Ransomware : Your Crippling IT Catastrophe
Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a modern cyber pandemic that represents an enterprise-level danger for organizations unprepared for an assault. Versions of ransomware such as CrySIS, Fusob, Bad Rabbit, Syskey and MongoLock cryptoworms have been circulating for a long time and still inflict harm. More recent versions of ransomware like Ryuk, Maze, Sodinokibi, Netwalker, LockBit or Egregor, along with daily as yet unnamed newcomers, not only do encryption of on-line data but also infect all configured system backup. Files replicated to off-site disaster recovery sites can also be corrupted. In a poorly designed data protection solution, this can render automated recovery hopeless and basically sets the network back to zero.

Getting back programs and data after a ransomware outage becomes a sprint against the clock as the targeted organization fights to contain and cleanup the virus and to restore enterprise-critical operations. Because ransomware requires time to move laterally, attacks are usually sprung during nights and weekends, when successful attacks are likely to take longer to uncover. This multiplies the difficulty of promptly assembling and coordinating an experienced mitigation team.

Progent offers an assortment of solutions for securing enterprises from crypto-ransomware penetrations. Among these are team member training to help identify and not fall victim to phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus deployment of the latest generation security gateways with machine learning capabilities from SentinelOne to detect and extinguish new cyber threats intelligently. Progent in addition offers the services of seasoned ransomware recovery consultants with the talent and perseverance to reconstruct a compromised system as rapidly as possible.

Progent's Ransomware Restoration Support Services
Soon after a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not provide any assurance that cyber criminals will provide the keys to decrypt all your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their files even after having sent off the ransom, resulting in additional losses. The risk is also expensive. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET determined to be around $13,000. The alternative is to piece back together the key parts of your IT environment. Without the availability of essential system backups, this calls for a wide range of skill sets, professional project management, and the ability to work continuously until the task is finished.

For decades, Progent has provided professional Information Technology services for companies in Buffalo and throughout the US and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts includes engineers who have attained top industry certifications in leading technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security specialists have garnered internationally-renowned industry certifications including CISM, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Refer to Progent's certifications). Progent also has experience with accounting and ERP software solutions. This breadth of experience provides Progent the ability to knowledgably understand necessary systems and re-organize the remaining pieces of your IT system after a ransomware attack and rebuild them into a functioning network.

Progent's security team uses powerful project management tools to orchestrate the sophisticated restoration process. Progent knows the importance of acting swiftly and in unison with a client's management and Information Technology resources to prioritize tasks and to get critical applications back on line as fast as humanly possible.

Customer Case Study: A Successful Crypto-Ransomware Incident Restoration
A business escalated to Progent after their network system was crashed by the Ryuk ransomware. Ryuk is believed to have been created by Northern Korean state sponsored cybercriminals, possibly using algorithms leaked from America's NSA organization. Ryuk attacks specific organizations with little or no ability to sustain disruption and is one of the most lucrative instances of ransomware malware. Well Known victims include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a regional manufacturing business located in the Chicago metro area with about 500 staff members. The Ryuk intrusion had shut down all essential operations and manufacturing capabilities. Most of the client's information backups had been online at the time of the attack and were encrypted. The client was evaluating paying the ransom demand (more than $200,000) and praying for good luck, but ultimately brought in Progent.


"I cannot thank you enough about the care Progent gave us throughout the most critical time of (our) company's survival. We most likely would have paid the cybercriminals if not for the confidence the Progent experts gave us. That you were able to get our messaging and production applications back on-line quicker than five days was something I thought impossible. Every single expert I worked with or communicated with at Progent was absolutely committed on getting us operational and was working 24/7 on our behalf."

Progent worked with the client to quickly understand and assign priority to the key areas that had to be addressed to make it possible to resume company operations:

  • Windows Active Directory
  • Electronic Mail
  • MRP System
To start, Progent adhered to AV/Malware Processes penetration mitigation best practices by stopping the spread and removing active viruses. Progent then began the task of rebuilding Microsoft Active Directory, the key technology of enterprise environments built on Microsoft technology. Microsoft Exchange Server email will not work without Windows AD, and the client's financials and MRP software leveraged Microsoft SQL, which depends on Windows AD for security authorization to the information.

