Ransomware : Your Worst IT Catastrophe
Crypto-Ransomware  Remediation ProfessionalsCrypto-Ransomware has become a modern cyberplague that presents an extinction-level danger for organizations poorly prepared for an attack. Multiple generations of crypto-ransomware like the Reveton, CryptoWall, Bad Rabbit, SamSam and MongoLock cryptoworms have been out in the wild for a long time and continue to cause damage. More recent strains of ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Nephilim, along with more as yet unnamed malware, not only encrypt on-line data but also infect many configured system backups. Data synched to the cloud can also be rendered useless. In a vulnerable data protection solution, it can render automatic recovery useless and effectively knocks the datacenter back to zero.

Getting back on-line services and data following a crypto-ransomware intrusion becomes a race against the clock as the victim struggles to stop lateral movement and remove the virus and to resume business-critical activity. Because crypto-ransomware needs time to spread, assaults are usually launched on weekends, when penetrations tend to take more time to detect. This multiplies the difficulty of quickly mobilizing and orchestrating an experienced response team.

Progent makes available a variety of services for securing organizations from ransomware penetrations. These include team training to become familiar with and avoid phishing scams, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security appliances with machine learning technology from SentinelOne to detect and extinguish new cyber threats automatically. Progent in addition provides the services of expert ransomware recovery professionals with the talent and commitment to re-deploy a compromised system as urgently as possible.

Progent's Ransomware Restoration Help
Following a ransomware attack, paying the ransom demands in cryptocurrency does not provide any assurance that criminal gangs will respond with the needed codes to unencrypt any or all of your data. Kaspersky determined that 17% of ransomware victims never restored their data after having sent off the ransom, resulting in more losses. The gamble is also very costly. Ryuk ransoms frequently range from fifteen to forty BTC ($120,000 and $400,000). This is well higher than the average ransomware demands, which ZDNET averages to be approximately $13,000. The other path is to piece back together the vital elements of your Information Technology environment. Without access to complete system backups, this requires a broad complement of IT skills, well-coordinated project management, and the willingness to work 24x7 until the job is completed.

For twenty years, Progent has offered expert IT services for companies in Lima and throughout the United States and has achieved Microsoft's Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes professionals who have earned high-level certifications in key technologies such as Microsoft, Cisco, VMware, and popular distros of Linux. Progent's security specialists have garnered internationally-renowned certifications including CISA, CISSP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent also has expertise with accounting and ERP application software. This breadth of experience provides Progent the ability to knowledgably identify critical systems and integrate the surviving parts of your network system following a crypto-ransomware penetration and rebuild them into a functioning network.

Progent's security team uses best of breed project management tools to coordinate the complicated restoration process. Progent understands the urgency of working rapidly and in concert with a client's management and IT team members to prioritize tasks and to put the most important services back online as soon as possible.

Case Study: A Successful Ransomware Incident Recovery
A business escalated to Progent after their network was penetrated by the Ryuk ransomware virus. Ryuk is thought to have been developed by Northern Korean government sponsored criminal gangs, suspected of using techniques leaked from the U.S. NSA organization. Ryuk targets specific businesses with little or no tolerance for operational disruption and is among the most lucrative instances of ransomware viruses. Headline organizations include Data Resolution, a California-based data warehousing and cloud computing company, and the Chicago Tribune. Progent's customer is a regional manufacturer headquartered in the Chicago metro area with about 500 workers. The Ryuk intrusion had frozen all essential operations and manufacturing processes. Most of the client's system backups had been directly accessible at the beginning of the intrusion and were encrypted. The client was taking steps for paying the ransom (exceeding two hundred thousand dollars) and hoping for good luck, but ultimately engaged Progent.


"I can't tell you enough about the help Progent gave us throughout the most fearful time of (our) businesses existence. We would have paid the cyber criminals behind the attack if not for the confidence the Progent team gave us. The fact that you were able to get our e-mail system and key servers back into operation faster than 1 week was something I thought impossible. Every single staff member I worked with or communicated with at Progent was totally committed on getting us back online and was working breakneck pace on our behalf."

