desktops and notebooks were back in use by staff.

"A huge amount of what was accomplished those first few days is nearly entirely a blur for me, but we will not forget the care each of the team put in to give us our business back. I've been working together with Progent for at least 10 years, possibly more, and each time I needed help Progent has outperformed my expectations and delivered as promised. This event was a stunning achievement."

Conclusion
A potential business disaster was averted through the efforts of dedicated experts, a broad range of knowledge, and tight collaboration. Although in retrospect the ransomware incident described here could have been prevented with advanced cyber security technology, NIST Cybersecurity Framework best practices, user and IT administrator education, and well thought out procedures for data backup and for keeping systems current with security patches, the fact remains that government-sponsored criminal cyber gangs from China, Russia, North Korea and elsewhere are tireless and an ongoing threat. If you do get hit by a ransomware attack, remember that Progent's roster of professionals has proven experience in ransomware defense, cleanup, and file restoration.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others that were involved), thank you for making it so I could get some sleep after we got past the initial fire. Everyone did a fabulous job, and if any of your team is in the Chicago area, a great meal is on me!"

To read or download a PDF version of this case study, see Progent's Ransomware Incident Recovery Case Study Datasheet (PDF, 282 KB).

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent provides companies in Appleton a range of remote monitoring and security evaluation services to help reduce your exposure to ransomware. These services incorporate next-generation artificial intelligence to detect zero-day variants of ransomware that can escape detection by traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that uses SentinelOne's behavior-based analysis to guard physical and virtual endpoints against modern malware attacks like ransomware and email phishing, which easily bypass traditional signature-based AV tools. ProSight ASM protects on-premises and cloud resources and provides a unified platform to manage the complete threat progression, including blocking, identification, containment, cleanup, and forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Learn more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection managed services deliver affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for round-the-clock monitoring and response to cyber attacks from all attack vectors. ProSight ESP delivers two-way firewall protection, intrusion alerts, device management, and web filtering through leading-edge tools incorporated within a single agent managed from a single console. Progent's data protection and virtualization experts can help your business design and configure a ProSight ESP deployment that meets your company's specific needs and helps you demonstrate compliance with legal and industry data protection standards. Progent will help you define and configure the policies that ProSight ESP enforces, and Progent will monitor your IT environment and respond to alarms that require urgent attention. Progent's consultants can also help you set up and test a backup and disaster recovery system such as ProSight Data Protection Services (DPS) so you can get back in business rapidly after a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has worked with advanced backup/restore technology providers to produce ProSight Data Protection Services, a family of management outsourcing plans that provide backup-as-a-service (BaaS). ProSight DPS products automate and monitor your data backup operations and allow transparent backup and rapid restoration of vital files and folders, applications, system images, and VMs. ProSight DPS lets you protect against data loss resulting from equipment failure, natural disasters, fire, cyber attacks such as ransomware, user mistakes, malicious insiders, or application bugs. Managed backup services available in the ProSight DPS product line include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can help you identify which of these managed backup services are best suited to your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that uses the infrastructure of top data security companies to provide web-based control and comprehensive protection for your email traffic. The architecture of Email Guard combines a Cloud Protection Layer with an on-premises security gateway appliance to offer complete defense against spam, viruses, Denial of Service (DoS) attacks, Directory Harvest Attacks, and other email-based threats. Email Guard's cloud filter acts as a preliminary barrier and blocks most unwanted email before it reaches your security perimeter. This reduces your exposure to inbound threats and saves bandwidth and storage space. Email Guard's onsite security gateway appliance provides a deeper layer of inspection for inbound email. For outgoing email, the local security gateway offers anti-virus and anti-spam protection, policy-based Data Loss Prevention, and email encryption. The on-premises security gateway can also help Microsoft Exchange Server monitor and safeguard internal email traffic that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it simple and inexpensive for small and mid-sized organizations to diagram, track, reconfigure and debug their networking appliances such as routers, firewalls, and load balancers, plus servers, printers, endpoints and other networked devices. Incorporating state-of-the-art Remote Monitoring and Management (RMM) technology, ProSight WAN Watch keeps infrastructure topology maps up to date, backs up and manages the configuration of virtually all devices connected to your network, monitors performance, and generates alerts when issues are discovered. By automating complex management activities, WAN Watch can knock hours off routine chores such as drawing network diagrams, expanding your network, finding devices that need critical software patches, or resolving performance problems. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring service that uses advanced remote monitoring and management techniques to keep your IT system running efficiently by checking the health of the vital computers that power your information system. When ProSight LAN Watch uncovers a problem, an alert is sent automatically to your designated IT management personnel and your assigned Progent consultant so that potential issues can be addressed before they affect productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's Tier III Data Center
    With the ProSight Virtual Hosting service, a small organization can have its critical servers and applications hosted in a protected, fault-tolerant data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting service model, the client owns the data, the operating system platforms, and the applications. Because the system is virtualized, it can be moved easily to a different hosting environment without a time-consuming and difficult configuration process. With ProSight Virtual Hosting, your business is not tied to a single hosting provider. Learn more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management is a cloud-based IT documentation management service that allows you to create, maintain, find and safeguard data related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates or warranties. By keeping your IT documentation current and organized, you can save as much as 50% of the time wasted looking for vital information about your network. ProSight IT Asset Management features a centralized repository for holding and collaborating on all documents related to managing your business network, such as recommended procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for collecting and correlating IT data. Whether you're planning improvements, performing maintenance, or reacting to a crisis, ProSight IT Asset Management delivers the data you require as soon as you need it. Find out more about Progent's ProSight IT Asset Management service.