Within 2 days, Progent was able to restore Windows Active Directory to its pre-virus state. Progent then completed setup and hard drive recovery of key systems. All Microsoft Exchange Server schema and attributes were usable, which accelerated the rebuild of Exchange. Progent was able to locate local OST files (Outlook Email Offline Data Files) on various workstations and laptops to recover mail information. A not too old off-line backup of the customer's manufacturing systems made them able to recover these essential programs back available to users. Although major work was left to recover completely from the Ryuk event, essential services were returned to operations quickly:


"For the most part, the production line operation survived unscathed and we made all customer sales."

Over the next couple of weeks important milestones in the recovery project were accomplished through close collaboration between Progent engineers and the client:

  • In-house web sites were brought back up with no loss of data.
  • The MailStore Exchange Server containing more than four million historical emails was brought online and available for users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables (AR)/Inventory Control functions were 100% operational.
  • A new Palo Alto Networks 850 security appliance was installed and configured.
  • Ninety percent of the user PCs were fully operational.

"A huge amount of what was accomplished in the initial days is nearly entirely a haze for me, but we will not forget the urgency each of the team put in to give us our company back. I have been working with Progent for at least 10 years, maybe more, and each time I needed help Progent has impressed me and delivered as promised. This situation was a stunning achievement."

Conclusion
A likely business catastrophe was dodged by results-oriented experts, a broad spectrum of subject matter expertise, and close teamwork. Although in analyzing the event afterwards the crypto-ransomware virus incident described here could have been blocked with advanced cyber security systems and security best practices, team education, and well designed security procedures for information protection and proper patching controls, the reality remains that state-sponsored cyber criminals from China, North Korea and elsewhere are tireless and are an ongoing threat. If you do get hit by a crypto-ransomware incident, feel confident that Progent's roster of experts has a proven track record in crypto-ransomware virus defense, mitigation, and information systems recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen and Tony (and any others that were helping), thank you for making it so I could get some sleep after we made it past the first week. Everyone did an fabulous effort, and if anyone that helped is visiting the Chicago area, a great meal is the least I can do!"

To review or download a PDF version of this customer story, please click:
Progent's Crypto-Ransomware Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent offers companies in Buffalo a range of remote monitoring and security assessment services designed to assist you to minimize your vulnerability to ransomware. These services include next-generation artificial intelligence capability to uncover new variants of ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection service that incorporates SentinelOne's next generation behavior-based analysis technology to guard physical and virtual endpoint devices against modern malware attacks like ransomware and file-less exploits, which easily escape legacy signature-based anti-virus tools. ProSight Active Security Monitoring safeguards local and cloud-based resources and provides a single platform to manage the entire threat lifecycle including filtering, identification, containment, remediation, and post-attack forensics. Key features include one-click rollback with Windows Volume Shadow Copy Service and automatic system-wide immunization against newly discovered attacks. Progent is a SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Filtering
    Progent's ProSight Enhanced Security Protection services deliver ultra-affordable in-depth security for physical and virtual servers, desktops, smartphones, and Exchange Server. ProSight ESP uses contextual security and advanced machine learning for round-the-clock monitoring and reacting to cyber threats from all vectors. ProSight ESP delivers firewall protection, penetration alarms, endpoint control, and web filtering via cutting-edge tools incorporated within one agent accessible from a unified console. Progent's data protection and virtualization experts can help you to plan and implement a ProSight ESP deployment that addresses your organization's specific needs and that helps you demonstrate compliance with government and industry data protection regulations. Progent will assist you specify and implement policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that require urgent action. Progent's consultants can also assist your company to install and test a backup and restore system such as ProSight Data Protection Services so you can get back in business rapidly from a potentially disastrous security attack like ransomware. Learn more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint security and Exchange filtering.

