Ransomware : Your Feared IT Disaster
Crypto-ransomware has become a modern cyber pandemic and presents an extinction-level danger for businesses that are poorly prepared for an attack. Families such as CryptoLocker, Fusob, Bad Rabbit, SamSam and MongoLock have been in the wild for years and continue to cause harm. The latest strains, such as Ryuk, Maze, Sodinokibi, Netwalker, Snatch and Nephilim, plus a steady stream of unnamed variants, not only encrypt critical data that is online but also seek out and disable any backup or protection mechanism they can reach, including shadow copies and backup shares that are accessible from the compromised network. Data synchronized to the cloud is not automatically safe either: a sync client will faithfully upload the encrypted versions of files over the originals. In a poorly architected data protection design this can make automated recovery impossible and effectively knocks the network back to zero.

Restoring services and data after a crypto-ransomware event is a race against the clock: the victim must contain and eradicate the ransomware while restoring business-critical operations. Attackers usually detonate the encryption payload at night or on weekends, after spending days or weeks moving laterally, because that is when the attack takes longest to notice and a response team is hardest to assemble. This compounds the difficulty of rapidly marshalling and orchestrating a capable mitigation effort.
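The check a practitioner wants for the first two paragraphs is to notice encryption in progress before a sync client or a backup job faithfully copies the encrypted files over the good ones. The following is an added example, not Progent's code or any product's, that applies three heuristics to a set of files: a known ransomware extension, high Shannon entropy on a file type that should not be random, and a missing file header on a format that is random-looking by design (a .docx or .jpg encrypted in place keeps its extension but loses its magic bytes), plus a canary file whose hash should never change. The sample files are constructed in memory; the extension list, the 7.5 bits/byte threshold and the file names are assumptions for the example.

```python
import hashlib
import math
import os
import random
from collections import Counter

# Extensions appended by some ransomware families (illustrative list for this example, not an IOC feed).
RANSOM_EXTENSIONS = {".ryk", ".locked", ".encrypted", ".crypt"}

# Formats that are high-entropy by design, with the header bytes a genuine file starts with.
MAGIC = {
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".pdf": b"%PDF", ".gz": b"\x1f\x8b",
}

ENTROPY_THRESHOLD = 7.5  # bits/byte; encrypted or random data sits near 8.0, text near 4-5 (assumed cutoff)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> str:
    """Verdict for one file: clean, ransom_extension, magic_mismatch or high_entropy."""
    ext = os.path.splitext(name)[1].lower()
    if ext in RANSOM_EXTENSIONS:
        return "ransom_extension"
    if ext in MAGIC and data.startswith(MAGIC[ext]):
        return "clean"  # random-looking by design, and the header says it is what it claims to be
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        # A compressed format that has lost its header is the signature of a file encrypted in place.
        return "magic_mismatch" if ext in MAGIC else "high_entropy"
    return "clean"


def canary_intact(data: bytes, expected_sha256: str) -> bool:
    """A canary is a decoy file nothing legitimate writes to; any change means files are being rewritten."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


def scan(files: dict, canaries: dict) -> dict:
    """files: name -> content; canaries: name -> expected SHA-256 hex. Returns name -> verdict."""
    verdicts = {}
    for name, data in files.items():
        if name in canaries:
            verdicts[name] = "clean" if canary_intact(data, canaries[name]) else "canary_modified"
        else:
            verdicts[name] = classify(name, data)
    return verdicts


# Constructed sample inputs for the example (not real customer data).
CANARY_CONTENT = b"canary - do not modify\n" * 50
CANARY_SHA256 = hashlib.sha256(CANARY_CONTENT).hexdigest()
_rng = random.Random(7)  # seeded so the sample is reproducible


def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_FILES = {
    "notes.txt": b"Quarterly production schedule for line 3.\n" * 100,  # plain text
    "photo.jpg": b"\xff\xd8\xff\xe0" + _random_bytes(8192),              # genuine JPEG header, random body
    "report.docx": _random_bytes(8192),                                  # encrypted in place, extension kept
    "budget.xlsx.ryk": _random_bytes(8192),                              # Ryuk-style renamed file
    "_canary.txt": CANARY_CONTENT[:-8] + b"GARBAGE!",                    # decoy overwritten by the attacker
}
SAMPLE_CANARIES = {"_canary.txt": CANARY_SHA256}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES, SAMPLE_CANARIES).items():
        print(f"{verdict:<18} {name}")
```

Entropy alone is a poor signal because archives, images and Office documents are already near 8 bits/byte; the magic-bytes check is what separates a legitimate .docx from one encrypted in place, and the canary catches encryption regardless of which heuristics the malware happens to defeat. In production the verdicts would feed a sync or backup client so that it pauses rather than propagates.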

Progent offers a range of services for protecting businesses from crypto-ransomware. These include staff education to help recognize and avoid phishing attempts, ProSight Active Security Monitoring, which uses SentinelOne's behavior-based endpoint protection to identify and shut down zero-day threats, and deployment of modern security gateways. Progent also provides veteran crypto-ransomware recovery engineers with the skill and commitment to restore a compromised network as quickly as possible.

Progent's Crypto-Ransomware Restoration Services
After a ransomware attack, paying the ransom in Bitcoin provides no assurance that the criminals will hand over keys that decrypt any, let alone all, of your data. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data even after paying, compounding their losses. The gamble is also expensive: Ryuk ransoms frequently range from 15 to 40 BTC (roughly $120,000 to $400,000 at the time), far above the typical ransomware demand, which ZDNet put at approximately $13,000. The alternative is to piece the mission-critical elements of your IT environment back together. Without complete, uncompromised backups, this requires a broad complement of IT skills, first-rate project management, and the capacity to work around the clock until the recovery is complete.

For twenty years, Progent has provided professional IT services for businesses in Buffalo and across the US and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's pool of subject matter experts includes consultants who have attained advanced industry certifications in foundation technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's cyber security experts have garnered internationally-renowned certifications including CISM, CISSP, CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience in financial management and ERP applications. This breadth of expertise affords Progent the ability to quickly understand necessary systems and consolidate the surviving pieces of your network environment after a crypto-ransomware event and assemble them into a functioning network.

Progent's recovery team uses project management tooling to orchestrate the complex restoration process. Progent understands the urgency of acting rapidly, and works with the customer's management and IT staff to prioritize tasks and bring essential services back online as soon as possible.

Customer Case Study: A Successful Crypto-Ransomware Intrusion Response
A small business engaged Progent after its network was brought down by Ryuk ransomware. Ryuk was initially linked by some researchers to North Korean state-sponsored actors because it shares code with the earlier Hermes ransomware, though later analysis attributed it to a Russian-speaking criminal group. Ryuk is operated by hands-on-keyboard intruders who target specific businesses with little ability to sustain disruption, and it is among the most lucrative ransomware operations to date. Notable victims include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a manufacturing business in the Chicago metro area with around 500 employees. The Ryuk intrusion had frozen all company operations and manufacturing processes. Most of the client's backups had been online and reachable from the compromised network at the time of the intrusion, and were destroyed along with the production data. The client considered paying the ransom (more than two hundred thousand dollars) and hoping for the best, but ultimately called Progent.


"I can't thank you enough for the help Progent provided us during the most critical time of (our) business's life. We would have had little choice but to pay the cyber criminals behind the attack if not for the confidence the Progent team provided us. The fact that you could get our messaging and essential applications back online in less than one week was earth shattering. Each staff member I interacted with or messaged at Progent was hell bent on getting our system up and was working day and night on our behalf."

Progent worked hand in hand with the client to quickly identify and prioritize the areas that had to be addressed before company functions could resume:

  • Microsoft Active Directory
  • Microsoft Exchange Server
  • MRP System
Progent began by following ransomware incident response best practices: isolating affected systems to halt lateral movement and eradicating the malware before any rebuild, so that restored systems would not simply be re-encrypted. Progent then started recovering Microsoft Active Directory, the foundation of networks built on Windows Server. Exchange Server email cannot function without AD, and the customer's accounting and MRP system ran on SQL Server, which relied on AD for authentication to the database.

Within 48 hours, Progent had rebuilt Active Directory to its pre-intrusion state. Progent then assisted with reinstallations and disk recovery of mission-critical systems. The Exchange Server data and configuration were intact, which simplified the Exchange restore, and Progent gathered unencrypted OST files (Outlook offline folder files) from workstations to recover mail data that would otherwise have been lost. A reasonably recent offline backup of the client's financial/ERP systems made it possible to bring those applications back to users; the backup survived precisely because it was offline and out of the ransomware's reach. Although a great deal of work remained before recovery from the Ryuk event was complete, core services were restored quickly:


"For the most part, the assembly line operation ran fairly normal throughout and we did not miss any customer deliverables."

Over the next month critical milestones in the recovery process were achieved through close collaboration between Progent engineers and the client:

  • Internal web sites were restored with no loss of data.
  • The MailStore email archive server, holding more than four million historical messages, was brought online and made available to users.
  • CRM/Customer Orders/Invoicing/Accounts Payable (AP)/Accounts Receivables (AR)/Inventory Control modules were 100 percent functional.
  • A new Palo Alto 850 firewall was brought online.
  • Most of the user PCs were back into operation.

"Much of what occurred those first few days is nearly entirely a fog for me, but our team will not soon forget the dedication all of the team showed to give us our company back. I've been working with Progent for the past ten years, maybe more, and every time I needed help Progent has impressed me and delivered as promised. This situation was a stunning achievement."

Conclusion
A potentially business-ending catastrophe was averted by dedicated professionals, a broad array of technical expertise, and close teamwork. A post-incident review showed that the intrusion described here could have been stopped by modern endpoint security, established best practices, staff training, and properly executed procedures for data protection and patching. Nonetheless, the criminal and state-sponsored attackers operating from Russia, China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware attack, remember that Progent's team has proven experience in ransomware defense, mitigation, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Tony and Chris (along with others who were helping), thank you for allowing me to get rested after we made it over the first week. Everyone made an impressive effort, and if anyone that helped is in the Chicago area, a great meal is the least I can do!"

To read or download a PDF version of this ransomware incident report, click:
Progent's Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Crypto-Ransomware Protection Services Offered by Progent
Progent offers businesses in Buffalo a portfolio of online monitoring and security evaluation services to help you to minimize the threat from ransomware. These services utilize next-generation AI technology to detect zero-day variants of crypto-ransomware that can escape detection by traditional signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring (ASM) is an endpoint protection (EPP) solution that uses SentinelOne's behavior-based machine learning technology to guard physical and virtual endpoints against modern malware such as ransomware and fileless exploits, which routinely evade traditional signature-based anti-virus products. ProSight ASM safeguards local and cloud resources and provides a unified platform covering the complete threat lifecycle: protection, detection, mitigation, cleanup, and forensics. Key features include one-click rollback based on Windows Volume Shadow Copy Service (VSS) snapshots and real-time system-wide immunization against newly discovered attacks. Note that rollback depends on shadow copies surviving the attack; most ransomware families try to delete them before encrypting, so the agent must block that step for the feature to help. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Protection and Microsoft Exchange Filtering
    ProSight Enhanced Security Protection services offer affordable in-depth protection for physical servers and VMs, desktops, mobile devices, and Exchange email. ProSight ESP uses adaptive security and advanced heuristics to continuously monitor and react to attacks across all vectors. ProSight ESP offers two-way firewall protection, intrusion alerts, device management, and web filtering via leading-edge tools incorporated within one agent accessible from a single console. Progent's security and virtualization consultants can help you plan and implement a ProSight ESP environment that addresses your organization's specific requirements and allows you to demonstrate compliance with legal and industry data security standards. Progent will help you specify and configure the policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require urgent action. Progent can also assist you to set up and test a backup and disaster recovery system such as ProSight Data Protection Services so you can get back in business rapidly after a potentially disastrous cyber attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint security and Exchange email filtering.

  • ProSight Data Protection Services (DPS): Backup and Recovery Services
    Progent has partnered with leading backup software providers to create ProSight Data Protection Services, a selection of subscription-based management offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and track your backup operations and enable transparent backup and rapid restoration of important files/folders, apps, system images, plus Hyper-V and VMware virtual machines. ProSight DPS helps you avoid data loss resulting from equipment failures, natural calamities, fire, cyber attacks like ransomware, human mistakes, malicious insiders, or software glitches. Managed services available in the ProSight Data Protection Services product family include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda dedicated hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can assist you to identify which of these fully managed backup services are best suited for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the technology of leading data security companies to deliver centralized management and world-class protection for your inbound and outbound email. The layered structure of Progent's Email Guard combines a Cloud Protection Layer with a local security gateway device to provide complete defense against spam, viruses, denial of service attacks, directory harvest attacks (DHAs), and other email-borne threats. The cloud filter acts as a first line of defense and blocks most unwanted email before it reaches your network firewall. This reduces your exposure to external attacks and saves bandwidth and storage. Email Guard's onsite gateway appliance adds a further layer of inspection for incoming email. For outbound email, the on-premises gateway provides AV and anti-spam protection, DLP, and email encryption. The local gateway can also help Exchange Server monitor and protect internal email that never leaves your corporate firewall. For more details, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Management
    Progent's ProSight WAN Watch is an infrastructure monitoring and management service that makes it simple and inexpensive for small and mid-sized businesses to diagram, monitor, optimize and debug their networking hardware like switches, firewalls, and wireless controllers as well as servers, endpoints and other devices. Using cutting-edge RMM technology, WAN Watch ensures that network diagrams are kept updated, copies and manages the configuration information of virtually all devices on your network, tracks performance, and generates notices when problems are detected. By automating time-consuming management processes, ProSight WAN Watch can cut hours off common tasks such as making network diagrams, expanding your network, locating appliances that need important updates, or identifying the cause of performance bottlenecks. Learn more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by tracking the health of vital assets that drive your information system. When ProSight LAN Watch uncovers a problem, an alarm is transmitted immediately to your specified IT staff and your Progent consultant so all potential issues can be addressed before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual machine host set up and managed by Progent's IT support experts. With Progent's ProSight Virtual Hosting model, the client owns the data, the operating system software, and the applications. Because the system is virtualized, it can be moved immediately to an alternate hardware environment without a time-consuming and technically risky reinstallation procedure. With ProSight Virtual Hosting, you are not locked into a single hosting service. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that makes it easy to create, maintain, retrieve and safeguard data about your IT infrastructure, procedures, applications, and services. You can instantly locate passwords or IP addresses and be alerted about upcoming expirations of SSL/TLS certificates or warranties. By cleaning up and managing your IT documentation, you can save as much as 50% of the time wasted looking for critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your network infrastructure, such as standard operating procedures and self-service instructions. ProSight IT Asset Management also offers advanced automation for gathering and associating IT data. Whether you're planning improvements, doing maintenance, or reacting to an emergency, ProSight IT Asset Management gets you the knowledge you need as soon as you need it. Find out more about ProSight IT Asset Management service.

  • Active Defense Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection managed service that uses behavior-based machine learning technology to defend endpoint devices and physical and virtual servers against new malware attacks such as ransomware and fileless exploits, which easily evade traditional signature-based anti-virus products. The service protects local and cloud-based resources and offers a single platform to manage the entire malware attack lifecycle, including filtering, intrusion detection, mitigation, cleanup, and post-attack forensics. Key capabilities include one-click rollback based on Windows Volume Shadow Copy Service (VSS) snapshots and real-time network-wide immunization against newly discovered threats. Find out more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Call Desk: Support Desk Managed Services
    Progent's Help Desk managed services enable your IT staff to outsource Help Desk services to Progent or divide responsibilities for support services transparently between your internal network support resources and Progent's nationwide roster of certified IT support engineers and subject matter experts (SMEs). Progent's Co-managed Help Desk Service provides a transparent supplement to your internal network support organization. Client access to the Help Desk, delivery of support, issue escalation, trouble ticket creation and updates, efficiency measurement, and maintenance of the service database are consistent whether issues are taken care of by your core IT support resources, by Progent's team, or both. Learn more about Progent's outsourced/co-managed Service Center services.

  • Progent's Patch Management: Patch Management Services
    Progent's managed services for software and firmware patch management offer organizations of all sizes a versatile and affordable solution for evaluating, testing, scheduling, applying, and documenting updates to your dynamic IT network. In addition to optimizing the protection and functionality of your computer environment, Progent's patch management services permit your IT team to focus on line-of-business projects and tasks that deliver the highest business value from your network. Read more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: ID Confirmation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo authentication managed services incorporate Cisco's Duo technology to limit the damage of stolen passwords by requiring two-factor authentication. Duo enables one-tap identity confirmation on iOS, Google Android, and other personal devices. With 2FA, when you log into a secured application and enter your password you are asked to verify your identity on a device that only you possess and that uses a different ("out-of-band") channel. A broad selection of out-of-band devices can be used for this second factor, such as a smartphone or watch, a hardware token, or a landline telephone. You can register multiple validation devices. To find out more about Duo two-factor identity authentication services, visit Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: In-depth Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding family of real-time and in-depth management reporting tools created to integrate with the leading ticketing and network monitoring platforms such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize critical issues like spotty support follow-up or endpoints with missing patches. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves network value, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
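The ProSight Active Security Monitoring and Active Defense Against Ransomware entries above both rely on Volume Shadow Copy rollback, which only works if the shadow copies survive. Most ransomware deletes them and disables Windows recovery shortly before encrypting, and Ryuk's batch scripts are a well-documented case. Those commands are a high-fidelity detection opportunity, usually minutes before the damage starts. The following is an added example, not Progent's or SentinelOne's code, that runs that detection over constructed process-creation log lines and then correlates them per host, on the reasoning that a single shadow-copy deletion may be an administrator freeing disk space while several distinct recovery-inhibit techniques within minutes is the pre-encryption pattern. The key=value log layout, rule list, ten-minute window, host names and timestamps are assumptions for the example; Sysmon Event ID 1 or Windows Security event 4688 carry the same fields under different names.

```python
import re
from datetime import datetime, timedelta

# One line per process creation, in a constructed key=value layout assumed for this example.
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+image=(?P<image>\S+)\s+cmd="(?P<cmd>.*)"$'
)

# Command-line patterns that inhibit recovery: shadow copy deletion or shrinking,
# backup catalog removal, and disabling Windows automatic repair.
RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadow_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_shadow_delete", re.compile(r"\bWin32_ShadowCopy\b.*\b(Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]


def parse_line(line: str):
    """Return a dict of fields, or None for lines that do not match the expected layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def match_rules(cmd: str) -> list:
    """Names of every rule that fires on a command line (empty list if none)."""
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(lines) -> list:
    """One alert per (event, rule) pair; malformed lines are skipped rather than aborting the run."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in match_rules(rec["cmd"]):
            alerts.append({"ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                           "rule": rule, "cmd": rec["cmd"]})
    return alerts


def escalate(alerts, window=timedelta(minutes=10), min_distinct=2) -> dict:
    """Hosts on which at least `min_distinct` different techniques fire inside `window`.

    Returns host -> sorted list of the techniques seen; these are the hosts to isolate first.
    """
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    hot = {}
    for host, events in by_host.items():
        events.sort(key=lambda a: a["ts"])
        for i, first in enumerate(events):
            seen = {a["rule"] for a in events[i:] if a["ts"] - first["ts"] <= window}
            if len(seen) >= min_distinct:
                hot[host] = sorted(seen)
                break
    return hot


# Constructed sample log: a Ryuk-style pre-encryption burst on a domain controller,
# a lone administrative shadow-copy deletion on a workstation, and one malformed line.
SAMPLE_LOG = [
    r'2019-10-12T02:14:07Z host=MFG-DC01 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    r'2019-10-12T02:14:09Z host=MFG-DC01 user=CORP\svc_backup image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic.exe shadowcopy delete"',
    r'2019-10-12T02:14:11Z host=MFG-DC01 user=CORP\svc_backup image=C:\Windows\System32\bcdedit.exe cmd="bcdedit.exe /set {default} recoveryenabled No"',
    r'2019-10-12T02:14:12Z host=MFG-DC01 user=CORP\svc_backup image=C:\Windows\System32\wbadmin.exe cmd="wbadmin.exe delete catalog -quiet"',
    r'2019-10-12T02:15:30Z host=MFG-DC01 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
    r'2019-10-11T09:02:44Z host=ADMIN-WS user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe list shadows"',
    r'2019-10-11T09:03:10Z host=ADMIN-WS user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe delete shadows /for=D: /oldest"',
    r'2019-10-11T09:04:00Z host=ADMIN-WS user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmd="notepad.exe runbook.txt"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]:%Y-%m-%d %H:%M:%S} {a["host"]:<9} {a["rule"]:<24} {a["cmd"]}')
    for host, techniques in escalate(found).items():
        print(f"ISOLATE {host}: {', '.join(techniques)}")
```

The single deletion on ADMIN-WS still produces an alert for triage, but only MFG-DC01, where five distinct techniques fire within two minutes, is escalated for isolation. In a real deployment the command-line field would be taken from the EDR or Sysmon feed, and the escalation would trigger host containment rather than a print statement.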
For Buffalo 24x7x365 CryptoLocker Removal Experts, contact Progent at 800-462-8800 or go to Contact Progent.