Ransomware : Your Feared Information Technology Nightmare
Ransomware Recovery Professionals
Ransomware has become an all-too-frequent cyber pandemic that represents an enterprise-level danger for businesses of all sizes that are poorly prepared for an attack. Ransomware families such as Reveton, CryptoWall, Bad Rabbit, Syskey and MongoLock cryptoworms have been around for years and continue to inflict harm. Modern crypto-ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Conti or Egregor, plus a steady stream of as-yet-unnamed malware, not only encrypts online information but also infects any configured system backup it can reach. Information replicated to off-site disaster recovery sites can also be corrupted. In a poorly designed system, this can make automated restoration hopeless and effectively knocks the network back to square one.

Recovering services and data after a crypto-ransomware outage becomes a sprint against time as the targeted organization struggles to stop lateral movement, clear the ransomware, and restore business-critical activity. Since ransomware takes time to spread, attacks are often sprung during weekends and nights, when they typically take longer to uncover. This multiplies the difficulty of quickly marshalling and organizing a knowledgeable mitigation team.

Progent offers a range of services for securing organizations against ransomware penetrations. These include user education so that staff can recognize and avoid phishing scams, ProSight Active Security Monitoring (ASM) for remote monitoring and management, and deployment of the latest generation of security gateways with artificial intelligence capabilities from SentinelOne to identify and suppress zero-day cyber threats automatically. Progent also offers the assistance of expert ransomware recovery consultants with the talent and commitment to rebuild a compromised environment as urgently as possible.

Progent's Ransomware Restoration Support Services
After a ransomware event, even paying the ransom in Bitcoin cryptocurrency does not guarantee that the cyber hackers will return the keys needed to decrypt any or all of your files. Kaspersky Labs estimated that 17% of ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 to $400,000). This is significantly higher than the typical crypto-ransomware demand, which ZDNET estimates to be in the range of $13,000. The fallback is to piece back together the vital components of your IT environment. Without access to complete data backups, this calls for a broad complement of skills, top-notch team management, and the ability to work non-stop until the task is done.

For twenty years, Progent has provided expert IT services for businesses in Lima and across the United States and has earned Microsoft's Gold Partnership certification in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes consultants who have earned top industry certifications in key technologies including Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security specialists have earned internationally recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (See Progent's certifications.) Progent also has experience with accounting and ERP software solutions. This breadth of expertise gives Progent the capability to rapidly identify critical systems, organize the remaining pieces of your IT system following a ransomware penetration, and rebuild them into an operational environment.

Progent's ransomware group uses state-of-the-art project management applications to coordinate the complex recovery process. Progent appreciates the urgency of acting rapidly and of working together with a client's management and Information Technology staff to prioritize tasks and put key services back on-line as fast as possible.

Case Study: A Successful Crypto-Ransomware Virus Restoration
A small business engaged Progent after their company was brought down by Ryuk crypto-ransomware. Ryuk is believed to have been deployed by North Korean state-sponsored cybercriminals, possibly adopting techniques leaked from the U.S. National Security Agency. Ryuk targets specific businesses with little ability to sustain operational disruption and is among the most lucrative instances of crypto-ransomware. Well-known targets include Data Resolution, a California-based information warehousing and cloud computing firm, and the Chicago Tribune. Progent's customer is a small manufacturer based in Chicago with about 500 employees. The Ryuk intrusion had frozen all essential operations and manufacturing processes. The majority of the client's system backups had been directly accessible from the network at the time of the intrusion and were damaged. The client considered paying the ransom (exceeding $200,000) and hoping for the best, but ultimately brought in Progent.


"I can't thank you enough in regards to the expertise Progent provided us throughout the most critical time of (our) company's survival. We most likely would have paid the cyber criminals except for the confidence the Progent group provided us. That you could get our e-mail system and important applications back on-line in less than one week was incredible. Every single person I talked with or texted at Progent was amazingly focused on getting us operational and was working non-stop on our behalf."

Progent worked together with the customer to quickly understand and prioritize the key elements that had to be restored to make it possible to continue company operations:

  • Active Directory (AD)
  • Microsoft Exchange Email
  • Accounting and Manufacturing Software

To start, Progent followed malware incident response best practices by halting lateral movement and cleaning up compromised systems. Progent then began recovering Microsoft AD, the core of enterprise networks built on Microsoft technology. Microsoft Exchange Server messaging will not operate without AD, and the business's accounting and MRP applications used SQL Server, which depends on Windows AD for access to the database.

