Ransomware : Your Crippling IT Catastrophe
Ransomware  Recovery ConsultantsRansomware has become an escalating cyber pandemic that poses an extinction-level danger for businesses vulnerable to an attack. Different iterations of crypto-ransomware such as Dharma, Fusob, Locky, NotPetya and MongoLock cryptoworms have been replicating for years and still inflict destruction. The latest variants of crypto-ransomware such as Ryuk, Maze, Sodinokibi, DopplePaymer, Snatch or Egregor, plus daily unnamed viruses, not only encrypt on-line information but also infect most accessible system backups. Information replicated to the cloud can also be corrupted. In a vulnerable environment, this can make any restore operations useless and effectively knocks the network back to square one.

Retrieving services and data following a crypto-ransomware event becomes a sprint against time as the targeted business fights to stop the spread and remove the ransomware and to resume business-critical activity. Since ransomware requires time to move laterally, penetrations are often launched during weekends and nights, when successful attacks typically take longer to discover. This compounds the difficulty of promptly mobilizing and coordinating a qualified mitigation team.

Progent provides a variety of solutions for protecting enterprises from ransomware events. These include user education to become familiar with and avoid phishing exploits, ProSight Active Security Monitoring (ASM) for remote monitoring and management, plus setup and configuration of next-generation security gateways with machine learning capabilities from SentinelOne to identify and quarantine zero-day cyber attacks automatically. Progent in addition can provide the assistance of veteran ransomware recovery engineers with the track record and commitment to re-deploy a breached system as quickly as possible.

Progent's Crypto-Ransomware Restoration Support Services
Following a ransomware attack, even paying the ransom in Bitcoin cryptocurrency does not guarantee that criminal gangs will respond with the needed keys to decrypt any or all of your information. Kaspersky Labs estimated that 17% of crypto-ransomware victims never recovered their data after having sent off the ransom, resulting in increased losses. The risk is also costly. Ryuk ransoms frequently range from 15-40 BTC ($120,000 and $400,000). This is well above the usual ransomware demands, which ZDNET averages to be in the range of $13,000. The other path is to setup from scratch the vital components of your IT environment. Without the availability of full information backups, this calls for a wide complement of skills, top notch project management, and the ability to work non-stop until the job is completed.

For decades, Progent has provided certified expert IT services for businesses in Lima and across the United States and has achieved Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's team of subject matter experts (SMEs) includes professionals who have earned high-level certifications in key technologies like Microsoft, Cisco, VMware, and major distributions of Linux. Progent's cyber security engineers have earned internationally-renowned industry certifications including CISM, CISSP, ISACA CRISC, and GIAC. (Visit Progent's certifications). Progent also has experience in financial systems and ERP software solutions. This breadth of experience provides Progent the capability to knowledgably determine important systems and re-organize the surviving pieces of your IT system following a ransomware penetration and assemble them into a functioning system.

Progent's security team deploys best of breed project management tools to orchestrate the sophisticated restoration process. Progent understands the importance of working rapidly and together with a client's management and IT team members to assign priority to tasks and to get key services back on line as soon as humanly possible.

Case Study: A Successful Ransomware Attack Restoration
A business contacted Progent after their company was crashed by the Ryuk ransomware virus. Ryuk is thought to have been deployed by Northern Korean government sponsored cybercriminals, suspected of using algorithms leaked from America's NSA organization. Ryuk targets specific businesses with limited room for operational disruption and is one of the most lucrative versions of crypto-ransomware. Well Known targets include Data Resolution, a California-based info warehousing and cloud computing company, and the Chicago Tribune. Progent's client is a single-location manufacturing business based in the Chicago metro area with about 500 employees. The Ryuk attack had brought down all business operations and manufacturing processes. Most of the client's data protection had been directly accessible at the beginning of the attack and were destroyed. The client was pursuing financing for paying the ransom demand (exceeding $200,000) and wishfully thinking for good luck, but ultimately engaged Progent.