Progent worked hand in hand the customer to rapidly identify and assign priority to the key services that needed to be restored in order to resume business functions:

  • Microsoft Active Directory
  • Electronic Mail
  • Financials/MRP
To begin, Progent followed AV/Malware Processes penetration mitigation best practices by halting lateral movement and clearing up compromised systems. Progent then initiated the process of bringing back online Microsoft AD, the heart of enterprise networks built upon Microsoft Windows Server technology. Microsoft Exchange Server messaging will not work without AD, and the customer's financials and MRP software utilized Microsoft SQL Server, which requires Windows AD for access to the information.

In less than 2 days, Progent was able to rebuild Active Directory services to its pre-penetration state. Progent then initiated setup and hard drive recovery on essential servers. All Microsoft Exchange Server data and configuration information were intact, which accelerated the rebuild of Exchange. Progent was also able to find local OST files (Outlook Off-Line Folder Files) on team PCs to recover email messages. A recent offline backup of the customer's financials/MRP systems made it possible to restore these essential applications back servicing users. Although significant work needed to be completed to recover totally from the Ryuk virus, essential services were returned to operations quickly:


"For the most part, the assembly line operation ran fairly normal throughout and we produced all customer shipments."

During the next few weeks key milestones in the restoration project were accomplished through tight collaboration between Progent consultants and the client:

  • Self-hosted web applications were brought back up without losing any data.
  • The MailStore Microsoft Exchange Server exceeding four million archived messages was restored to operations and available for users.
  • CRM/Orders/Invoices/Accounts Payable (AP)/Accounts Receivables/Inventory Control capabilities were fully recovered.
  • A new Palo Alto Networks 850 firewall was brought online.
  • Nearly all of the desktops and laptops were fully operational.

"Much of what was accomplished those first few days is nearly entirely a fog for me, but my team will not forget the care each and every one of the team accomplished to help get our company back. I have utilized Progent for the past ten years, maybe more, and each time Progent has outperformed my expectations and delivered as promised. This situation was a life saver."

Conclusion
A potential business extinction catastrophe was dodged by dedicated experts, a broad range of knowledge, and tight collaboration. Although in analyzing the event afterwards the crypto-ransomware incident described here should have been shut down with up-to-date security solutions and security best practices, user and IT administrator training, and well designed security procedures for information protection and applying software patches, the reality is that government-sponsored hackers from Russia, North Korea and elsewhere are relentless and are not going away. If you do fall victim to a ransomware penetration, feel confident that Progent's team of experts has substantial experience in ransomware virus defense, removal, and data recovery.


"So, to Darrin, Matt, Aaron, Dan, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others that were helping), thank you for allowing me to get some sleep after we made it over the initial fire. All of you did an incredible job, and if anyone is visiting the Chicago area, dinner is my treat!"

To review or download a PDF version of this customer case study, please click:
Progent's Ryuk Virus Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent can provide businesses in Lima a range of online monitoring and security evaluation services designed to help you to minimize your vulnerability to crypto-ransomware. These services include modern AI technology to uncover zero-day strains of ransomware that can evade traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring is an endpoint protection (EPP) solution that utilizes SentinelOne's next generation behavior-based analysis technology to defend physical and virtual endpoint devices against new malware assaults like ransomware and email phishing, which routinely escape legacy signature-based anti-virus tools. ProSight ASM protects local and cloud resources and offers a unified platform to automate the entire malware attack lifecycle including protection, infiltration detection, mitigation, remediation, and post-attack forensics. Key features include single-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against newly discovered threats. Progent is a SentinelOne Partner, reseller, and integrator. Find out more about Progent's ProSight Active Security Monitoring (ASM) endpoint protection and ransomware defense.