  • ProSight Data Protection Services: Managed Backup and Recovery Services
    Progent has worked with leading backup/restore software providers to produce ProSight Data Protection Services (DPS), a family of management outsourcing plans that provide backup-as-a-service. ProSight DPS products automate and track your data backup processes and enable transparent backup and rapid recovery of critical files, applications, system images, and Hyper-V and VMware virtual machines. ProSight DPS helps you recover from data loss caused by hardware failures, natural calamities, fire, cyber attacks such as ransomware, user mistakes, ill-intentioned insiders, or software bugs. Managed services in the ProSight DPS product family include ProSight DPS Ataro VM Backup, ProSight Ataro Office 365 Total Backup, ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Cloud and On-prem Backup. Your Progent consultant can assist you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering and email encryption service that uses the technology of leading information security vendors to deliver web-based control and comprehensive security for your inbound and outbound email. The hybrid architecture of Email Guard integrates cloud-based filtering with a local security gateway device to offer complete defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne threats. Email Guard's cloud filter serves as a preliminary barricade and keeps the vast majority of threats from reaching your security perimeter. This reduces your exposure to external threats and saves system bandwidth and storage space. Email Guard's onsite security gateway appliance adds a deeper level of inspection for inbound email. For outbound email, the local gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also help Microsoft Exchange Server to track and protect internal email traffic that originates and ends within your security perimeter. For more information, see ProSight Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized businesses to map out, monitor, optimize and debug their networking hardware such as switches, firewalls, and access points plus servers, endpoints and other devices. Using cutting-edge Remote Monitoring and Management technology, WAN Watch ensures that infrastructure topology diagrams are kept current, copies and displays the configuration of almost all devices on your network, tracks performance, and sends alerts when problems are detected. By automating time-consuming network management activities, WAN Watch can cut hours off common chores like network mapping, expanding your network, finding devices that require critical software patches, or isolating performance problems. Find out more about ProSight WAN Watch network infrastructure monitoring and management consulting.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses state-of-the-art remote monitoring and management (RMM) techniques to keep your network running at peak levels by checking the health of vital assets that power your information system. When ProSight LAN Watch detects a problem, an alert is sent automatically to your specified IT management personnel and your assigned Progent engineering consultant so any potential issues can be resolved before they can impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring services.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's Tier III Data Center
    With ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a protected Tier III data center on a high-performance virtual machine host configured and managed by Progent's IT support experts. Under Progent's ProSight Virtual Hosting service model, the client owns the data, the OS platforms, and the applications. Because the environment is virtualized, it can be ported immediately to a different hosting solution without requiring a time-consuming and difficult configuration procedure. With ProSight Virtual Hosting, your business is not locked into a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to capture, maintain, find and protect data about your IT infrastructure, procedures, applications, and services. You can quickly find passwords or serial numbers and be warned about impending expirations of SSLs or domains. By cleaning up and organizing your network documentation, you can eliminate up to half of time wasted trying to find critical information about your IT network. ProSight IT Asset Management features a centralized location for storing and sharing all documents required for managing your business network like standard operating procedures and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT data. Whether you're planning improvements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the information you require as soon as you need it. Learn more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) service that utilizes next generation behavior-based machine learning tools to defend endpoint devices and physical and virtual servers against modern malware attacks like ransomware and file-less exploits, which routinely get by traditional signature-based anti-virus products. Progent Active Security Monitoring services protect on-premises and cloud-based resources and provides a unified platform to manage the entire malware attack progression including blocking, detection, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new threats. Read more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Call Center: Help Desk Managed Services
    Progent's Help Desk managed services allow your IT group to outsource Call Center services to Progent or split responsibilities for support services seamlessly between your in-house support resources and Progent's nationwide roster of IT service engineers and subject matter experts (SMEs). Progent's Shared Service Desk offers a smooth extension of your internal support group. User access to the Service Desk, provision of support services, issue escalation, trouble ticket creation and updates, efficiency metrics, and management of the support database are cohesive regardless of whether incidents are resolved by your corporate support staff, by Progent, or by a combination. Learn more about Progent's outsourced/shared Call Desk services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a versatile and affordable alternative for assessing, testing, scheduling, applying, and documenting updates to your dynamic IT network. Besides maximizing the security and functionality of your computer network, Progent's patch management services free up time for your IT team to focus on line-of-business projects and tasks that derive the highest business value from your network. Learn more about Progent's software/firmware update management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on (SSO)
    Progent's Duo MFA services utilize Cisco's Duo technology to defend against stolen passwords by using two-factor authentication (2FA). Duo supports single-tap identity verification on iOS, Android, and other personal devices. Using Duo 2FA, whenever you log into a protected online account and enter your password you are asked to confirm who you are via a unit that only you have and that is accessed using a different network channel. A broad range of out-of-band devices can be utilized for this added means of ID validation including an iPhone or Android or wearable, a hardware token, a landline phone, etc. You may register multiple verification devices. To find out more about ProSight Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services.
For Buffalo 24/7 Crypto-Ransomware Recovery Support Services, reach out to Progent at 800-462-8800 or go to Contact Progent.