"I cannot thank you enough in regards to the help Progent provided us during the most critical time of (our) businesses life. We may have had to pay the cyber criminals behind the attack if it wasn't for the confidence the Progent team gave us. That you could get our messaging and production servers back online in less than a week was something I thought impossible. Each person I spoke to or e-mailed at Progent was amazingly focused on getting us restored and was working 24/7 to bail us out."

Progent worked together with the customer to rapidly get our arms around and prioritize the essential services that needed to be recovered in order to continue company operations:

  • Windows Active Directory
  • Electronic Messaging
  • Accounting and Manufacturing Software
To start, Progent followed ransomware event response industry best practices by halting lateral movement and cleaning up infected systems. Progent then began the process of recovering Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows technology. Microsoft Exchange email will not work without AD, and the client's MRP system utilized Microsoft SQL, which requires Active Directory services for access to the databases.

Within two days, Progent was able to restore Windows Active Directory to its pre-penetration state. Progent then completed rebuilding and hard drive recovery of key systems. All Exchange Server schema and configuration information were usable, which facilitated the rebuild of Exchange. Progent was also able to locate non-encrypted OST files (Outlook Email Off-Line Folder Files) on various desktop computers and laptops to recover mail data. A recent offline backup of the customer's financials/ERP systems made it possible to restore these required services back on-line. Although significant work still had to be done to recover fully from the Ryuk event, critical services were recovered rapidly:


"For the most part, the assembly line operation showed little impact and we delivered all customer orders."

During the following few weeks important milestones in the recovery process were made through tight cooperation between Progent consultants and the client:

  • In-house web sites were returned to operation with no loss of information.
  • The MailStore Exchange Server exceeding four million archived emails was spun up and available for users.
  • CRM/Orders/Invoicing/AP/Accounts Receivables/Inventory Control functions were fully restored.
  • A new Palo Alto 850 firewall was installed.
  • Ninety percent of the user desktops were operational.

"So much of what went on in the early hours is nearly entirely a haze for me, but I will not forget the countless hours each and every one of your team accomplished to give us our company back. I have been working with Progent for the past 10 years, maybe more, and every time I needed help Progent has outperformed my expectations and delivered as promised. This event was a stunning achievement."

Conclusion
A probable company-ending disaster was dodged through the efforts of top-tier experts, a broad spectrum of knowledge, and close teamwork. Although in retrospect the crypto-ransomware penetration detailed here could have been identified and prevented with up-to-date security solutions and NIST Cybersecurity Framework best practices, user and IT administrator education, and well designed security procedures for data backup and applying software patches, the reality remains that government-sponsored criminal cyber gangs from China, North Korea and elsewhere are tireless and are not going away. If you do fall victim to a ransomware incursion, feel confident that Progent's team of experts has a proven track record in ransomware virus defense, removal, and data disaster recovery.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (and any others who were contributing), I'm grateful for allowing me to get rested after we made it through the initial fire. All of you did an amazing effort, and if any of your guys is visiting the Chicago area, dinner is my treat!"