  • ProSight Enhanced Security Protection (ESP): Endpoint Protection and Microsoft Exchange Email Filtering
    Progent's ProSight Enhanced Security Protection (ESP) managed services deliver economical multi-layer protection for physical servers and virtual machines, workstations, smartphones, and Microsoft Exchange. ProSight ESP uses adaptive security and advanced machine learning for round-the-clock monitoring and responding to security assaults from all vectors. ProSight ESP offers two-way firewall protection, intrusion alarms, device control, and web filtering via cutting-edge tools packaged within one agent accessible from a single console. Progent's security and virtualization experts can help your business to design and implement a ProSight ESP environment that meets your organization's unique needs and that allows you prove compliance with government and industry data protection regulations. Progent will help you define and implement security policies that ProSight ESP will manage, and Progent will monitor your IT environment and react to alarms that call for urgent attention. Progent's consultants can also assist your company to install and test a backup and restore solution like ProSight Data Protection Services (DPS) so you can recover quickly from a potentially disastrous security attack such as ransomware. Learn more about Progent's ProSight Enhanced Security Protection (ESP) unified physical and virtual endpoint protection and Microsoft Exchange filtering.

  • ProSight Data Protection Services (DPS): Managed Backup and Disaster Recovery Services
    Progent has partnered with leading backup technology providers to create ProSight Data Protection Services (DPS), a portfolio of offerings that deliver backup-as-a-service (BaaS). ProSight DPS services automate and monitor your data backup processes and enable transparent backup and rapid restoration of critical files/folders, applications, images, and virtual machines. ProSight DPS lets your business avoid data loss caused by equipment failures, natural calamities, fire, malware such as ransomware, user error, ill-intentioned insiders, or software bugs. Managed backup services available in the ProSight DPS portfolio include ProSight Altaro VM Backup, ProSight 365 Total Backup (formerly Altaro 365 Backup), ProSight DPS ECHO Backup using Barracuda purpose-built storage, and ProSight MSP360 Hybrid Backup. Your Progent consultant can help you to determine which of these fully managed services are most appropriate for your IT environment.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering and email encryption service that uses the infrastructure of leading information security vendors to deliver web-based management and world-class protection for all your email traffic. The hybrid structure of Progent's Email Guard managed service integrates cloud-based filtering with a local gateway device to offer complete defense against spam, viruses, Denial of Service (DoS) Attacks, Directory Harvest Attacks, and other email-based malware. Email Guard's Cloud Protection Layer acts as a preliminary barricade and keeps the vast majority of unwanted email from making it to your security perimeter. This decreases your exposure to external threats and conserves network bandwidth and storage space. Email Guard's onsite gateway device adds a deeper layer of analysis for inbound email. For outbound email, the local gateway provides AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The onsite security gateway can also assist Exchange Server to monitor and protect internal email that stays inside your security perimeter. For more information, visit Email Guard spam filtering and data leakage protection.

  • ProSight WAN Watch: Network Infrastructure Remote Monitoring and Management
    Progent's ProSight WAN Watch is a network infrastructure monitoring and management service that makes it simple and inexpensive for smaller organizations to map, monitor, reconfigure and troubleshoot their connectivity appliances like routers, firewalls, and wireless controllers plus servers, endpoints and other devices. Using state-of-the-art RMM technology, WAN Watch makes sure that network maps are kept current, copies and manages the configuration information of virtually all devices on your network, tracks performance, and sends alerts when issues are detected. By automating complex management processes, ProSight WAN Watch can cut hours off ordinary chores such as network mapping, reconfiguring your network, finding appliances that require critical updates, or identifying the cause of performance issues. Find out more details about ProSight WAN Watch network infrastructure monitoring and management services.