Within 2 days, Progent was able to rebuild Active Directory to its pre-attack state. Progent then assisted with the setup and hard drive recovery of essential servers. All Exchange schema and configuration information was intact, which greatly helped the restoration of Exchange. Progent was able to collect unencrypted OST data files (Microsoft Outlook Offline Folder files) from user desktop computers and laptops in order to recover mail messages. A recent offline backup of the customer's accounting software made it possible to bring these vital programs back on-line. Although major work remained to recover completely from the Ryuk attack, core services were returned to operation quickly:


"For the most part, the manufacturing operation survived unscathed and we produced all customer sales."

Over the following couple of weeks, important milestones in the recovery project were achieved through close cooperation between Progent engineers and the client:

  • Self-hosted web applications were returned to operation with no loss of information.
  • The MailStore archive of Microsoft Exchange Server email, exceeding 4 million historical messages, was spun up and made available to users.
  • CRM/Product Ordering/Invoicing/Accounts Payable/AR/Inventory functions were fully restored.
  • A new Palo Alto 850 security appliance was deployed.
  • Ninety percent of the user PCs were back in operation.

"So much of what went on that first week is mostly a haze for me, but we will not soon forget the care each and every one of your team put in to give us our business back. I've been working with Progent for the past ten years, maybe more, and every time I needed help Progent has come through and delivered as promised. This situation was a life saver."

Conclusion
A potentially enterprise-killing disaster was averted by hard-working professionals, a wide range of knowledge, and close collaboration. Post-incident analysis showed that the crypto-ransomware penetration detailed here would have been prevented by up-to-date cyber security solutions, ISO/IEC 27001 best practices, staff training, and appropriate incident response procedures covering data backup and keeping systems current with security patches. The reality, however, is that state-sponsored hackers from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a crypto-ransomware attack, remember that Progent's roster of experts has a proven track record in ransomware defense, removal, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were helping), thank you for letting me get rested after we got past the initial push. All of you did a fabulous effort, and if anyone that helped is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this case study, please click:
Progent's Ransomware Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Lima a variety of online monitoring and security assessment services designed to help you minimize the threat from ransomware. These services include modern artificial intelligence capability to uncover new strains of ransomware that are able to get past legacy signature-based security products.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that utilizes SentinelOne's next generation behavior analysis technology to guard physical and virtual endpoint devices against modern malware assaults like ransomware and file-less exploits, which easily evade traditional signature-matching anti-virus tools. ProSight ASM safeguards local and cloud-based resources and provides a single platform to address the complete threat lifecycle including filtering, identification, containment, remediation, and post-attack forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time network-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Read more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Endpoint Security and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection services deliver economical in-depth protection for physical servers and VMs, workstations, mobile devices, and Exchange Server. ProSight ESP uses contextual security and modern behavior analysis for continuously monitoring and responding to cyber threats from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, endpoint management, and web filtering through leading-edge technologies incorporated within a single agent accessible from a unified console. Progent's data protection and virtualization consultants can help your business design and implement a ProSight ESP deployment that addresses your company's unique requirements and that allows you to demonstrate compliance with legal and industry data protection regulations. Progent will assist you in defining and configuring the security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alerts that call for immediate action. Progent can also help you set up and verify a backup and disaster recovery solution like ProSight Data Protection Services so you can get back in business rapidly after a destructive security attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified physical and virtual endpoint protection and Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has worked with advanced backup software providers to create ProSight Data Protection Services, a selection of subscription-based management outsourcing plans that deliver backup-as-a-service. ProSight DPS products manage and track your backup processes and enable transparent backup and rapid recovery of important files/folders, apps, images, and Hyper-V and VMware virtual machines. ProSight DPS helps you protect against data loss resulting from hardware breakdown, natural disasters, fire, malware like ransomware, user error, ill-intentioned employees, or application glitches. Managed backup services available in the ProSight Data Protection Services portfolio include ProSight DPS Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built hardware, and ProSight MSP360 Cloud and On-prem Backup. Your Progent service representative can help you to identify which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that incorporates the infrastructure of leading information security companies to provide web-based control and comprehensive protection for your email traffic. The powerful architecture of Progent's Email Guard integrates a Cloud Protection Layer with a local gateway appliance to offer complete protection against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks (DHAs), and other email-based threats. Email Guard's Cloud Protection Layer serves as a preliminary barricade and keeps most unwanted email from reaching your security perimeter. This decreases your vulnerability to inbound attacks and conserves system bandwidth and storage. Email Guard's on-premises security gateway appliance adds a further level of analysis for incoming email. For outbound email, the on-premises security gateway provides AV and anti-spam filtering, protection against data leaks, and email encryption. The on-premises gateway can also assist Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends inside your security perimeter. For more details, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    ProSight WAN Watch is an infrastructure management service that makes it easy and affordable for smaller businesses to diagram, monitor, enhance and troubleshoot their networking hardware such as routers, firewalls, and load balancers, plus servers, printers, client computers and other devices. Incorporating cutting-edge Remote Monitoring and Management (RMM) technology, ProSight WAN Watch ensures that infrastructure topology diagrams are always up to date, copies and manages the configuration information of virtually all devices on your network, monitors performance, and sends alerts when issues are discovered. By automating time-consuming network management processes, ProSight WAN Watch can knock hours off ordinary tasks like making network diagrams, expanding your network, locating devices that need important updates, or isolating performance issues. Learn more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring service that incorporates advanced remote monitoring and management (RMM) techniques to help keep your IT system running efficiently by checking the state of vital assets that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your specified IT personnel and your assigned Progent engineering consultant so any potential issues can be addressed before they can impact your network. Find out more details about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its key servers and apps hosted in a secure, fault-tolerant data center on a fast virtual machine host configured and maintained by Progent's network support experts. Under Progent's ProSight Virtual Hosting service model, the client retains ownership of the data, the OS software, and the applications. Because the environment is virtualized, it can be moved immediately to an alternate hardware environment without requiring a lengthy and difficult configuration process. With ProSight Virtual Hosting, you are not tied to a single hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, maintain, find and safeguard information about your network infrastructure, processes, business apps, and services. You can quickly find passwords or IP addresses and be warned automatically about upcoming expirations of SSL certificates, domains, or warranties. By cleaning up and managing your IT documentation, you can eliminate up to 50% of the time spent trying to find critical information about your IT network. ProSight IT Asset Management includes a centralized location for holding and collaborating on all documents required for managing your network infrastructure, such as standard operating procedures and How-To's. ProSight IT Asset Management also supports a high level of automation for collecting and relating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you require as soon as you need it. Read more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Remediation
    Progent's Active Protection Against Ransomware is an endpoint protection solution that incorporates next generation behavioral machine learning tools to guard endpoints as well as servers and VMs against modern malware assaults like ransomware and email phishing, which routinely escape traditional signature-matching AV products. Progent ASM services protect on-premises and cloud-based resources and offer a single platform to address the complete threat lifecycle including blocking, identification, mitigation, remediation, and post-attack forensics. Top features include one-click rollback with Windows VSS and real-time network-wide immunization against newly discovered attacks. Learn more about Progent's ransomware protection and cleanup services.