To read or download a PDF version of this case study, click:
Progent's Ransomware Incident Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Offered by Progent
Progent can provide companies in Lima a portfolio of online monitoring and security assessment services designed to help you to minimize the threat from ransomware. These services incorporate next-generation AI capability to detect new strains of ransomware that are able to escape detection by traditional signature-based anti-virus solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    Progent's ProSight Active Security Monitoring (ASM) is an endpoint protection service that incorporates SentinelOne's cutting edge behavior-based machine learning tools to guard physical and virtual endpoints against modern malware attacks such as ransomware and email phishing, which easily escape traditional signature-based AV tools. ProSight Active Security Monitoring safeguards local and cloud resources and provides a unified platform to address the entire threat progression including blocking, detection, mitigation, cleanup, and forensics. Top capabilities include one-click rollback using Windows Volume Shadow Copy Service and real-time system-wide immunization against new attacks. Progent is a certified SentinelOne Partner. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection (ESP): Physical and Virtual Endpoint Security and Exchange Filtering
    ProSight Enhanced Security Protection services deliver affordable multi-layer security for physical servers and virtual machines, desktops, mobile devices, and Microsoft Exchange. ProSight ESP uses adaptive security and modern behavior analysis for continuously monitoring and reacting to security assaults from all vectors. ProSight ESP delivers firewall protection, intrusion alerts, endpoint control, and web filtering via cutting-edge tools packaged within one agent managed from a single console. Progent's security and virtualization experts can assist you to design and configure a ProSight ESP deployment that meets your company's unique needs and that allows you demonstrate compliance with government and industry data protection regulations. Progent will help you specify and configure security policies that ProSight ESP will manage, and Progent will monitor your network and respond to alarms that call for immediate action. Progent can also assist your company to set up and verify a backup and disaster recovery solution like ProSight Data Protection Services (DPS) so you can recover quickly from a destructive cyber attack like ransomware. Read more about Progent's ProSight Enhanced Security Protection unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Backup and Disaster Recovery Services
    Progent has partnered with advanced backup/restore technology companies to create ProSight Data Protection Services, a selection of subscription-based offerings that provide backup-as-a-service (BaaS). ProSight DPS services automate and monitor your backup processes and allow transparent backup and fast restoration of critical files, apps, system images, and Hyper-V and VMware virtual machines. ProSight DPS lets you avoid data loss resulting from equipment failures, natural calamities, fire, cyber attacks like ransomware, human mistakes, ill-intentioned employees, or application bugs. Managed services in the ProSight Data Protection Services portfolio include ProSight Ataro VM Backup, ProSight Ataro Office 365 Backup, ProSight DPS ECHO Backup based on Barracuda purpose-built storage, and ProSight DPS MSP360 Hybrid Backup. Your Progent service representative can assist you to identify which of these fully managed backup services are best suited for your network.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam filtering service that incorporates the infrastructure of top information security vendors to provide web-based control and comprehensive security for all your email traffic. The powerful architecture of Progent's Email Guard managed service combines cloud-based filtering with a local security gateway appliance to provide advanced defense against spam, viruses, Dos Attacks, Directory Harvest Attacks, and other email-borne threats. The cloud filter serves as a first line of defense and blocks most unwanted email from making it to your network firewall. This decreases your exposure to external threats and saves system bandwidth and storage space. Email Guard's onsite gateway device provides a further layer of analysis for incoming email. For outbound email, the onsite security gateway provides anti-virus and anti-spam filtering, protection against data leaks, and email encryption. The local gateway can also help Exchange Server to track and protect internal email that stays within your security perimeter. For more details, visit ProSight Email Guard spam and content filtering.

  • ProSight WAN Watch: Infrastructure Management
    Progent's ProSight WAN Watch is a network infrastructure management service that makes it easy and inexpensive for small and mid-sized organizations to map out, track, optimize and troubleshoot their connectivity hardware like routers and switches, firewalls, and load balancers as well as servers, client computers and other devices. Using cutting-edge RMM technology, WAN Watch ensures that network maps are always updated, copies and manages the configuration information of almost all devices connected to your network, tracks performance, and sends alerts when problems are discovered. By automating time-consuming network management activities, ProSight WAN Watch can cut hours off ordinary chores such as network mapping, expanding your network, finding appliances that require critical software patches, or resolving performance issues. Find out more about ProSight WAN Watch network infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Monitoring and Management
    ProSight LAN Watch is Progent's server and desktop monitoring managed service that incorporates state-of-the-art remote monitoring and management (RMM) techniques to help keep your network operating at peak levels by tracking the state of critical computers that power your business network. When ProSight LAN Watch detects an issue, an alarm is sent automatically to your specified IT staff and your Progent consultant so that any looming issues can be resolved before they have a chance to disrupt productivity. Learn more about ProSight LAN Watch server and desktop remote monitoring consulting.