  • ProSight LAN Watch: Server and Desktop Monitoring
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that uses advanced remote monitoring and management techniques to help keep your IT system running efficiently by tracking the state of critical computers that drive your information system. When ProSight LAN Watch detects a problem, an alarm is transmitted immediately to your designated IT management personnel and your Progent engineering consultant so that all potential problems can be addressed before they have a chance to impact productivity. Learn more details about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size organization can have its critical servers and apps hosted in a protected Tier III data center on a fast virtual host configured and managed by Progent's network support experts. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the operating system software, and the applications. Because the system is virtualized, it can be ported immediately to an alternate hosting environment without requiring a lengthy and difficult reinstallation procedure. With ProSight Virtual Hosting, you are not tied a single hosting provider. Learn more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is a cloud-based IT documentation management service that allows you to create, maintain, retrieve and safeguard information about your network infrastructure, processes, applications, and services. You can instantly find passwords or serial numbers and be warned about impending expirations of SSL certificates ,domains or warranties. By cleaning up and organizing your IT infrastructure documentation, you can eliminate as much as 50% of time thrown away trying to find vital information about your IT network. ProSight IT Asset Management features a common repository for storing and sharing all documents required for managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also supports advanced automation for gathering and associating IT information. Whether you're planning enhancements, doing regular maintenance, or reacting to an emergency, ProSight IT Asset Management delivers the knowledge you require the instant you need it. Find out more about ProSight IT Asset Management service.

  • Progent Active Defense Against Ransomware: AI-based Ransomware Identification and Cleanup
    Progent's Active Defense Against Ransomware is an endpoint protection (EPP) solution that utilizes cutting edge behavior-based machine learning technology to guard endpoints and servers and VMs against new malware assaults such as ransomware and email phishing, which easily escape traditional signature-matching AV tools. Progent ASM services protect on-premises and cloud resources and provides a single platform to automate the entire malware attack progression including filtering, infiltration detection, mitigation, remediation, and forensics. Key features include single-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Learn more about Progent's ransomware defense and cleanup services.

  • Outsourced/Co-managed Help Center: Support Desk Managed Services
    Progent's Call Desk managed services allow your IT group to outsource Help Desk services to Progent or split responsibilities for Help Desk services transparently between your internal network support group and Progent's nationwide pool of IT service engineers and subject matter experts. Progent's Shared Help Desk Service offers a smooth extension of your internal network support staff. Client interaction with the Service Desk, provision of support services, problem escalation, trouble ticket generation and updates, performance metrics, and management of the service database are cohesive whether incidents are taken care of by your core network support organization, by Progent, or both. Learn more about Progent's outsourced/shared Service Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a flexible and cost-effective solution for evaluating, testing, scheduling, implementing, and tracking software and firmware updates to your ever-evolving information system. In addition to optimizing the security and functionality of your computer network, Progent's software/firmware update management services free up time for your in-house IT staff to focus on line-of-business projects and tasks that derive the highest business value from your information network. Find out more about Progent's patch management support services.

  • ProSight Duo Multi-Factor Authentication: Identity Validation, Endpoint Policy Enforcement, and Secure Single Sign-on
    Progent's Duo MFA services incorporate Cisco's Duo technology to protect against password theft by using two-factor authentication (2FA). Duo enables single-tap identity verification on Apple iOS, Google Android, and other personal devices. Using 2FA, when you log into a secured online account and give your password you are asked to confirm your identity via a device that only you have and that is accessed using a different network channel. A broad range of out-of-band devices can be used as this added form of authentication including an iPhone or Android or wearable, a hardware/software token, a landline phone, etc. You can register several verification devices. For more information about ProSight Duo two-factor identity authentication services, see Cisco Duo MFA two-factor authentication (2FA) services.

  • ProSight Reporting: Real-time Reporting for Ticketing and Network Monitoring Platforms
    ProSight Reporting is an expanding family of in-depth reporting utilities designed to integrate with the industry's leading ticketing and network monitoring programs including ConnectWise Manage, ConnectWise Automate, Customer Thermometer, Auvik, and SentinelOne. ProSight Reporting uses Microsoft Graph and utilizes color coding to surface and contextualize key issues like inconsistent support follow-through or machines with missing patches. By exposing ticketing or network health concerns clearly and in near-real time, ProSight Reporting enhances network value, lowers management overhead, and saves money. For more information, visit ProSight Reporting for ticketing and network monitoring platforms.
For Lima 24-7 Crypto-Ransomware Recovery Consultants, reach out to Progent at 800-462-8800 or go to Contact Progent.