  • Progent Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that incorporates behavior-based analysis tools to guard endpoint devices and physical and virtual servers against new malware attacks like ransomware and fileless exploits, which routinely bypass legacy signature-based AV tools. Progent Active Security Monitoring services protect local and cloud-based resources and offer a single platform to address the entire threat lifecycle, including blocking, identification, containment, remediation, and forensics. Key capabilities include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Find out more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Center: Support Desk Managed Services
    Progent's Support Center services allow your IT group to outsource Help Desk services to Progent or to split Service Desk responsibilities seamlessly between your internal network support staff and Progent's extensive roster of certified IT service engineers and subject matter experts. Progent's Shared Help Desk Service provides a smooth extension of your core support group. End-user interaction with the Service Desk, delivery of support, escalation, trouble ticket creation and updates, efficiency metrics, and management of the support database are consistent whether issues are resolved by your internal IT support group, by Progent, or by a combination of the two. Find out more about Progent's outsourced/co-managed Help Center services.

  • Progent's Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management offer organizations of all sizes a versatile and cost-effective solution for evaluating, validating, scheduling, applying, and documenting software and firmware updates across your ever-evolving network. In addition to improving the security and reliability of your IT network, Progent's software/firmware update management services allow your in-house IT team to concentrate on line-of-business projects and activities that deliver the highest business value. Read more about Progent's patch management support services.

  • ProSight Duo Two-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services incorporate Cisco's Duo cloud technology to defend against compromised passwords through two-factor authentication (2FA). Duo supports single-tap identity confirmation with Apple iOS, Android, and other personal devices. With Duo 2FA, whenever you log into a secured online account and enter your password, you are asked to confirm your identity via a device that only you possess and that is reached over a different ("out-of-band") network channel. A broad selection of out-of-band devices can be used for this added means of authentication, such as an iPhone, Android phone or smartwatch, a hardware or software token, or a landline phone. You may register several validation devices. For more information about ProSight Duo two-factor identity authentication services, see Duo MFA two-factor authentication services.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is a growing family of real-time and in-depth reporting plug-ins designed to integrate with leading ticketing and network monitoring applications such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and color coding to surface and contextualize key issues like inconsistent support follow-through or endpoints with missing patches. By identifying ticketing or network health problems concisely and in near real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For details, see ProSight Reporting for ticketing and network monitoring applications.

For Appleton 24-7 Crypto-Ransomware Removal Support Services, contact Progent at 800-462-8800 or go to Contact Progent.