  • Progent's Outsourced/Shared Service Desk: Call Center Managed Services
    Progent's Call Center services permit your IT staff to outsource Support Desk services to Progent or split activity for Service Desk support seamlessly between your internal network support resources and Progent's extensive roster of certified IT service engineers and subject matter experts (SMEs). Progent's Shared Help Desk Service offers a seamless supplement to your corporate support team. Client interaction with the Service Desk, provision of technical assistance, problem escalation, ticket creation and tracking, efficiency measurement, and management of the support database are consistent regardless of whether issues are resolved by your internal support organization, by Progent, or both. Learn more about Progent's outsourced/co-managed Help Desk services.

  • Patch Management: Patch Management Services
    Progent's support services for software and firmware patch management offer businesses of any size a versatile and affordable solution for assessing, validating, scheduling, implementing, and documenting software and firmware updates to your ever-evolving IT system. Besides optimizing the protection and functionality of your IT network, Progent's software/firmware update management services allow your IT staff to focus on line-of-business projects and activities that deliver the highest business value from your network. Learn more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Access Security, Endpoint Remediation, and Secure Single Sign-on
    Progent's Duo MFA services utilize Cisco's Duo cloud technology to defend against stolen passwords through the use of two-factor authentication (2FA). Duo supports single-tap identity confirmation on Apple iOS, Google Android, and other personal devices. With Duo 2FA, whenever you log into a protected online account and give your password, you are asked to confirm who you are on a device that only you have and that uses a different ("out-of-band") network channel. A wide range of devices can be used for this added form of authentication, including a smartphone or watch, a hardware or software token, a landline phone, etc. You can register multiple verification devices. For details about Duo identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services for access security.

  • ProSight Reporting: Real-time and In-depth Reporting for Ticketing and Network Monitoring Applications
    ProSight Reporting is a growing family of in-depth reporting utilities designed to integrate with the industry's leading ticketing and network monitoring programs such as ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and features color coding to surface and contextualize key issues such as inconsistent support follow-through or endpoints with out-of-date anti-virus. By identifying ticketing or network health concerns clearly and in near-real time, ProSight Reporting improves productivity, lowers management hassle, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.

For Lima 24x7 crypto-ransomware cleanup support services, reach out to Progent at 800-462-8800 or go to Contact Progent.