  • ProSight Virtual Hosting: Hosted Virtual Machines at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small or mid-size business can have its key servers and applications hosted in a secure Tier III data center on a fast virtual machine host configured and managed by Progent's IT support professionals. With the ProSight Virtual Hosting service model, the client retains ownership of the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved easily to an alternate hosting solution without requiring a time-consuming and technically risky reinstallation process. With ProSight Virtual Hosting, you are not tied a single hosting service. Find out more details about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    ProSight IT Asset Management service is a cloud-based IT documentation management service that makes it easy to create, update, retrieve and safeguard information about your network infrastructure, procedures, business apps, and services. You can instantly find passwords or serial numbers and be warned automatically about upcoming expirations of SSL certificates ,domains or warranties. By cleaning up and organizing your network documentation, you can eliminate up to half of time wasted searching for vital information about your network. ProSight IT Asset Management features a centralized repository for storing and sharing all documents related to managing your business network like recommended procedures and self-service instructions. ProSight IT Asset Management also offers a high level of automation for collecting and relating IT data. Whether you're planning improvements, doing maintenance, or reacting to a crisis, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about ProSight IT Asset Management service.

  • Active Protection Against Ransomware: Machine Learning-based Ransomware Identification and Cleanup
    Progent's Active Protection Against Ransomware is an endpoint protection (EPP) solution that utilizes next generation behavior machine learning technology to guard endpoints as well as physical and virtual servers against modern malware assaults like ransomware and email phishing, which easily evade legacy signature-based anti-virus products. Progent ASM services protect on-premises and cloud resources and offers a single platform to automate the entire threat lifecycle including blocking, identification, containment, remediation, and forensics. Top capabilities include one-click rollback with Windows Volume Shadow Copy Service (VSS) and automatic network-wide immunization against new threats. Read more about Progent's ransomware protection and recovery services.

  • Progent's Outsourced/Shared Help Desk: Call Center Managed Services
    Progent's Call Center managed services permit your IT group to outsource Call Center services to Progent or split responsibilities for support services seamlessly between your internal network support resources and Progent's extensive roster of IT support technicians, engineers and subject matter experts. Progent's Shared Help Desk Service offers a seamless supplement to your internal network support group. Client interaction with the Service Desk, delivery of technical assistance, issue escalation, trouble ticket generation and tracking, efficiency metrics, and maintenance of the support database are cohesive whether issues are taken care of by your internal IT support resources, by Progent's team, or both. Find out more about Progent's outsourced/co-managed Call Center services.

  • Patch Management: Software/Firmware Update Management Services
    Progent's managed services for software and firmware patch management provide organizations of all sizes a versatile and affordable alternative for assessing, testing, scheduling, implementing, and tracking software and firmware updates to your dynamic information network. Besides maximizing the security and reliability of your IT network, Progent's software/firmware update management services free up time for your in-house IT staff to focus on more strategic projects and activities that deliver maximum business value from your network. Find out more about Progent's software/firmware update management services.

  • ProSight Duo Two-Factor Authentication: Access Security, Endpoint Policy Enforcement, and Protected Single Sign-on
    Progent's Duo authentication service plans utilize Cisco's Duo cloud technology to defend against compromised passwords by using two-factor authentication (2FA). Duo supports one-tap identity confirmation on iOS, Android, and other out-of-band devices. With Duo 2FA, whenever you log into a secured online account and enter your password you are asked to confirm who you are on a unit that only you have and that uses a different network channel. A wide selection of devices can be utilized for this added form of authentication such as a smartphone or watch, a hardware/software token, a landline phone, etc. You may register multiple verification devices. For more information about Duo two-factor identity validation services, visit Cisco Duo MFA two-factor authentication (2FA) services.
For 24x7x365 Lima Crypto Recovery Consulting, reach out to Progent at 800-462-8800 or go to Contact Progent.